latest update

Global Attack on WordPress Sites

Dear Clients,

A large distributed brute force attack against WordPress sites is understood to be occurring. A large botnet with more than 90,000 servers is attempting to log in by cycling through different usernames and passwords.

This is an on going global attack on Wordpress installations to crack open admin accounts and inject various malicious scripts. Security firms have been tracking an escalating number of "brute force" attacks against WordPress installations, which have been trying out logins such as "admin" and then running through thousands of commonly-used passwords to try to break in.

Reports also claim that Wordpress instances across several hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IP’s used are spoofed), it is making it difficult for any of us to isolate and block all malicious data generating IPs or websites.

To ensure that your websites are secure and safeguarded from this attack, we recommend the following steps:

1. Update and upgrade your wordpress installation and all installed plugins
2. Install the security plugin listed there
3. Ensure that your admin password is secure and preferably randomly generated
4. Other ways of Hardening a WordPress installation are shared at http://codex.wordpress.org/Hardening_WordPress
5. Backup your website files, database and resources after every change

These additional steps can be taken to further secure Wordpress websites:

• Disable DROP command for the DB_USER .This is never commonly needed for any purpose in a wordpress setup
• Remove README and license files (important) since this exposes version information
• Move wp-config.php to one directory level up, and change its permission to 400
• Prevent world reading of the .htaccess file
• Restrict access to wp-admin only to specific IPs
• A few more plugins – wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner, wordfence, http://wordpress.org/extend/plugins/better-wp-security/. These may help in several occasions.

Taking these few steps will ensure that you are improving the safety of your Wordpress site.

Please feel free to contact us for any further clarification or assistance.