WordPress Brute Force Attack

We haven’t been doing anything this week to protect our clients’ sites from the recent WordPress brute-force attack. We don’t need to. That’s because we take security seriously before anything bad happens. So far we’ve been able to sit back and watch while everybody panics. Here’s why.

Brute Force attacks are not fun.


A brute-force attack against WordPress sites.

A distributed denial of service attack on WordPress sites was first reported earlier this month. The attack is “huge”: over 90,000 computers are initiating the attack. Hackers are using these computers to target websites’ administrator panels using brute-force attack methods. The threat is so serious that the United States Computer Emergency Readiness Team (CERT) is advising administrators of WordPress sites to take immediate steps to secure their installations.

How we protect WordPress against attacks.

We know our clients wouldn’t want to hire a security guard to protect their premises who didn’t bother to lock the doors of the building at night. Likewise, we take steps to make sure that our clients’ sites are “locked down” rather than wait for intruders to get inside their servers.

We take a proactive stance toward WordPress security. We have standard security procedures in place for all our maintenance clients that prevent their WordPress installations from falling victim to an attack in the first place.

If you do not have a maintenance contract with us, we suggest you take these steps immediately:

  • Enable CloudFlare. CloudFlare is a performance and security service we enable on all our maintenance clients’ servers if possible. CloudFlare has been growing in popularity lately, but we’ve been using them since mid-2011, just 8 months after their launch.

  • Ensure WordPress and the underlying server infrastructure are kept up to date with the latest releases.

  • Continually monitor your site’s uptime and performance. We have set up an alert system for our clients that sends us a message immediately if their sites go down or performance metrics reach a certain threshold.
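Monitoring uptime tells you when a site is down; monitoring the web server log tells you when someone is hammering the login form. The script below is an added example, not part of this post or of our monitoring setup: it parses combined-format access log lines (constructed sample data, documentation-range IPs) and flags client IPs that post to wp-login.php repeatedly within a short window. It assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with HTTP 302; the threshold and window are illustrative values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Combined-format access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def failed_logins(log_text):
    # WordPress re-renders the form (200) on a failed login and redirects to
    # wp-admin (302) on success, so 200 replies to POST /wp-login.php approximate failures.
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == 200
                and rec["path"].startswith("/wp-login.php")):
            by_ip[rec["ip"]].append(rec["ts"])
    return by_ip

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for IPs with >= threshold failures inside one window."""
    flagged = {}
    for ip, stamps in failed_logins(log_text).items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, t, status, path="/wp-login.php"):
    return f'{ip} - - [12/Apr/2013:10:{t} +0000] "POST {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"00:{s:02d}", 200) for s in range(0, 60, 10)]  # 6 failures in 50 s
    + [_line("198.51.100.4", "00:05", 200), _line("198.51.100.4", "00:40", 302)]  # a typo, then success
    + [_line("192.0.2.9", f"{m:02d}:00", 200) for m in range(6)])  # 6 failures spread over 5 min
```

Run against the sample, only 203.0.113.7 is flagged; the slow, spread-out attempts from 192.0.2.9 stay under the window threshold, which is exactly why a distributed attack is harder to spot from a single server’s log.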

Also see our 10-point guide on WordPress security.

User-level steps to increase WordPress security

There are several user-level tasks that increase security that we recommend everyone using WordPress take immediately. We help all our clients with this.

  • Change all passwords. Make sure you use a strong, unique password. We recommend LastPass for storing passwords. We also have a password generator that will generate a strong random password for your convenience.

  • Enable two-factor authentication. We can help you install the Google Authenticator plugin in your WordPress installation.

  • Make a backup. (If you’re already a client, we’ve got you covered.)

Also check out our post on using 2-factor authentication and other security measures.

How can you tell if your WordPress site is compromised?

The experts believe this attack is intended to enlist hacked servers into a botnet. This means that it may not be obvious whether your site has been compromised or not. If you have not taken the precautions described above, it may have been. Even if it has not been hit by this attack, the experts are also warning this could be just the beginning of something much larger and more devastating.

If you believe your site has been compromised, if you’re unsure, or need help implementing these security measures to protect your WordPress site from future attacks, please get in touch.

You can drop us a line or call us at 800.270.5170.

Have your sites been compromised? What do you use to protect your site? Tell us in the comments.
