(written 04/12/2013) Earlier this week, I was introduced to breaking news of a massive attack on WordPress sites. An ecommerce site that I’d worked on was experiencing broken code. I contacted hosting’s tech support and they let me know they had been experiencing hack attacks on their servers. In order to keep all their servers running, they had to tighten the server’s security, which in turn, broke my client’s ecommerce site.
That situation has been contained. Unfortunately, the brute-force attacks continue to crash servers and gain strength. As I write this, attacks have tripled within the past month. I’m enclosing a number of links below that give more detail on the situation.
It’s very important for you to make sure your website does not fall into the hands of these hackers. Below the list of articles, I’m enclosing a to-do list of procedures that should be performed. I am currently performing these tasks on my own websites; the process takes about an hour and a half per installation.
Wired Magazine – 04/22
Statement from Homeland Security – 04/15
ABC News – 04/15
Webhosts Address the Hacks:
Webhost Technicians Working Together to Stop the Attacks:
>>> Items marked with these brackets are the ones you should do at the very least.
MAKE A BACKUP!
– Install “BackWPup” plugin and configure it to make a backup of all your files and your MySQL database. This plugin will continue to make a backup 4 times a year. It will also delete the previous backup once the new compressed file is created, so you will not run out of hard drive space.
MAKE WORDPRESS MORE SECURE!
– Install “Better WP Security” Plugin
>>> Create a new admin user with a special name (not “admin”)
>>> Your password should be 12 characters long and contain upper and lower case letters, a number and a symbol.
>>> Change all WordPress user passwords.
>>> Delete the user called “admin”
– Change the default prefix “wp_” of the MySQL tables
– Delete old WordPress themes that are not in use
– Check the permissions of directories to make sure only a logged-in admin has access to write and save files (this should already be fine, but it should be checked)
– Update WordPress and its plugins to the most recent software
MAKE YOUR WEB HOST SECURE!
– Change the FTP password to something that does not use dictionary words. Your password should be 12 characters long and contain upper and lower case letters, a number and a symbol.
– This is an important step! It makes the web server itself challenge any brute-force attempt before the request ever reaches your WordPress login, so the bot is stopped before WordPress is triggered. Using the server’s “cPanel”, click “Web Protect” (or “File Protect”), find the directory used to log into WordPress (“wp-admin”), and create a password to access that directory. Test the URL: if a prompt for a user name and password comes up, the site is secure. If you get an error or the prompt doesn’t come up, there is a conflict with the .htaccess file in the root directory. Contact tech support to have the web host fix this. They should be able to resolve it within a few minutes.
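As an added example (not part of the original post, and not code from any of the plugins or hosts named here), the script below turns the file-system parts of the checklist above into a POSIX shell audit: the password rule, the “wp_” table prefix, world-writable paths, leftover themes, and whether wp-admin is protected by a web-server password prompt of the kind cPanel’s Web Protect produces. It also writes such a prompt as an .htaccess file, which is what the cPanel step does behind the scenes. Items that live only in the database (the “admin” user, user passwords) cannot be checked from files and are left to the plugin. All paths, theme names and the sample site it builds are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Hypothetical WordPress hardening audit (added example; not from the post, plugin or host).
# Usage: sh wp_audit.sh /path/to/wordpress active-theme-name

# Password rule from the checklist: 12 characters with upper case, lower case, a digit and a symbol.
check_password_policy() {
  pw=$1
  [ "${#pw}" -ge 12 ] || return 1
  printf '%s' "$pw" | grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | grep -q '[a-z]' || return 1
  printf '%s' "$pw" | grep -q '[0-9]' || return 1
  printf '%s' "$pw" | grep -q '[^A-Za-z0-9]'
}

# Fails while wp-config.php still declares the default "wp_" prefix. Editing the config alone is
# not a fix: the tables and the prefixed option/usermeta keys must be renamed too (the plugin does that).
check_table_prefix() {
  prefix=$(sed -n "s/^[\$]table_prefix *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$1/wp-config.php")
  [ -n "$prefix" ] && [ "$prefix" != "wp_" ]
}

# Number of files or directories that any account on the server may write to (other-writable).
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of theme directories other than the active one; the checklist says to delete them.
count_inactive_themes() {
  n=0
  for t in "$1"/wp-content/themes/*/; do
    [ -d "$t" ] || continue
    [ "$(basename "$t")" = "$2" ] || n=$((n + 1))
  done
  echo "$n"
}

# True when wp-admin/.htaccess makes Apache demand credentials before PHP runs.
wp_admin_protected() {
  f="$1/wp-admin/.htaccess"
  [ -f "$f" ] && grep -q '^AuthType Basic' "$f" && grep -q '^Require valid-user' "$f"
}

# Writes the directives cPanel's Web Protect generates. $2 is the htpasswd file path
# (create it with "htpasswd -c"); admin-ajax.php stays reachable because some themes and
# plugins call it for logged-out visitors and would otherwise trigger the prompt site-wide.
write_wp_admin_protection() {
  cat > "$1/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $2
Require valid-user
# Apache 2.2-style exemption for front-end AJAX requests
<Files admin-ajax.php>
  Order allow,deny
  Allow from all
  Satisfy any
</Files>
EOF
  chmod 644 "$1/wp-admin/.htaccess"
}

# Runs every check, reports findings on stderr and prints the number of findings.
wp_audit() {
  findings=0
  check_table_prefix "$1" || { echo "FAIL: table prefix is still wp_" >&2; findings=$((findings + 1)); }
  ww=$(count_world_writable "$1")
  [ "$ww" -eq 0 ] || { echo "FAIL: $ww world-writable path(s)" >&2; findings=$((findings + 1)); }
  it=$(count_inactive_themes "$1" "$2")
  [ "$it" -eq 0 ] || { echo "WARN: $it inactive theme(s) to delete" >&2; findings=$((findings + 1)); }
  wp_admin_protected "$1" || { echo "FAIL: wp-admin has no server-side password prompt" >&2; findings=$((findings + 1)); }
  echo "$findings"
}

# Builds a throwaway tree with each weakness present (constructed sample, not a real site).
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-content/themes/twentytwelve" "$d/wp-content/themes/twentyeleven"
  printf "<?php\n\$table_prefix = 'wp_';\n" > "$d/wp-config.php"
  : > "$d/wp-content/themes/twentyeleven/leftover.php"
  chmod -R go-w "$d"
  chmod o+w "$d/wp-content/themes/twentyeleven/leftover.php"
  printf '%s\n' "$d"
}

if [ "$#" -ge 2 ]; then
  n=$(wp_audit "$1" "$2")
  echo "findings: $n"
fi
```

Run it against the WordPress document root with the active theme’s directory name; a clean install reports `findings: 0`. The htpasswd path is deliberately a parameter so the file can live outside the web root, as cPanel does.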
Let’s hope this virus is contained before it damages all our hard work.