There is a very real, very large ongoing security attack against WordPress sites. It has been going on for a while now, but it severely escalated last week. With over 64,168,500 WordPress sites worldwide, hackers have become attracted to WordPress because they can cause a lot of damage and harvest a large number of passwords in a limited amount of time.
According to CloudFlare CEO Matthew Prince, the attack is using brute force against WordPress’ admin pages, trying the old default username “admin” together with thousands of passwords. There’s nothing new about that approach, but what makes this attack different, and particularly potent, is that the attackers have some 90,000 unique IP addresses at their disposal. The weakness is not in the software itself (the philosophy of sharing knowledge to create affordable software has always been the intention); unfortunately, the continued use of default usernames such as “admin”, “moderator”, “Administration” and “editor” seems to be at fault here.
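To make the pattern above concrete from the site owner’s side, here is an added example (not from the original post, CloudFlare, or WordPress) of the detection logic a failed-login log could be run through: it groups failed logins by username and flags an account that is being hit from many different IP addresses within a short window, which is exactly what a distributed guessing campaign against “admin” looks like, as opposed to one user mistyping a password. The log format, timestamps and IP addresses are constructed for the example; the list of default usernames is the one mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Default usernames named in the article; logins against these deserve extra scrutiny.
DEFAULT_USERNAMES = {"admin", "moderator", "administration", "editor"}

# Constructed log format (assumption for this example): one failed login per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) failed_login user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: 12 failures for "admin" from 8 IPs in under a minute,
# two typos from "alice" at one IP, three scattered attempts against "editor".
SAMPLE_LOG = """\
2013-04-15T10:00:01Z failed_login user=admin ip=198.51.100.1
2013-04-15T10:00:03Z failed_login user=admin ip=198.51.100.2
2013-04-15T10:00:04Z failed_login user=admin ip=198.51.100.3
2013-04-15T10:00:06Z failed_login user=admin ip=198.51.100.1
2013-04-15T10:00:09Z failed_login user=admin ip=198.51.100.4
2013-04-15T10:00:12Z failed_login user=admin ip=198.51.100.5
2013-04-15T10:00:15Z failed_login user=admin ip=198.51.100.6
2013-04-15T10:00:18Z failed_login user=admin ip=198.51.100.2
2013-04-15T10:00:22Z failed_login user=admin ip=198.51.100.7
2013-04-15T10:00:25Z failed_login user=admin ip=198.51.100.8
2013-04-15T10:00:31Z failed_login user=admin ip=198.51.100.3
2013-04-15T10:00:40Z failed_login user=admin ip=198.51.100.5
2013-04-15T10:02:00Z failed_login user=alice ip=203.0.113.9
2013-04-15T10:02:07Z failed_login user=alice ip=203.0.113.9
2013-04-15T10:03:00Z failed_login user=editor ip=198.51.100.1
2013-04-15T10:03:05Z failed_login user=editor ip=198.51.100.2
2013-04-15T10:03:10Z failed_login user=editor ip=198.51.100.4
"""


def parse_failed_logins(text):
    """Turn log text into a time-sorted list of (timestamp, username, ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not failed-login records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def find_distributed_bruteforce(events, window=timedelta(minutes=5),
                                min_failures=10, min_ips=5):
    """Flag usernames that, within `window`, accumulate at least `min_failures`
    failed logins spread over at least `min_ips` distinct source addresses.

    Per-IP rate limiting misses this pattern because each address only tries
    a few passwords; grouping by the targeted account exposes it.
    Returns {username: {"failures": n, "distinct_ips": k, "default_username": bool}}.
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    alerts = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window so hits[start:end+1] all fall within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_failures and len(ips) >= min_ips:
                best = alerts.get(user)
                if best is None or (len(span), len(ips)) > (best["failures"], best["distinct_ips"]):
                    alerts[user] = {
                        "failures": len(span),
                        "distinct_ips": len(ips),
                        "default_username": user.lower() in DEFAULT_USERNAMES,
                    }
    return alerts


def analyse(text=SAMPLE_LOG):
    """Convenience entry point: parse the log and return the alerts."""
    return find_distributed_bruteforce(parse_failed_logins(text))


if __name__ == "__main__":
    for user, info in analyse().items():
        print(f"{user}: {info['failures']} failures from {info['distinct_ips']} IPs"
              f"{' (default username)' if info['default_username'] else ''}")
```

Only “admin” trips the rule here: “alice” is one address making two mistakes, and the three attempts against “editor” stay under both thresholds. The thresholds are starting points to tune against a site’s normal traffic, and the same grouping works on whatever failed-login records a security plugin or web server actually produces.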
Researching the attacks and what the experts suggest you can do to protect your websites, we found that much of the advice is more technical than practical. They do, however, suggest that you update your passwords to something a bit more challenging – not a common one, and not the same password you’re using for your online banking, Dropbox etc.
This article, http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/, suggests ways of creating better passwords; however we, as humans, are not very good at it. They recommend a service called LastPass https://lastpass.com/ (it creates and stores passwords for you). A client actually uses this service and has nothing but great feedback.
Chris Jean, the author of the article, wrote:
“LastPass is a password service. It centrally manages all of your passwords and has tools to easily create very complex passwords. It even has browser integration features that allow you to have LastPass automatically fill in the login details for you (no typing required). LastPass also offers apps for mobile and tablet platforms and has a web interface in case you need the password and can’t get it any other way.
Using LastPass allows me to have extremely complex passwords that I could never remember and would hate to type in on every site I use. I vary the length of my passwords that it generates, but they are always more than 25 characters as long as the site allows it. 25+ characters of more or less random characters… Good luck brute force guessing that in my lifetime.
The key to using LastPass is having a good password to authenticate your user there. This is the only password you will need to remember; so make sure that it is a good one. Don’t do yourself the disservice of having your one weak password give full access to all your strong passwords.”
We recommend that you UPDATE YOUR PASSWORDS ASAP – and seriously consider using LastPass for all your online passwords.
In addition, for those using WordPress.com, consider using the new Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure.
According to WordPress.com “Two Step Authentication works like this: when you log in to your WordPress.com account, we’ll prompt you to enter a secret number. To get that secret number, you’ll need to download the Google Authenticator App on your smartphone. It generates a new number every 30 seconds, making it virtually impossible to guess. All you need to do is open the app on your phone, and type in the number it’s showing. If you don’t have a smartphone, you can instead opt to have the number SMSed to you.” You’ll find a new security tab in your WordPress.com account settings that will walk you through the setup.
Vigilance is the key, and any security measures you can put in place to protect your websites should be used. There will always be hackers – we just need to stay one step ahead of them!
If you’re overwhelmed, struggling to get things done, or recognise you need some assistance, organise a call with me to discuss your business support needs.