We have recently discovered a large, coordinated attack on websites that utilize the free, open-source WordPress blogging software. This attack is affecting customers of many hosting companies both large and small around the world. If you operate a website using WordPress, please keep reading, even if you aren’t a customer of Hands-On Web Hosting.
There is a network of compromised home computers and servers that are being used to attack WordPress sites around the world. This network is attempting to access the admin areas of WordPress sites with brute-force attacks (repeatedly attempting logins with commonly used passwords and other common words). If your admin password is compromised, your WordPress installation is then hacked and becomes a part of this global network, using your account resources to attack other WordPress sites.
If you’re a customer of Hands-On Web Hosting, our shared hosting servers are protected as we use 1H monitoring software which limits excessive resource usage to individual accounts, protecting the server as a whole. However, these attacks can still cause your website to go offline from the excessive login attempts even if your password isn’t compromised. If you are on dedicated, VPS or cloud hosting then the excessive usage can cause your entire server to crash. If you don’t host with us, you will want to contact your hosting company to determine what security measures they have in place for these kind of attacks, or better yet, let us move you to Hands-On!
There are a number of things you can do as a WordPress site owner to protect yourself and limit the impact these attacks have on your website:
1. Make sure your WordPress installation and all plugins are up to date
2. Install a third-party WordPress security plugin designed to limit login attempts, such as Better WP Security.
3. Ensure that your admin password is secure (use random upper and lower case letters, numbers, and special symbols–NEVER use common words, phrases, names, birthdates, etc.)
4. Use a different admin login name other than “admin”, as most attacks will use this login name
5. Use .htaccess rules to restrict access to your login page
If you have questions regarding the security of your WordPress site, even if you aren’t yet a customer of Hands-On, please don’t hesitate to contact our helpdesk.
The post Global Attack on WordPress Sites appeared first on Hands-On Web Hosting.