Hackers Attacking WordPress Blogs
One might be forgiven for assuming this is a belated April Fools joke but in reality for those who’s websites were hacked it is far from funny.
Keeping the default settings on any Internet-connected service is just asking for trouble. It’s easy enough to scoff at people whose brilliant “12345” password fell victim to hackers, but it’s just as simple to target usernames. A number of WordPress bloggers discovered this the hard way, when their “admin” accounts became part of a hostile, exploitative botnet.
The attacks began last week, and have affected more than 90,000 blogs so far. The hackers behind the attacks have combed through WordPress accounts and attempted to guess passwords via brute force.
Their program cycles WordPress accounts through 1,000 common passwords. While this tactic is useless against savvy users, enough people utilize easy-to-guess passwords to make it worthwhile for the hackers.
After the hack compromises a user’s system, it drafts the blog into a botnet, a collection of compromised systems that communicate with one another and often come in handy for online attacks. Private blogs aren’t too useful in this system, but blogs that are housed on web servers are. Servers recruited into the botnet can attack a multitude of machines at once, and grow the system exponentially.
The ultimate goal of the botnet is a mystery; having administrative access to a number of blogs is not that useful in and of itself. However, a network of more than 90,000 compromised machines can wreak all sorts of havoc, especially in denial-of-service attacks.
Matt Mullenweg, a WordPress founder, took to his blog to provide some advice. He explained that hackers had been targeting users who never changed the “admin” username for their account — in retrospect, an obvious security risk. “If you still use ‘admin’ as a username on your blog, change it,” he recommended.
By using a strong password, turning on two-step authentication and updating to the latest version of WordPress software, users will “be ahead of 99 percent of sites out there and probably never have a problem,” Mullenweg said.
WordPress.com users would be wise to heed Mullenweg’s words, especially when it comes to two-step authentication. This won’t benefit the myriad bloggers who use WordPress software and host their work elsewhere, but Mullenweg’s other tips will still help.
If your blog has already been compromised, there’s not much to do at this point except change your username and password and hope for the best.
Help for Hacked Websites – Overview
Here is a quick video by Maile Ohye of Google’s Webmaster Support Team
Google has just released their “Help For Hacked Sites” section and it is really worth checking out, in case you need it (hopefully not).
Our 2 Step Strategy to Safeguard your WordPress site
I have always been in favour of increased security on WordPress installations and below are a few useful (free and paid) plugins that work to varying degrees and certainly help to minimise the risk that hackers will be successful. That said I have to admit that these plugins will not make a site 100% hacker proof. That’s why we have step 2 🙂
WordPress Security Plugins
1. Better WP Security – (Free)
Almost an “all-in-one” security plugin for WordPress. This plugin takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
- Scan your site to instantly tell where vulnerabilities are and fix them in seconds
- Remove the meta “Generator” tag
- Removes login error messages
- Change the urls for backend functions including login, admin, and more
- Create and email database backups on a schedule using wp-cron
- Ban troublesome bots and other hosts
- Completely turn off the ability to login for a given time period (away mode)
- Prevent brute force attacks by banning hosts and users with too many invalid login attempts
- Display a random version number to non administrative users anywhere version is used (often attached to plugin resources such as scripts and style sheets)
- Remove theme, plugin, and core update notifications from users who do not have permission to update them (useful on multisite installations)
- Remove Windows Live Write header information
- Enforce strong passwords for all accounts of a configurable minimum role
- Detect attempts to attack your site
- and, as I said, many more
2. BulletProof Security – (Free)
The BulletProof Security WordPress Security plugin is designed to be a fast, simple and one click security plugin to add .htaccess website security protection for your WordPress website. The BulletProof Security WordPress plugin is a one click security solution that creates, copies, renames, moves or writes to the provided BulletProof Security .htaccess master files. BulletProof Security protects both your Root website folder and wp-admin folder with .htaccess website security protection, as well as providing additional website security protection.
3. 6Scan Security (new kid on the block)
Provides automatic protection for your WordPress site against threats. The scanner goes beyond the rule-based protection of other WordPress security plugins, employing active penetration testing algorithms to find security vulnerabilities. These are then automatically fixed before hackers can exploit them.
- SQL Injection
- Cross-Site Scripting (XSS)
- Directory traversal
- Remote file inclusion
- Several DoS conditions
- And many more, including all of the OWASP Top Ten security vulnerabilities.
Step 2 – Protecting Your Site Against the Damage Caused By Hacking
Ok so if like me you want total peace of mind then here is my personal favourite bit of kit and one that has over the years saved more of my client sites than I care to admit. That is Jason Fladlien’s WP Twin. Designed to clone any WordPress installation in seconds and then restore that installation in just minutes. Best of all there is an automated version available that allows you to schedule automated backup/cloning on ALL your WordPress sites.
IF Your Site Is Hacked You Can Be Back Up In Minutes
Other Features to Consider
Let’s say you update to the latest version of WordPress and your blog breaks. What do you do? Well, if you cloned the older version – you can easily restore it. Doesn’t matter what version you started or ended with.
Since WP Twin is a web based application, it doesn’t matter what you use to backup, clone, and deploy your sites… With WP Twin, as long as you have an internet conneciton you can do it!
Everything on your WordPress site will be completely cloned. Not only your installed plugins and themes, but their configurations, as well as posts, pages, comments, permalinks, etc. Absolutely EVERYTHING!
You simply upload WP Twin to your site, go there with your browser, and click “clone.” That’s it…you’re done. You can then download your clone file. If you want to restore it later, just upload WP Twin with your clone file and click “deploy.” Done!
It is extremely rare a hosting account will not work flawlessly with WP Twin. Of course nothing is perfect when it comes to software, but our customers have proved that we’re about as close as it gets!
- In the rare instances where you may encounter problems, or even if you just have questions, we have well-trained dedicated support staff to help. We offer around-the-clock support via our help desk on weekdays and limited support on weekends.Mac Productions – The Final Word
What I love about WPTwin is the fact that they have one of the best and most helpful support teams I have had the pleasure of dealing with, so my advice would be to take action now before you get hacked and check out WP Twin – Even if you don’t install any security plugins this one thing can save you a ton of grief.