First off, here’s Matt Mullenweg‘s blurb about the recent botnet attacks on WordPress sites. He’s worth listening to because he’s the “founding developer” of WordPress and the President of Automattic, the company behind wordpress.com, among other things.
Supposedly this botnet has over 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to help much: with that many addresses, the botnet could try from a different IP every second for a full 24 hours without a single address repeating, and a per-IP lockout would never trigger.
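To make that concrete, here is an added example (not code from the original post or from WordPress) that replays a handful of constructed Apache-style access-log lines for POST /wp-login.php through two detectors: the per-IP lockout that a “limit login attempts” plugin implements, and a site-wide count of distinct IPs failing logins per minute. The IP addresses, timestamps and thresholds are made up for the demo; the one real detail it relies on is that WordPress answers a failed login by re-rendering the form (HTTP 200) and a successful one with a redirect (HTTP 302).

```python
"""Why per-IP login throttling misses a distributed brute-force run.

Added example, not code from the original post or from WordPress: it
replays constructed Apache-style access log lines for POST /wp-login.php
through two detectors, a per-IP lockout (what a "limit login attempts"
plugin does) and a site-wide distinct-IP counter, and shows which fires.
The IP addresses, timestamps and thresholds are made up for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 12 bot IPs, one failed POST each, inside 12 seconds,
# plus one human who fumbles the password twice and then gets in.
SAMPLE_LOG = [
    f'198.51.100.{n} - - [12/Apr/2013:03:14:{n:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3817'
    for n in range(1, 13)
] + [
    '203.0.113.7 - - [12/Apr/2013:03:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3817',
    '203.0.113.7 - - [12/Apr/2013:03:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3817',
    '203.0.113.7 - - [12/Apr/2013:03:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php HTTP/1\.[01]" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_posts(lines):
    """Yield (ip, timestamp, status) for every POST to wp-login.php.

    WordPress answers a failed login by re-rendering the form (HTTP 200)
    and a successful one with a redirect (HTTP 302), so in the access log
    a 200 on this POST is a failed attempt.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def per_ip_lockouts(events, max_failures=5, window=timedelta(minutes=10)):
    """IPs that reach max_failures failed logins inside a sliding window.

    This is the per-IP view a throttling plugin has. One guess per bot
    never gets near the threshold, however many bots there are.
    """
    recent = defaultdict(list)
    locked = set()
    for ip, ts, status in sorted(events, key=lambda e: e[1]):
        if status != 200:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            locked.add(ip)
    return locked


def distributed_alerts(events, min_distinct_ips=10):
    """Minutes in which at least min_distinct_ips different IPs failed a login.

    The site-wide view: a botnet spreading one guess across many addresses
    is invisible per IP but obvious in the count of distinct sources.
    """
    ips_per_minute = defaultdict(set)
    for ip, ts, status in events:
        if status == 200:
            ips_per_minute[ts.replace(second=0, microsecond=0)].add(ip)
    return {minute: len(ips) for minute, ips in ips_per_minute.items()
            if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    events = list(parse_login_posts(SAMPLE_LOG))
    print("per-IP lockouts:", per_ip_lockouts(events) or "none")
    for minute, n in distributed_alerts(events).items():
        print(f"{minute:%H:%M}: {n} distinct IPs failed a login")
```

Run against the sample, the per-IP rule locks nobody (the only repeat offender is the legitimate user with two typos), while the distinct-IP counter flags the 03:14 minute with 12 sources. That is the point of the paragraph above: against a botnet, the useful signals are site-wide (distinct sources, failures per username) rather than per address, and the only control that actually stops the guessing is a password the botnet can’t guess.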
I’ve been noticing that a few popular shared hosting providers have been having infrastructure problems lately. I thought it was a coincidence, but after attempting to do some work on a client’s site hosted at FatCow (not my favorite host, but they’re OK), I got hip to the fact that there is actually a bit of internet-wide drama going on at the moment, with WordPress sites getting hacked, or at least many attempts at it.
Here’s a message Fatcow sent out to its customers.
Important Information about Protecting Your WordPress Site
Dear [customer’s name],
Do you have a WordPress account with us? If so, we wanted to let you know about an attack on WordPress sites that started earlier this week, what we’ve done to combat it, and what you can do to protect yourself.
On Tuesday, a widespread “brute force” attack against WordPress started impacting sites across the internet. This attack is leveraging a botnet, which looks to have more than one hundred thousand different computers at its disposal. Its intent is very simple: to find and compromise WordPress sites with simple passwords, likely to use them later to distribute malware (and further increase the size of the botnet).
Over the past few days, we’ve made a number of changes to our network and infrastructure designed to mitigate the impact of this attack on our customers’ websites. Continue reading for a detailed account of what we’ve done »
Also, and we can’t stress this enough, we urge you to check your WordPress password and make sure it’s a strong one. The strong password guidelines in our Knowledgebase refer to your FatCow account password, but that advice is good for WordPress passwords, too!
We head into the weekend in good shape, but vigilant against a returning or altered attack. For those of you who have been impacted by these attacks, or our attempts to combat them, we do apologize for any service disruption. We also apologize for a longer-than-normal response time over the last few days while we’ve had “all hands on deck” addressing this issue. We appreciate your patience and understanding.
The FatCow Team
Bottom Line: Harden your WordPress site a little.
- Keep your WordPress core software, plugins and themes up to date! Delete plugins and themes you aren’t using rather than just deactivating them; inactive code on disk still gets exploited.
- Use capitals, lowercase, numbers and symbols in your passwords, make them long, and avoid guessable or dictionary words and names. A password manager makes a unique random password per site painless. This attack only succeeds against accounts with guessable passwords, so this is the one item on the list that addresses it head-on.
- If you have a user called “Admin” or “admin,” take a moment to get rid of it: create a new account with the Administrator role under a less obvious name, log in as that account, then delete the old one and let WordPress reassign its posts to the new user. The default username is the first thing a password-guessing bot tries, and an account that doesn’t exist can’t be brute-forced.
- If installing from scratch, change your database table prefix in wp-config.php to something other than “wp_”. Be clear about what that buys you: it does nothing against password guessing; it only blunts canned SQL-injection payloads that assume the default table names, so treat it as cheap defense in depth rather than a fix for this attack.
- Never use any theme, plugin or hosting provider that forces you into leaving folder and file permissions permanently extra lenient. If someone tells you to change a directory to 777, they are making it writable by every account on the server, which on shared hosting means every other customer; either they don’t know what they’re doing or your hosting provider’s server settings are wack. Directories at 755, files at 644 and wp-config.php at 640 (600 where PHP runs as your own user) are the usual targets; if a plugin only works at 777, that is the plugin’s bug, not your configuration’s.
- Stay on top of comment moderation. If you find yourself with thousands of unmoderated comments waiting for approval and you don’t want to do the work, perhaps you’re not cut out for participating with the masses in that way, or you just don’t have the time. Just turn comments off!
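Two of the items above, the table prefix and the 777 permissions, can be checked offline from a shell account without touching the database. The script below is an added example, not code from the original post, WordPress or WP Security Scan: it parses `$table_prefix` out of wp-config.php, walks the tree for anything writable by “other”, and flags a wp-config.php that everyone on the box can read. It builds a small stand-in for a WordPress tree in a temporary directory so it runs anywhere; the replacement prefix “k3q_”, the permission targets (755/644, 640 for wp-config.php) and the directory layout are assumptions made for the demo, so point `audit()` at a real document root to use it.

```python
"""Offline checks for two items on the hardening list above: the table
prefix in wp-config.php and world-writable ("777") files or directories.

Added example, not code from the original post, WordPress or WP Security
Scan. It builds a small stand-in for a WordPress tree in a temporary
directory so it runs anywhere; the prefix "k3q_" and the permission
targets (755/644, 640 for wp-config.php) are the author's assumptions.
"""
import os
import re
import stat
import tempfile

# Matches the line WordPress ships in wp-config.php: $table_prefix = 'wp_';
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def read_table_prefix(config_path):
    """Return the $table_prefix value from wp-config.php, or None if absent."""
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        m = PREFIX_RE.search(fh.read())
    return m.group(1) if m else None


def world_writable(root):
    """Relative paths under root whose mode grants write to 'other'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # judge the target where it lives, not the link
            if mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def audit(root):
    """Findings for a WordPress install rooted at root (empty list = clean)."""
    findings = []
    config = os.path.join(root, "wp-config.php")
    if not os.path.isfile(config):
        findings.append("wp-config.php: missing")
    else:
        prefix = read_table_prefix(config)
        if prefix is None:
            findings.append("wp-config.php: no $table_prefix found")
        elif prefix == "wp_":
            findings.append("wp-config.php: default table prefix 'wp_'")
        if os.stat(config).st_mode & stat.S_IROTH:
            findings.append("wp-config.php: readable by everyone (holds DB credentials)")
    for path in world_writable(root):
        findings.append(f"{path}: world-writable")
    return findings


def build_demo_site(root, hardened):
    """Constructed stand-in for a site: the weak layout or the fixed one."""
    config = os.path.join(root, "wp-config.php")
    with open(config, "w", encoding="utf-8") as fh:
        fh.write("<?php\n$table_prefix = '%s';\n" % ("k3q_" if hardened else "wp_"))
    os.chmod(config, 0o640 if hardened else 0o644)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)  # explicit, ignore umask
    os.chmod(uploads, 0o755 if hardened else 0o777)    # the classic "777 for uploads"


def demo(hardened):
    """Build a demo tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root, hardened)
        return audit(root)


if __name__ == "__main__":
    for label, hardened in (("before", False), ("after", True)):
        print(f"{label}: {demo(hardened) or ['clean']}")
```

One caveat on the wp-config.php check: on hosts where PHP runs as a different user from the file owner (classic mod_php rather than suPHP/FastCGI as your user), the web server needs group read, so 640 with the right group is the fix, not 600. Ask your host which it is before tightening, or you will take the site down instead of hardening it.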
There are TONS of free plugins that can help you scrutinize your WordPress install. I use this from time to time: WP Security Scan.