ATTENTION WORDPRESS USERS – There is a brute force attack happening right now aimed at WordPress sites. If you have a WordPress site, you need to make sure your site is secure and able to withstand an attack.
The goal of a brute force attack is to find a vulnerability that can be exploited to use a website to send spam, host malicious content, steal your website data, spamvertise, or use your website to attack other web sites. If your site falls victim to one of these attacks, it can cause your site to run slower, be placed on spam lists that will affect the delivery of email from you, or even have your site crash or be shut down by your server. While no site is totally safe, there are some things you should do to make your site as secure as possible.
First, use strong passwords for your WordPress login. A weak password is the easiest way for someone to gain access to your site. Make sure you use something other than Admin for your user name. That has been the default user name, so changing it makes the login harder to guess. A strong password should be a combination of upper and lower case letters plus numbers and symbols. The longer the password string, the longer it takes hacking software to run all the possible combinations against your login.
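As an added illustration of the password advice above (this is example code, not from the original post or from WordPress), the functions below check a password against the post's four character classes and show how the search space grows with length. The 12-character floor, the list of default user names beyond "admin", and the guess rate of one billion per second are assumptions chosen for the example.

```python
import string

# Character classes the post asks for in a strong password.
CLASSES = {
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# User names the post warns against; entries beyond "admin" are an assumption.
DEFAULT_USERNAMES = {"admin", "administrator", "wordpress"}


def policy_failures(password, min_length=12):
    """Return the reasons a password fails the policy; an empty list means it passes.
    min_length of 12 is an assumed floor; the post only says longer is better."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name}")
    return failures


def username_is_default(username):
    """True if the login name is one of the well-known defaults."""
    return username.strip().lower() in DEFAULT_USERNAMES


def keyspace(password):
    """Number of candidates an attacker must try if they know which character
    classes are in use but not the password: (sum of class sizes) ** length."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second=1e9):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("admin123", "abcdefgh", "Tr0ub4dor&3xample!"):
        print(pw, policy_failures(pw) or "passes",
              f"{seconds_to_exhaust(pw):.3g} s at 1e9 guesses/s")
```

Doubling the length of an all-lowercase password multiplies the search space by 26 to the power of the added length, which is the point the post makes about length mattering more than any single trick.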
Secondly, make sure WordPress, your themes and plugins are up to date. Because of the immense popularity of WordPress, it has become a favorite target for hackers. Much like the anti-virus program on your computer is continually updating, so too is WordPress. Some WordPress installations will automatically update when new versions are available; many don’t. If yours is one that doesn’t, you will need to manually update your WordPress version. When you log in to your WordPress dashboard, it will show you the version you are running as well as the current version available. As of the time of this article, the current version is 4.2.2.
Before pushing the Update To Current Version button, READ ON! As a general rule, updating to the latest version is as simple as pushing the button. BUT, if you haven’t updated in a while, the automatic update can cause your site to crash. While it can be recovered, it’s not something most people are comfortable doing. The first thing you need to do is back up your site. There are several WordPress plugins that will back up your site. Next, check your current version. If you are running a version lower than 4.0, you may need to install older versions step by step. Prior to 4.0, WordPress did not like skipping major versions (i.e. version 3.3 could not be updated to 3.6 without installing the major releases in between).
Plugins on your site will also need to be updated. The Updates page in your WordPress dashboard will show the plugins that have a newer version available. In the more recent WordPress releases, the update list will show whether the plugin is compatible with the newest version or not. If it shows it is, install the plugin update. If it doesn’t show that, you need to decide if it’s worth the risk to update. Worst case scenario – installing an incompatible plugin can cause your site to not work properly. I’ve seen blank pages, forms that didn’t send emails like before and even the whole site come up blank. To be safe, install the plugin updates one by one, checking your site in between each update.
Updating your theme is another issue. If your theme was not modified beyond the dashboard customizations, then it’s probably safe to update. If you made changes directly to the code, you definitely DON’T want to update. Updating will overwrite the existing code, and you will lose any changes you had made.
Finally, install a security program to add another layer of protection to your site. The plugin I prefer is Wordfence. It allows you to throttle back page or login attempts when they happen. I set the page views per minute to 10 or less. I also limit the login attempts to 5 or less, locking out any attempts over that for a period of time. Wordfence also sends warning notifications. If you find an IP that has been temporarily locked, you can add that IP to your permanent block list, which will prevent repeated attempts from it. This is only a minor fix, since sophisticated hackers can use multiple IP addresses.
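To show what the login throttling described above does under the hood, here is an added example (not Wordfence's code and not part of the original post) that reads web server access-log lines, counts POSTs to wp-login.php per IP in a sliding window, and applies the 5-attempt limit with a temporary lockout and a permanent block list. The 5-minute window, the 15-minute lockout, the combined-log format and the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log style line (Apache/nginx); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


class LoginGuard:
    """Sliding-window limiter for wp-login.php POSTs, modelled on the post's
    settings: more than max_attempts in the window locks the IP for a while.
    Window and lockout lengths are assumptions for this example."""

    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.attempts = defaultdict(deque)   # ip -> epoch times of recent POSTs
        self.locked_until = {}               # ip -> epoch time the lock expires
        self.permanent_block = set()

    def block_permanently(self, ip):
        """The post's 'add the IP to your permanent block list' step."""
        self.permanent_block.add(ip)

    def record(self, ip, ts):
        """Record one login POST at epoch `ts`; return 'allow', 'locked' or 'blocked'."""
        if ip in self.permanent_block:
            return "blocked"
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "locked"
        q = self.attempts[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) > self.max_attempts:
            self.locked_until[ip] = ts + self.lockout
            q.clear()
            return "locked"
        return "allow"


def parse_line(line):
    """Return (ip, epoch_ts, method, path) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["method"], m["path"]


def scan(lines, guard=None):
    """Feed every wp-login.php POST to the guard; return {ip: [verdict, ...]}."""
    guard = guard or LoginGuard()
    verdicts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            verdicts[ip].append(guard.record(ip, ts))
    return dict(verdicts)


# Constructed sample log: seven rapid login POSTs from one address,
# one normal login from another, and a page view that is not a login.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jun/2015:13:45:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 3321'
    for i in range(1, 8)
] + [
    '198.51.100.7 - - [10/Jun/2015:13:46:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Jun/2015:13:46:11 +0000] "GET /about/ HTTP/1.1" 200 8812',
]

if __name__ == "__main__":
    for ip, results in scan(SAMPLE_LOG).items():
        print(ip, results)
```

Running it on the sample shows 203.0.113.5 allowed for five attempts and locked from the sixth on, while the single legitimate login is unaffected; the post's caveat still applies, since an attacker spreading attempts across many addresses stays under the per-IP limit.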
WordPress is a powerful web platform, with its versatility and ease of use, but with that comes the security risk. Gone are the days of building your site and letting the server security take care of the risks. Today, you must take an active role in protecting your site. Be vigilant; you never know when someone is probing your site for an opening.