It was weeks ago since the highly-distributed global attack on WordPress installations across virtually every web host in existence started. Today, it is very unfortunate that these attacks remain and still on-going.

This attack is well organized and again very, very distributed; According to Krebson Security a Texas based web hosting company, one of the largest hosting providers in the United States, suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

At Jolly Works Hosting we are taking several steps to mitigate this attack throughout our servers, but in the same breath it is true that in cases like this there is only so much that can actually be done, and first line defense is YOU. So we've highlighted few recommendations that Anthony Wing Kosner wrote on Forbes.com. Please take time to read and follow these recommendations below to minimize the risk of your WordPress site being compromised.

  1. Avoid Obvious Passwords: A simple check of the security requirements recommended by WordPress will make brute force attacks much more difficult. As Mike Isaac points out in All Things D, “Hackers go after the low-hanging fruit, which is most often found in the novice Web users who don’t take the time to switch from their default login information.” A secure password is a mix of at least eight upper and lowercase letters, numbers and the kinds of ‘special’ characters used to depict curse-words (^%$#@*)!
  2. Ditch The Admin Username: The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations. So if you are still using “admin,” create a new user with admin privileges (you will need to use a different email address than the one attached to the current admin) and give it a strong password as defined above. Then log back in as the new user and delete the old admin account and assign all of the posts in that account to the new user. Five minutes, tops.
  3. Use Two Factor Authentication on WP.com: If you have a WP.com account, take advantage of their two-step authentication which assures that you are a human logging in, not a bot.
  4. Update WordPress: Many hackers exploit holes that have ben identified in older versions of WordPress, so keeping your install up to date is another easy way to avoid trouble, though this is not as immediately relevant as the above two action items. WordPress founder Matt Mullenweg advises that if you do these first three “you’ll be ahead of 99% of sites out there and probably never have a problem.”
  5. Install A Security Plugin: Using something like the Better WP Security plugin is probably agood idea in general, it won’t do anywhere as much in this case as the suggestions higher up the list. Mullenweg writes, “Most other advice isn’t great—supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin [like Better WP Security] isn’t going to be great (they could try from a different IP a second for 24 hours).”
  6. Consider A Service Like CloudFlare: The Ars Technica article recommends, “operators can sign up for a free plan from CloudFlare that automatically blocks login attempts that bear the signature of the brute-force attack.” Just remember that, as Mike Isaac points out, CloudFalre itself has been “ringing the alarm bells (while simultaneously pimping the company’s own security services.)” See this post from the CloudFlare blog that raised this issue to the awareness of Goodin and Isaac, and make your own judgement.
For added security, you may also visit this KB article. Shall you need help on this, please do not hesitate to contact us at support@jollyworkshosting.com.

Saturday, May 25, 2013





« Enrere