On April 11 I became aware of “brute force” login attempts on WordPress sites world-wide – I read of it on a few LinkedIn discussions, followed some of the links, and realized this was a major assault on WP sites. The focus of the attack was on sites that use “admin” as the username and easily guessed passwords for the Administrator account(s). One of the first things I learned when working with WordPress is that you should NEVER use “admin” as a username and should always use SECURE passwords. I have never used “admin”, but have been inconsistent in using truly strong passwords.
I did a quick check of the multiple WP sites I manage (on Thursday afternoon/evening). They are on a variety of hosting services, including GoDaddy, which seemed to be one of the primary targets. Yes, there was evidence that the sites were under attack. My basic WP setup includes a plugin called Bad Behavior, and it was logging (in some cases) hundreds of attempts to log in to sites using “admin” and passwords such as 123456789, aaaaaa, a1b2c3b4, password, etc. But that’s all these were, attempts. In some cases, the sites had slowed to a crawl for visitors. None of the sites were “down”, just slow, and none of the sites were compromised.
I read voraciously to find out what else I could do to protect the sites, and one plugin was highly recommended – Limit Logins. It locks out the IP of anyone attempting to log in after 3 unsuccessful tries, and logs the IP, thereby halting repeat attempts from that particular IP. I installed that plugin on the sites as well, on April 12-13. Reviewing the logs over the next few days, several of the sites have had IPs locked, which means less spam traffic trying to log in, and site performance improvement in spite of the “attack”.
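To make the lockout behaviour described above concrete, here is an added Python example (not the Limit Logins plugin's own code): it replays a constructed failed-login log, locks an IP after three consecutive failures, refuses further attempts while the lock is active, and tallies which usernames were targeted. The log format, IP addresses and timings are constructed for illustration and are not real Bad Behavior or Limit Logins output.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one login outcome per line (not real plugin output).
SAMPLE_LOG = """\
2013-04-12 03:14:07 FAILED ip=203.0.113.5 user=admin
2013-04-12 03:14:09 FAILED ip=203.0.113.5 user=admin
2013-04-12 03:14:12 FAILED ip=203.0.113.5 user=admin
2013-04-12 03:14:15 FAILED ip=203.0.113.5 user=admin
2013-04-12 03:20:00 FAILED ip=198.51.100.9 user=admin
2013-04-12 03:21:00 SUCCESS ip=192.0.2.44 user=editor
2013-04-12 05:14:20 FAILED ip=203.0.113.5 user=admin
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, outcome, ip, user)."""
    date, time, outcome, ip_field, user_field = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, outcome, ip_field.split("=", 1)[1], user_field.split("=", 1)[1]


def apply_lockouts(log_text, max_failures=3, lockout=timedelta(minutes=20)):
    """Replay the log with a per-IP lockout after max_failures consecutive failures."""
    failures = defaultdict(int)   # consecutive failed attempts per IP
    locked_until = {}             # ip -> time the lock expires
    lockouts = []                 # (ip, time the lock was applied)
    targeted = Counter()          # usernames seen on failed attempts
    blocked = 0                   # attempts refused while an IP was locked
    for line in log_text.splitlines():
        ts, outcome, ip, user = parse_line(line)
        if outcome == "FAILED":
            targeted[user] += 1
        if ip in locked_until and ts < locked_until[ip]:
            blocked += 1          # refused before any password check
            continue
        if outcome == "SUCCESS":
            failures[ip] = 0      # a real login resets the counter
            continue
        failures[ip] += 1
        if failures[ip] >= max_failures:
            locked_until[ip] = ts + lockout
            lockouts.append((ip, ts.isoformat(sep=" ")))
            failures[ip] = 0      # a fresh count starts once the lock expires
    return {"lockouts": lockouts, "blocked": blocked, "targeted": targeted}


if __name__ == "__main__":
    print(apply_lockouts(SAMPLE_LOG))
```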
Not all, but several of the WP administrator accounts were inaccessible for a few hours on Friday morning, April 12, due to hosting providers blocking backend access to everyone. Access was restored by afternoon, and no sites actually went down.
Over the weekend I continued to read and follow the news and monitor the websites under my control – the attack continues, as evidenced by the Bad Behavior logs and lockout stats on multiple sites.
During the first few days of this week I have taken two more steps to further secure my own computer and sites – LastPass and CloudFlare. If successful, I will be contacting clients and recommending actions.
LastPass is a random password generator that creates very strong, very secure passwords, and remembers them so you don’t have to. All you need is ONE password (the “last” password you’ll need to remember!) to access and activate LastPass and it does the rest. I’ve actually had it on my computer and started to use it on a couple of sites some time ago, but did not use it consistently. I am making a determined effort to get ALL my passwords secure and safe in LastPass. The Premium version syncs across your mobile devices (tablets and smartphones) and is only $12 a year (that’s $1 a month!!) http://lastpass.com
CloudFlare is a CDN (Content Delivery Network) that filters out bad traffic, and optimizes the delivery of your website to legitimate visitors. A simple DNS change routes visitors through CloudFlare’s network, with a significant improvement in performance and a decrease in spam and other attacks. Of interest – sites on CloudFlare were protected from the recent brute force attacks and have little to no “attempts” or lockouts. I added my business site today (April 17) and look forward to improved speed on the site and lower stats on Bad Behavior and Limit Logins. http://cloudflare.com
Security of any website, WordPress or otherwise, is an ongoing battle. Because WordPress is so widely used, it’s a frequent target for spammers and hackers, but there are steps you can take to make your WordPress installation unique, less susceptible to spam, and more difficult to “hack”. Using CloudFlare’s CDN adds a layer of protection to whatever steps you choose to implement in your WordPress installation.
I will be following up with each of my clients and providing a report on how sites were affected (or not affected) by this recent activity, and recommending steps to improve security. It’s “all in a day’s work”, but one part of my workday that could be eliminated and I would not miss it one bit.