April 17, 2013 at 4:49 am #35914
I’ve heard about some pretty big attacks going on right now targeting WP websites. I was told attackers are using brute force against WordPress’ admin pages using the old default username “admin” and then trying thousands of passwords. There’s nothing new about that approach, but what makes this attack different, and particularly potent, is that the attackers have some 90,000 unique IP addresses at their disposal. I have read to check out a plugin called bulletproof security and consider buying an SSL.
Any advice? I’m a real newbie; how do I buy these plug-ins and an SSL?
Also, how do I get my site backed up outside of WP?
April 17, 2013 at 8:39 am #35943
Unless you have another need, save your money on an SSL certificate and save your money on security plugins.
The 4 best things you can do are to not use a series of usernames, including:
Next, use strong passwords.
Third, whatever username you use, be sure to not publicly display it and if possible, turn off author archives.
Fourth, be sure the devices you use to access your server are secure. Compromised local machines are an easy way to steal server credentials.
A successful brute force attack, just like any successful login, requires both the username and a correct password. If you don’t use the username that the attackers are using, you’ve stopped the attack in its tracks.
There’s another aspect to brute force attacks, and that’s how they can become a denial of service (DoS) attack when repeated a large number of times in a short time frame. There’s no easy way for a “newbie” to deal with this, because it involves doing things at the server level. If you’re on a shared server and don’t have server admin skills, you have to hope that your host is doing its job and monitoring the traffic on its network.
April 17, 2013 at 1:46 pm #35992
WPFence was just recommended to me… and I’m switching all my “admin” to NOT admin. When you say “Don’t display user name publicly”… is there a spot to do that??
Chrissy Morin – Your Web Chick – Denver CO
April 17, 2013 at 2:07 pm #35995
When you edit a user, you’ll see a setting for Display name publicly as. If your Username is ChrissyMorin, you want to display something else (by filling in the first/lastname or nickname) and then using the dropdown on that setting, so attackers can’t easily learn your username. Of course, if your author archive is on a link with your username, one can figure out the username, so that’s why you need to avoid using author archives, which is harder to do on a multi-author blog.
Most security plugins come too late to do much help. If it’s a plugin, it’s PHP-based, and that means a potential attacker is already reaching your WP system. Because they have to examine each visitor, they also slow down your site.
If your site is set up with good security practices from the outset, almost all security plugins running under PHP aren’t going to help you much.
April 17, 2013 at 2:10 pm #35996
Ah ok, gotcha. I use the Yoast SEO plugin and it lets you “turn off” author archives; guess I’ll put that on the to-do list too.
No problems “SO FAR” but got a scary letter from my hosting company so I figured I should go through things.. on many old sites I have “admin” so I figure that’s the first thing to change..
Chrissy Morin – Your Web Chick – Denver CO
April 17, 2013 at 2:34 pm #35997
Absolutely, drop admin accounts at once, and check all other accounts against the list I posted. The brute force attacks are using a narrow set of names and re-trying them over and over, so if your install doesn’t include those usernames, there’s no chance that this particular attack will succeed.
However, an attacker can still try to learn valid usernames on your WP installation and attempt to brute force those, so that’s why you want to keep those usernames private.
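The checks recommended across this thread (no commonly brute-forced logins, a display name that differs from the login, and no author archive slug that leaks the login) as one small audit script. This is an added example, not code from the thread or from WordPress; the common-login list beyond “admin” is a constructed example list, and the rule that WordPress derives the author-archive slug (user_nicename) from the login is the example’s own simplified assumption.

```python
import re
from dataclasses import dataclass

# Logins the thread says attackers retry over and over. "admin" is from the
# thread; the remaining entries are a constructed example list, not the
# poster's own list (which is not reproduced on the page).
COMMON_LOGINS = {"admin", "administrator", "root", "test", "user"}


@dataclass
class WpUser:
    user_login: str      # the login name used on wp-login.php
    user_nicename: str   # slug used in /author/<nicename>/ archive URLs
    display_name: str    # the "Display name publicly as" setting


def login_slug(login: str) -> str:
    """Simplified version of how WordPress builds the default nicename from the login."""
    return re.sub(r"[^a-z0-9-]", "", login.lower().replace(" ", "-"))


def audit_user(u: WpUser, author_archives_enabled: bool = True) -> list[str]:
    """Return the findings for one account; an empty list means nothing to fix."""
    findings = []
    login = u.user_login.lower()
    if login in COMMON_LOGINS:
        findings.append("login is on the commonly brute-forced list; create a new account and drop this one")
    if u.display_name.strip().lower() == login:
        findings.append("display name equals the login; set a nickname and change 'Display name publicly as'")
    # Even with a different display name, the author archive URL still exposes
    # the login when the nicename was never changed and archives are enabled.
    if author_archives_enabled and u.user_nicename.lower() == login_slug(u.user_login):
        findings.append("author archive slug reveals the login; disable author archives or change the nicename")
    return findings


def audit_users(users: list[WpUser], author_archives_enabled: bool = True) -> dict[str, list[str]]:
    """Map each login with findings to its list of findings (clean accounts are omitted)."""
    report = {}
    for u in users:
        findings = audit_user(u, author_archives_enabled)
        if findings:
            report[u.user_login] = findings
    return report


if __name__ == "__main__":
    # Constructed sample accounts, not data from any real site.
    sample = [
        WpUser("admin", "admin", "admin"),
        WpUser("ChrissyMorin", "chrissymorin", "Chrissy Morin"),
        WpUser("jdoe", "jane-d", "Jane D."),
    ]
    for login, findings in audit_users(sample).items():
        print(login, "->", "; ".join(findings))
```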
April 18, 2013 at 3:02 am #36101
I have started using http://www.securescanpro.com/ on my sites this week,
April 18, 2013 at 9:36 am #36152
While I don’t intend to criticize any particular plugin, almost all security plugins in WP aren’t worth the time and the premium ones aren’t worth the money.
For example, plugins that scan WP installs for modified files imagine a WP setup where a web visitor CAN modify files in your WP install. If you set up your WP install so that a web user can’t write to folders with code and you access your server securely (via SFTP or SSH), scanning files isn’t necessary and ends up wasting resources that could be used to serve site visitors.
It’s the same with brute force attacks. If your site doesn’t have users with the usernames that attackers use to attack – and almost all attackers use a very, very narrow set of usernames – a brute force attack is never going to work.
It’s true that WP sites are successfully attacked every day, but the successful attacks are not because the site wasn’t running a security plugin. Attacks are successful because a) people run out-of-date WP or out-of-date plugins that have had security holes identified and patched, b) server credentials are compromised, sometimes because the PC from which a user accesses the server is compromised, c) the WP install was set up insecurely from the start, or d) a user is tricked into installing a plugin from a bad source.
If you avoid those common problems, you don’t have to worry about WP security plugins.