Over the last few weeks WordPress-based websites across the globe have come under attack. Malicious computers have been attempting a ‘brute force’ attack that has made sites run slowly, taken some sites down, and possibly broken into and infected others.

This is a note, intended for my clients, but that will be useful to anyone who doesn’t know about the attack, doesn’t quite understand what’s gone on, and wants to know what to do about it and how to stay safe. Because it’s intended as information for my clients, it may sound like an ‘ooh, look at me and all the things that I do’ kind of post, for which I can only apologise.

NOTE: This is not an in-depth technical explanation! It’s an attempt to explain in layman’s terms what is going on. In simplifying the terminology, I may even write things that are slightly incorrect. The aim here is high-level understanding, not a detailed technical write-up.

Viruses, Trojans, Spam

First of all I should say that computer attacks and viruses are common. Even normal. We all get spam email. And many of us have heard about viruses and ‘trojans’ that can infect our PCs. These things are as much a part of digital life as coughs and colds and tummy bugs are part of normal human life.

And just as normal human life has vitamins, balanced diets, exercise and hygiene to help ward off bugs, there are things we can do in the digital world to keep things from harm.

Anti-virus software is one example, but there are also things you can do if you own a website to protect yourself or your organisation.

This Attack

The current WordPress attack is a ‘brute force’ attack. Brute force attacks aren’t clever and can be easily defended against. In this case the attack relies on the fact that WordPress comes with some default settings, and if you don’t change those, they give the attacker a head start on breaking in.

For example, WordPress comes with a default login address (/wp-admin) and a default administrator username (admin). So if I go to http://yoursite.com/wp-admin and enter admin as the username, the only thing I’m missing is the password. I’ve already got two of the three bits of information needed to log in.

And WordPress doesn’t care how many times I try to log in. So an attacker can just write a program that tries to log in repeatedly using lots of different passwords, hoping one of them works.

And that’s exactly what has been happening to WordPress sites across the world recently.

If you have a WordPress website where you’re using the default settings and have an easy-to-guess password, then you’re at risk. It’s not yet clear what you’re at risk of; breaking and entering is just the first step in something that is probably much bigger.

The Effects

The effect of this attack is that, because the attackers are repeatedly and frequently trying to log in to websites, the computers that run those websites are suddenly under great strain trying to process all the login requests. This slows them down and can cause them to break entirely.

Of course, if an attacker gains access then lots of other problems could potentially follow, but I’ve not yet seen an analysis of what the attack does once it’s broken in.

Good Practice

There are hundreds if not thousands of blog posts and articles about protecting WordPress. The following is a list of steps you can take that will remove most of the risk of this kind of attack.

1. Use a strong password.
2. Don’t have ‘admin’ as your administrator username.
3. Use a plugin that locks out people who make lots of failed login attempts.
4. Take backups
5. Monitor your site
6. Keep your software up to date
7. Disable plugin and theme editing

1. Use a strong password

As far as client passwords are concerned, I don’t have that much control. It’s really up to you to make sure that your password is good enough to withstand a brute force attack. This means avoiding single words that are in the dictionary; names, places, dates, etc. that could be associated with you; and simple combinations like ‘abc’ and ‘123’.

I’d encourage you to use a long password (10 characters or more) with lower case letters, upper case letters, numbers and symbols (like £, %, #). I’d encourage you to use different passwords on different websites too. And there’s a load more detail on how you can achieve this in a previous blog post.

As for me… well, I’m not giving my secrets away, but yes, I do follow my own rules, and then some! Clients don’t need to worry about me having an account on their website.
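To make the rules above concrete, here is an added example (my own illustration, not a WordPress feature or a plugin) that checks a candidate password against exactly the points listed: length of 10 or more, a mix of lower case, upper case, digits and symbols, no single dictionary word, no personal details, and no simple sequences. The word list and the personal details are tiny constructed samples; a real check would load a full dictionary and the user’s own details.

```python
import re

# Constructed, deliberately tiny word list standing in for a real dictionary.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "football"}

# Constructed sample of details associated with a person (surname, town, birth year).
PERSONAL = {"smith", "london", "1985"}

# Simple combinations the post warns against.
SEQUENCES = ["abc", "123", "qwerty"]


def password_problems(pw, personal=PERSONAL):
    """Return a list of reasons the password fails the post's rules (empty if it passes)."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")

    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("missing lower/upper/digit/symbol mix")

    low = pw.lower()
    # Strip digits and symbols so that 'password1!' is still recognised as a dictionary word.
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY:
        problems.append("dictionary word with trivial decoration")

    for detail in personal:
        if detail.lower() in low:
            problems.append(f"contains personal detail '{detail}'")

    for seq in SEQUENCES:
        if seq in low:
            problems.append(f"contains simple sequence '{seq}'")

    return problems


def is_strong(pw, personal=PERSONAL):
    """True only when no rule is broken."""
    return not password_problems(pw, personal)


if __name__ == "__main__":
    for candidate in ["password1!", "London1985!", "Abcdef123!X", "Tr0ub4dor&3xample!"]:
        print(candidate, "->", password_problems(candidate) or "OK")
```

The point of the check is that length and character mix alone are not enough: ‘London1985!’ passes both and is still a bad password because it is built from details an attacker could find out about you.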

2. Don’t have ‘admin’ as your administrator username

This is pretty self-explanatory and since I started working with WordPress this is something I’ve done. Again, client websites aren’t at risk here.

If you run your own website and have an ‘admin’ user then I’d recommend taking steps to create a new admin user and delete the old one. Read about how to do this in some of the articles referenced at the bottom of this post.

3. Use a plugin that locks out people who make lots of failed login attempts

The idea here is that a brute force attack may come from a single location, and there are plugins that will lock that location out of your site after a set number of failed logins, which stops the attack.

The two plugins I know of that do this, and that seem to be the most recommended, are:

I install one of these on all new sites and, if you run a WordPress site, you should have one installed too.

This wouldn’t actually defend you against the current attack, which is being made from a co-ordinated system of nearly 100,000 locations, each of which only needs to make a few attempts. But it might defend you from other, simpler attacks.
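The following added example (my own illustration, not the code of either plugin) shows in a few lines both what a lockout plugin does and why it misses the distributed attack described above. It runs the usual per-IP rule (lock out a source after five failures in fifteen minutes) over two constructed sets of failed-login events, one from a single address and one spread across many addresses, and then applies a second, per-account view that counts failures against a username regardless of where they came from. The IP addresses and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, source IP, username tried). In practice these
# would come from a lockout plugin's own records or from the web server's log of
# failed POSTs to wp-login.php.
def _t(minute):
    return datetime(2013, 4, 15, 10, minute)

# One address hammering the 'admin' account (203.0.113.0/24 is a documentation range).
SINGLE_SOURCE = [(_t(i), "203.0.113.7", "admin") for i in range(6)]

# The same number of attempts spread over eight different addresses (198.51.100.0/24,
# also a documentation range), one attempt each, mimicking the co-ordinated attack.
DISTRIBUTED = [(_t(i), f"198.51.100.{i + 1}", "admin") for i in range(8)]

# A real user mistyping their password twice; should trigger nothing.
LEGIT_TYPOS = [(_t(0), "192.0.2.10", "sam"), (_t(1), "192.0.2.10", "sam")]


def locked_out_ips(events, threshold=5, window=timedelta(minutes=15)):
    """Per-source-IP lockout, the rule a 'limit login attempts' plugin applies:
    an IP that fails `threshold` times within `window` is locked out."""
    recent = defaultdict(list)
    locked = set()
    for ts, ip, _user in sorted(events):
        # keep only this IP's failures that are still inside the window
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) >= threshold:
            locked.add(ip)
    return locked


def targeted_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """Per-account view: usernames with `threshold` failures inside `window`,
    together with how many distinct source IPs produced them."""
    recent = defaultdict(list)
    flagged = {}
    for ts, ip, user in sorted(events):
        recent[user] = [(t, i) for t, i in recent[user] if ts - t < window] + [(ts, ip)]
        if len(recent[user]) >= threshold:
            flagged[user] = len({i for _, i in recent[user]})
    return flagged


if __name__ == "__main__":
    for name, events in [("single source", SINGLE_SOURCE),
                         ("distributed", DISTRIBUTED),
                         ("legit typos", LEGIT_TYPOS)]:
        print(name, "locked IPs:", locked_out_ips(events),
              "targeted accounts:", targeted_accounts(events))
```

The single-source run locks the one address, as a plugin would. The distributed run locks nothing, because no address ever reaches the threshold, yet the per-account view shows ‘admin’ under attack from eight places at once. That second signal is best used to alert you rather than to lock the account, since locking an account on failed attempts would let an attacker keep the real administrator out, which is why a strong password and a non-default username remain the defences that actually hold against this attack.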

4. Take backups

If you don’t know what a backup is, it’s a copy of your website files that you keep safe. It represents a snapshot in time of your website’s software and content, and taking and keeping a backup allows you to ‘restore’ your site to the point in time at which the backup was taken.

This is good practice anyway and can be useful for all sorts of reasons. But during this time of attack it may be the only way you can get your site back if you are broken into.

There are two things that you need to back up with a WordPress site:

  • the files that make up your site
  • the database that contains the content and settings for your site

It may well be that your hosting company takes backups and can help you restore your site in an emergency. But if not, or if you’re not sure what your hosting company’s arrangements are, then it’s really worth taking your own backups.

There are a variety of tools – plugins, management tools, and specific backup services – that can help you do this. I won’t cover the details here as it’s worthy of a blog post of its own.

I, personally, use a management tool that allows me to do a whole load of things, including backups. These are done once a week and stored with a secure, resilient storage service, so clients can be sure that their site is safe and can be restored in the event of a security breach.

5. Monitor your site

This isn’t quite so key, but it can reduce the time that your site is out of action. I use a monitoring service to make sure that websites I manage are working OK and to alert me if there are certain problems. In most cases this is just making sure that the homepage is responding, but it’s possible to do more complex tests for more specific conditions.

I can really recommend StatusCake for this kind of monitoring (please use my affiliate link if you’re interested)

There are other, more expensive services that can do more sophisticated things, like regular security checks, too.

6. Keep your software up to date

This, again, isn’t directly related to brute-force attacks, but is a good security measure to take.

The main WordPress software (referred to as the ‘core’) and any plugins installed will all have occasional updates, and these updates will sometimes address security issues. So keeping software up to date is another step towards keeping your site secure.

The management tool that I use helps me keep software up to date by allowing me to do bulk updates, which I do in conjunction with my backup schedule, so that if something goes wrong, I can easily ‘undo’ the update.

I compared WordPress management tools in a blog post a while back.

7. Disable plugin and theme editing

This is a pretty simple and vital security measure which I’m putting in place on all new sites and which I’m in the process of implementing on existing sites. I’m doing this in response to the very few hacked client sites that I’ve had. On reviewing the details of exactly what happened, I found that the hacker had used the built-in plugin and theme editors to carry out the attack: once logged in, those editors let anyone with an administrator account change the PHP files of your site from within the WordPress dashboard.

There is a simple, one-line change that can be made to the WordPress configuration that disables these editors and prevents this kind of attack. To do this, simply edit wp-config.php and add, towards the bottom:

`define( 'DISALLOW_FILE_EDIT', true );`

Having been hacked this way, I’m kinda amazed that this is enabled in WordPress by default. But it is, and I’m disabling it on all sites from now on.

I’m indebted to WP Beginner for the tip on how to do it, though it’s worth noting that they do it for a different, but equally good reason.

Additional measures

It’s also worth noting that most hosting companies – including mine – have implemented additional security measures to reduce the risks of this attack. This usually takes the form of an additional login screen or pop-up in front of the WordPress login page, where the username and password are provided for you in the prompt, or of a “captcha” – one of those things where you type in the jumbled-looking word shown to you. Either way, the automated attack program can’t get past this extra step to reach the WordPress login itself.

So if you see an additional login prompt, follow the instructions or enter the username and password provided.

Summing up

I hope that’s explained what’s going on and what steps I’ve taken, or am taking, to keep your sites safe.

There’s loads more information and security advice out there and the following blog posts have informed this article and my own approach, and include further tips and tricks on keeping your site secure.