There is a major online attack on WordPress sites going on at the moment. A large botnet is trying to break into WordPress sites by guessing usernames and passwords on the admin login page (wp-login.php). Once in, the attackers can add code to your site that in effect makes your server part of their growing network. You may have noticed some unusual traffic on your site lately, or if you have a plugin called Limit Login Attempts you will be getting frequent notices of failed login attempts. This is a serious matter and it is putting a strain on many servers. Luckily there are some steps you can take to protect your site, and you need to do them immediately.
First off, the most common problem is using "admin" as your login and a really easy password. The hackers know this and are doing their very best to attack these sites first. I know, WordPress does not let you rename a user from the dashboard, so on most installations "admin" is stuck as "admin". That's ok, there is a fix which I will explain in a moment. The biggest thing is to put in a strong password: long, random, and something only you could know. No dictionary words, no phrases, no common things like "password1". A guessing attack like this one works from a list of the most common passwords, so anything on such a list is as good as no password at all. Google "password generator" and you can find some good, free tools; a long random string from one of those is exactly what you want.
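To make the advice above concrete, here is a small password generator and checker, added as an example for this post (it is not code from any plugin or from WordPress itself). The 12-character minimum, the symbol alphabet and the short list of common passwords are assumptions chosen for the example; a real blocklist would be far longer.

```python
"""Added example (not from the post): generate strong passwords, reject weak ones."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
MIN_LENGTH = 12  # assumed minimum for this example

# Constructed, illustrative sample of the guesses every brute-force list tries first.
COMMON = {"password", "password1", "admin", "admin123", "123456", "qwerty",
          "letmein", "welcome", "wordpress"}

def character_classes(pw):
    """Which of lowercase, uppercase, digit and symbol appear in pw."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }

def weak_reasons(pw):
    """Return the reasons a password would fall to this kind of guessing attack."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    base = pw.lower().rstrip("0123456789!")  # catch 'Password123!' as well as 'password'
    if pw.lower() in COMMON or base in COMMON:
        reasons.append("on the common-password list")
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return reasons

def generate_password(length=20):
    """Random password from the OS CSPRNG, regenerated until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(character_classes(pw).values()):
            return pw

def entropy_bits(length, alphabet=ALPHABET):
    """Bits of guessing work for a uniformly random password of this length."""
    return length * math.log2(len(alphabet))

if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, f"({entropy_bits(len(candidate)):.0f} bits)")
    for sample in ("admin", "Password123!", candidate):
        print(repr(sample), "->", weak_reasons(sample) or "ok")
```

The generator uses `secrets`, not `random`, because the latter is not designed for secrets. A 20-character password drawn from this alphabet is about 125 bits of guessing work, far beyond what any botnet can try against a login form, whereas "Password123!" fails the check even though it has every character class, because it is just a dictionary word with the usual decorations.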
Next, if you have others who access your site, make sure they have strong credentials too. Otherwise kick them out. Be firm on this one: your site is only as strong as its weakest account, and the attackers do not care whose password they guess. If you have guest writers or bloggers, they had better have strong credentials; otherwise remove their accounts and have them email their contributions directly to you to edit and post.
Now for some important precautions. There are three free plugins you need to add right now and set up on your site. No argument, do it now.
1. Captcha, an incredibly simple plugin. It adds a math problem that must be solved before a login is accepted, which stops a script from simply firing guesses at the form, and you can add the same check to other parts of your blog, like comments and contact forms. It's easy to set up and only takes a few moments.
2. The aforementioned Limit Login Attempts. This temporarily blocks an IP address after it fails to log in a set number of times. You can set it up to be as strict as you want with two layers of blocks: the first locks an address out for a certain number of minutes after a set number of failed attempts, and the second locks it out for hours after a certain number of those lockouts. You can also set how long it waits before it forgets the counts, typically around a day. It will also send you an email with the IP address that was locked out. If you self-host and have the ability, you can add that IP address to a block list in your server's control panel to refuse it permanently. Given that there are over 90,000 IP addresses involved in this attack, you won't get them all, and the botnet simply moves on to the next address, but it does weed out the individual attackers and it stops any one address from hammering your login.
3. Better WP Security. This is a big one and somewhat complicated, but it does a good job. This plugin adds many new layers of security to your site. It lets you change that "admin" login to something else, enforces stronger passwords, limits login attempts, and much more. (If you would rather not use a plugin for the rename, create a second administrator account with a different username, log in as that account, delete "admin", and attribute its posts to the new account when WordPress asks.) Be very careful using this plugin, as you can break your site if you are not careful. One of the first things it does is prompt you to back up your site, so if something breaks you can restore it. Follow the steps for the settings and do what you are comfortable with. If there is something you are not sure about, get some help from your host.
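The two-layer lockout in item 2 is easier to reason about when you see it run. The following is an added example written for this post, not the plugin's code: a tracker that applies a short lockout after a run of failures, escalates to a long lockout after repeated short ones, forgets its counters after a quiet period, and collects the addresses that earned the long lockout as candidates for a server-level block list. The thresholds (4 failures, 20 minutes, 4 lockouts, 24 hours, 12-hour reset) are assumptions for the example, and the log lines it runs over are constructed, not captured from a real server.

```python
"""Added example (not Limit Login Attempts' own code): a two-tier login lockout
tracker run over constructed wp-login failure log lines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds assumed for the example; use whatever your plugin's settings page shows.
RETRIES = 4                          # failures before a short lockout
SHORT_LOCKOUT = timedelta(minutes=20)
LOCKOUTS_BEFORE_LONG = 4             # short lockouts before a long one
LONG_LOCKOUT = timedelta(hours=24)
RESET_AFTER = timedelta(hours=12)    # quiet period that clears both counters

class LockoutTracker:
    def __init__(self):
        self.retries = defaultdict(int)     # failures since the last lockout, per IP
        self.lockouts = defaultdict(int)    # lockouts since the last reset, per IP
        self.locked_until = {}              # IP -> datetime the current lock expires
        self.last_seen = {}
        self.events = []                    # (ip, when, duration): what the email reports
        self.outcomes = Counter()

    def failed_login(self, ip, when):
        """Record one failed login; return 'locked', 'lockout' or 'counted'."""
        last = self.last_seen.get(ip)
        if last is not None and when - last > RESET_AFTER:
            self.retries[ip] = 0            # long quiet: forget this address
            self.lockouts[ip] = 0
        self.last_seen[ip] = when
        if ip in self.locked_until and when < self.locked_until[ip]:
            self.outcomes["locked"] += 1    # rejected before credentials are even checked
            return "locked"
        self.retries[ip] += 1
        if self.retries[ip] < RETRIES:
            self.outcomes["counted"] += 1
            return "counted"
        self.retries[ip] = 0
        self.lockouts[ip] += 1
        if self.lockouts[ip] >= LOCKOUTS_BEFORE_LONG:
            duration, self.lockouts[ip] = LONG_LOCKOUT, 0   # second layer kicks in
        else:
            duration = SHORT_LOCKOUT                         # first layer
        self.locked_until[ip] = when + duration
        self.events.append((ip, when, duration))
        self.outcomes["lockout"] += 1
        return "lockout"

def parse_line(line):
    """Parse the constructed format 'YYYY-mm-dd HH:MM:SS <ip> wp-login failed'."""
    date, time, ip = line.split()[:3]
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip

def simulate(lines):
    """Feed every failure to the tracker in time order and return it."""
    tracker = LockoutTracker()
    for when, ip in sorted(parse_line(line) for line in lines):
        tracker.failed_login(ip, when)
    return tracker

def deny_list(tracker):
    """Addresses that earned a long lockout: candidates for a permanent server block."""
    return sorted({ip for ip, _, duration in tracker.events if duration == LONG_LOCKOUT})

def build_sample_log():
    """Constructed traffic for the example, not captured from a real server."""
    t0 = datetime(2013, 4, 12, 10, 0, 0)
    attempts = []
    # 203.0.113.5: four bursts of four guesses, 25 minutes apart, then one more guess.
    for burst in range(4):
        start = t0 + timedelta(minutes=25 * burst)
        attempts += [(start + timedelta(seconds=i), "203.0.113.5") for i in range(4)]
    attempts.append((t0 + timedelta(minutes=80), "203.0.113.5"))
    # 198.51.100.7: three guesses, 13 quiet hours, three more (counters reset between).
    for base in (t0, t0 + timedelta(hours=13)):
        attempts += [(base + timedelta(seconds=i), "198.51.100.7") for i in range(3)]
    # 192.0.2.9: a single typo from a real user.
    attempts.append((t0 + timedelta(minutes=5), "192.0.2.9"))
    return [f"{when:%Y-%m-%d %H:%M:%S} {ip} wp-login failed" for when, ip in attempts]

if __name__ == "__main__":
    tracker = simulate(build_sample_log())
    for ip, when, duration in tracker.events:
        print(f"{when:%Y-%m-%d %H:%M:%S} locked out {ip} for {duration}")
    print("outcomes:", dict(tracker.outcomes))
    print("deny list:", deny_list(tracker))
```

Run it and the first address collects three 20-minute lockouts and then a 24-hour one, after which its next guess is refused without its password even being checked; the second address never trips anything, because its two short runs of failures are separated by more than the reset window; the single typo is just counted. Only the first address ends up on the deny list, which is the behaviour you want before copying an address into a permanent server-side block: a lone mistyped password, or a colleague behind the same office address, should not get you banned from your own site.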
Some other things to watch. Spam comments seem to be on the rise too: Nike Jordans, fake brands, and the like. The comment is vague without really addressing the subject matter, and usually has some bad English in it. Mark these as spam or trash them. In Settings, under Discussion, you can require that comments be approved by you before they appear, require that a commenter have a previously approved comment, and automatically close comments on posts older than a set number of days. You can also build a list of key words (in the comment moderation and blacklist boxes) so that any comment containing them goes straight to moderation or spam. Delete all the bad comments at once and never ever reply to any of them. They are computer generated, and Darwin knows what's lurking behind the links in them.
That’s about it for the moment. I hope I AM scaring you a bit because if you are running a WordPress site you need to be taking these precautions to protect your site and your computer. If you ain’t sure, get some help from your host or even email me personally and I will help walk you through some of the more complicated bits. But if you can put up a site on your own, you should be able to handle all these plugins and precautions.
BTW, as far as I know this applies only to self-hosted sites running the WordPress software from WordPress.org, not to blogs hosted at WordPress.com. There is a big difference: on WordPress.com the hosting company runs the servers and handles login protection for you, and you cannot install these plugins there anyway.
So good luck, get to protecting your site right now, and don’t let the little bastards beat you. Let me know if any of you are having similar problems and what you are doing to fight it.