Lessons Learned From The Recent WordPress Hack Attacks
Updated 30/07/2018:
While the article itself is still just as relevant, and the attacks are only going to get worse as WordPress increases its market share, we have revised our recommended security plugin of choice to Shield Security. At the time of writing the article, Shield Security was known as ‘Simple Firewall’ and did what it said on the tin: it provided a simple firewall on your WordPress site, similar to Wordfence but not as sophisticated. It has since been taken over by a new developer and redesigned as a full security plugin. It is easy to set up and provides the protection of both Wordfence and Bulletproof Security combined, so it is now our security plugin of choice.
The free version is fine for most websites, but given the price of the premium version, we have no hesitation in recommending the Pro version to all readers now.
==========
As most of you will know by now, there was a concerted and concentrated attack on millions of websites recently. Although attacks on websites built on the WordPress platform got the most publicity, every website with a login page was attacked: WordPress, Joomla, Drupal and even hand-built websites were all hit hard.
At this stage it looks like the worst of the attacks is over, but many experts are predicting that this was just the first wave and that more is to come. The primary purpose of this wave appears to have been to find vulnerable websites and infect them with bot malware that enrols them in a botnet, which lets the attackers use each compromised website remotely to infect more websites, building up a larger network ready for the next stage.
What is the next stage?
At this stage it is hard to guess, but in our experience there are only two motives for attacks like this. The first is ego: being able to brag to their mates that they hacked x number of websites, or that they hacked yyy website and didn’t get caught.
The second is good old-fashioned greed: they want to break into websites so that they can steal money, goods or information. That is our guess here, that these people are building up a massive network of linked websites so that they can attack a major website to steal something.
So what can we learn from this attack, and how can we protect our websites?
The first thing to say is that even though all of our websites, and our clients’ websites, were hit really hard during the attacks (one was hit sixty-two times in a minute in an obviously targeted attack), not one website was breached in any way. The only damage was to page-loading speed, because the attackers’ failed attempts consumed bandwidth, and visitors probably did not even notice the slight lag, so this was not a major problem.
The first thing that needs to be done, and something we have been preaching for years, is to stop using the default Username on any of these platforms. By default, when you set up a WordPress website it uses the Username ‘admin’, and most people leave it at that. In doing so you make it twice as easy for an attacker to get into your website: he already knows the Username, so all he has to do is guess the password.
Joomla and Drupal have similar default Usernames, so this applies to them as well. Never use the default Username; always change it to something completely different, treating it much like a second password. Use a mixture of letters, numbers and special characters such as #, @ and &, and make the Username at least eight characters long.
Secondly, always use a password of at least ten or twelve characters, and again mix lower-case and upper-case letters, numbers and special characters. A free program we heartily recommend is LastPass.
It is available for nearly all computers and devices and it can be used for generating secure passwords as well as saving the passwords in a secure, encrypted manner.
Thirdly, if you have a WordPress website, download, activate and configure two free plugins from the WordPress Plugin Repository: Wordfence and Bulletproof Security. The direct downloads are:
http://downloads.wordpress.org/plugin/wordfence.3.6.7.zip and
http://downloads.wordpress.org/plugin/bulletproof-security.0.48.3.zip
or you can install them directly from your WordPress Admin page: go to Plugins –> Add New, search for the names, then click the ‘Install Now’ link.
Both need to be configured for your website, but both are easy enough to configure. If you need any help, contact us and we will send you detailed explanations to install and configure both of them.
What do they do to protect your website?
Wordfence stops brute-force attacks like the one we just had by limiting the number of times an attacker can try to guess your password before it locks them out of your site altogether. You can also configure it to lock out immediately any attempt to log in with an invalid Username, which is great if you have followed our advice and not used the Username ‘admin’, because that is the first Username they will try. It is less convenient if you have genuine but forgetful members accessing your website, because it will lock them out too; if that applies to your website, be sure to give your legitimate members an email address so they can contact you when they have been locked out. A dedicated Gmail or Ymail account is fine for this.
Bulletproof Security, on the other hand, works by hardening the vulnerable default files and folders on your website, which more sophisticated attackers use to try to gain access. Together, the two plugins make your website much more secure, especially if you also take our advice and change your Usernames and passwords to more secure ones.
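To make the lockout behaviour described above concrete (the burst of sixty-two attempts in a minute against one site, and the option of locking out any attempt with a Username that does not exist), here is an added example written for this page; it is not code from the article, from Wordfence or from Bulletproof Security. It runs the two rules over web-server-style log lines for POST requests to wp-login.php. The log lines, the `user=` field on each line and the `KNOWN_USERS` set are all constructed for the example; a standard access log does not record the submitted username, so in practice that field would come from an application or plugin log.

```python
"""Brute-force login detection over constructed wp-login.php log lines.

Two defender rules, as the article describes them for Wordfence:
  1. more than max_failures failed logins from one IP inside a sliding
     window of window_seconds locks that IP;
  2. optionally, a single attempt for a Username that does not exist on
     the site locks the IP immediately.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Accounts that exist on the (hypothetical) site. Constructed for the example.
KNOWN_USERS = {"s1te0wner#", "editor_jane"}

# Constructed line format:
#   <ip> [<dd/Mon/yyyy:HH:MM:SS +0000>] "POST /wp-login.php" <status> user=<name>
# wp-login.php answers a failed login by redisplaying the form (HTTP 200)
# and a successful one with a redirect to the dashboard (HTTP 302).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST /wp-login\.php" '
    r'(?P<status>\d{3}) user=(?P<user>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one login attempt, or None for a line we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "user": m["user"],
        "failed": m["status"] != "302",
    }


def analyse(lines, max_failures=5, window_seconds=60, lock_unknown_users=True):
    """Return {ip: reason} for every IP that should be locked out."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    locked = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["ip"] in locked:
            continue
        if lock_unknown_users and ev["user"] not in KNOWN_USERS:
            locked[ev["ip"]] = f"unknown username {ev['user']!r}"
            continue
        q = recent[ev["ip"]]
        if not ev["failed"]:
            q.clear()                 # a successful login resets the counter
            continue
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # forget failures that fell out of the window
        if len(q) > max_failures:
            locked[ev["ip"]] = f"{len(q)} failed logins in {window_seconds}s"
    return locked


def build_sample_log():
    """Constructed, time-ordered log lines covering four cases."""
    lines = []
    # Case 1: one IP hammers the real account editor_jane, eight failures in 16 s.
    for sec in range(8):
        lines.append(f'203.0.113.7 [16/Apr/2013:10:00:{sec * 2:02d} +0000] '
                     f'"POST /wp-login.php" 200 user=editor_jane')
    # Case 2: a different IP tries the default 'admin' account once.
    lines.append('198.51.100.4 [16/Apr/2013:10:00:30 +0000] "POST /wp-login.php" 200 user=admin')
    # Case 3: a legitimate user mistypes the password twice, then logs in.
    lines.append('192.0.2.10 [16/Apr/2013:10:01:00 +0000] "POST /wp-login.php" 200 user=s1te0wner#')
    lines.append('192.0.2.10 [16/Apr/2013:10:01:20 +0000] "POST /wp-login.php" 200 user=s1te0wner#')
    lines.append('192.0.2.10 [16/Apr/2013:10:01:45 +0000] "POST /wp-login.php" 302 user=s1te0wner#')
    # Case 4: slow failures, three spread over four minutes, never exceed the threshold.
    for minute in (2, 4, 6):
        lines.append(f'192.0.2.99 [16/Apr/2013:10:{minute:02d}:00 +0000] '
                     f'"POST /wp-login.php" 200 user=editor_jane')
    return lines


if __name__ == "__main__":
    for ip, reason in analyse(build_sample_log()).items():
        print(f"lock {ip}: {reason}")
```

Only the hammering IP and the IP that tried ‘admin’ end up locked; the forgetful but genuine user and the slow, sparse failures do not. Turning `lock_unknown_users` off shows the trade-off the article mentions: the ‘admin’ attempt is then just one failure and that IP stays unlocked until it crosses the threshold.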
Takeaway
[1] Never use the default Username, always change it to something more secure.
[2] Always make your password hard to guess, at least ten characters long, more is better, and always mix in lower case, upper case, numbers and special characters.
[3] If you have a WordPress based website, install and configure both Wordfence and Bulletproof Security.
[4] Wait for the next wave of hack attacks, knowing that your website is a lot more secure than most! 🙂