When you’re the most popular system out there, you’re bound to be singled out and attacked by jealous rivals. Just look at Microsoft and Google. The jealous underdog, Microsoft, even launched a Scroogled campaign in an attempt to undermine their arch nemesis, Google, the clear favorite.
Hackers Seek Out WordPress Sites to Build Zombie Army
WordPress is an obvious target for online culprits, with over 65 million users around the world. The recent campaign of brute force attacks against WordPress sites is a sign that a jealous rival has resorted to subterfuge.
The password-guessing nature of these attacks means the perpetrators are scanning the Internet for WordPress installations and attempting to log in using a list of over 1,000 username and password combinations; the recent campaign has infected over 90,000 IP addresses.
“The attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Cloudflare CEO Matthew Prince wrote in his blog post.
In other words, they are trying to build an army of zombies for future use in a cyber attack.
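The password-guessing pattern described above leaves a clear trace in a web server's access log: many POST requests to /wp-login.php from one address in a short time. As an added example (not code from the original post or from Cloudflare), the Python script below flags such addresses in constructed sample log lines; it assumes the Apache/nginx combined log format and that WordPress answers a failed login with the form again (status 200) while a successful login redirects (status 302).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not from the original post):
# 192.0.2.10 hammers wp-login.php, 198.51.100.7 logs in once and is redirected.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Apr/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Apr/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Apr/2013:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Apr/2013:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_login_attempts(log_text):
    """Group timestamps of likely failed wp-login.php POSTs by client IP."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # WordPress re-renders the form (200) on a failed login and redirects (302)
        # on success, so a POST answered with 200 is treated as a failed guess.
        if (m.group("method") == "POST" and m.group("status") == "200"
                and m.group("path").split("?")[0] == "/wp-login.php"):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            attempts[m.group("ip")].append(ts)
    return attempts

def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failures} for IPs with >= threshold failures inside any window."""
    flagged = {}
    for ip, times in failed_login_attempts(log_text).items():
        times.sort()  # entries may be written out of order
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Feeding your real access log into `find_brute_forcers` lists the addresses worth blocking at the firewall or rate-limiting in the web server; legitimate users rarely fail five logins inside a minute.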
3 Things To Do Now
As a WordPress site owner, this means taking preventive action against becoming infected with a zombie-building virus. Take the advice of WordPress creator Matt Mullenweg and make three strategic moves to keep your WordPress site from being hacked.
1. Change your password
There are several ways to change your password. The easiest way is to go to your WordPress dashboard and click on “Users” in your toolbar. Next, click on “Your Profile” and scroll down to the About Yourself section and enter in your new password.
You can also access your profile by hovering over your name in the top right corner and clicking on “Edit My Profile.”
The password strength indicator will tell you when you’ve chosen a strong password. Check out WordPress’s tips for selecting a strong password, which include what not to do when choosing one.
2. If your username is “admin,” or another name on the hackers’ list, change that too.
Most of you probably chose something other than “admin” when creating your profile. However, if you have “admin” or a common variant (e.g., adm, admin1, administrator, manager, qwerty, root, test, support, user), change it immediately.
If your username is the name you commonly use on your blog or website, changing it is advised. Remember, the username is half of your login credentials, so a guessable one does half of the attacker’s work for them.
Here’s the list of the username/password combinations that the hackers used in the recent brute force attack. Nothing like a glimpse into the mind of a cyber criminal, if this does indeed offer one.
For a simple step-by-step to changing your username, go here.
3. Keep your WordPress site and all plugins updated.
You know that little number that pops up next to the plugins on your dashboard? That’s the number of plugins that need updating at any given time.
Before updating a plugin, check that the new version is compatible with your theme by clicking “View version details.” Then update one plugin at a time, reloading your website in a separate tab after each update to confirm it is still functioning.
Doing a website backup is another wise step before updating plugins.
If this sounds neurotic to you, then you haven’t experienced a website failure caused by a plugin conflict. If your site does go down, you’ll need to deactivate the plugin. If you can’t access your dashboard to do this, you’ll need to go in through FTP (File Transfer Protocol).
Regular plugin updates are very important in keeping malware and hackers from finding a weak link in your site. Old plugins have been updated for a reason, and hanging onto out-of-date versions is an invitation for hackers to worm their way in.
If you are a Web Savvy client, call us, or call your Web hosting company to help you.
If your WordPress site has already been hacked, check with your hosting provider.
Flickr photo from Gabriel GM