This is a significant message for anyone using WordPress as either a blog or as a website vehicle: For your sake — indeed, for everyone’s sake — it’s essential to tighten the security of your site now. The following article came to my desk today, and I felt it significant enough to post it here.
For those who don’t know, WordPress is probably the premier blogging software, offered commonly with domain names and hosting services. Moreover, in the past several years, they have moved beyond blogging into some of the most significant website-creation themes as well. DonChinnici.com is, in fact, such a WordPress site. WordPress, however, perhaps in part because of its popularity, has long been criticized as being security-vulnerable. Well, for most, this is not an issue, as some of these sites hold nothing more than recipes and you-name-it slice-of-life entries of the author.
However, it is NO LONGER acceptable for any WordPress site owner to not secure their site. As you may read in the article below, the danger is no longer what they get off of your site; it’s what they are now putting on your site: small bits of code to turn your site into a “drone soldier” in denial-of-service attacks on some of the very infrastructure of our country, such as banks, other organizations, etc. If I’m going over your head here, forgive me; in short, if someone maliciously decides that they want to shut down the function of a website — Bank of America, or Amazon, or anything Federal government — they do this through multiplied machines requesting information from that site. Well, they do this, oftentimes very unwittingly, from your own computer. This is one of the latest variants in virus-related problems:
Global Attack on WordPress Sites
April 12, 2013 | Posted by: Ankita Wadhwa
As I write this post, there is an ongoing and highly distributed, global attack on WordPress installations to crack open admin accounts and inject various malicious scripts.
To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers.
We did a detailed analysis of the attack pattern and found out that most of the attack was originating from CMSs (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories.
Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data.
To ensure that your customers’ websites are secure and safeguarded from this attack, we recommend the following steps:
- Update and upgrade your WordPress installation and all installed plugins
- Install the security plugin listed here
- Ensure that your admin password is secure and preferably randomly generated
- Other ways of Hardening a WordPress installation are shared at http://codex.wordpress.org/Hardening_WordPress
[This below section is a little more technical, and I leave it for those who really need to harden their sites — or to pass on to your IT technical advisor. –Don]
These additional steps can be taken to further secure WordPress websites:
- Disable the DROP command for the DB_USER. This is not commonly needed for any purpose in a WordPress setup
- Remove README and license files (important) since these expose version information
- Move wp-config.php one directory level up, and change its permissions to 400
- Prevent world reading of the .htaccess file
- Restrict access to wp-admin only to specific IPs
- A few more plugins – wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner, wordfence, http://wordpress.org/extend/plugins/better-wp-security/. These may help on several occasions
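The three web-server items in the list above (hide .htaccess, block the version-disclosing files, limit wp-admin to specific IPs) can be done with two .htaccess files. The following is an added example written for this post, not part of the original advisory; it uses the Apache 2.2 Order/Allow/Deny syntax current in 2013 (Apache 2.4 uses Require instead), and 203.0.113.10 and 198.51.100.0/24 are placeholder addresses to replace with your own.

```apache
# ---------- web root: /path/to/site/.htaccess ----------
# Constructed example. Never serve .htaccess itself, wp-config.php, or any
# leftover copy such as wp-config.php.bak. If wp-config.php has been moved one
# level up (outside the web root) this rule still covers stray copies.
<FilesMatch "^(\.htaccess|wp-config\.php.*)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Block the files the advisory says to remove, in case an upgrade restores them
<FilesMatch "^(readme\.html|license\.txt)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# The login page lives in the web root, not under wp-admin, so the brute-force
# traffic hits it here. Only the listed addresses may reach it; others get 403.
<Files "wp-login.php">
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</Files>

# ---------- admin area: /path/to/site/wp-admin/.htaccess ----------
# Same allow-list for the whole wp-admin directory.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24

# Caveat: many themes and plugins call admin-ajax.php for anonymous visitors,
# so that one script must stay reachable or the public site breaks.
<Files "admin-ajax.php">
    Order Allow,Deny
    Allow from all
</Files>
```

After saving both files, confirm from an address that is not on the list that wp-login.php and wp-admin/ return 403 while the front page and wp-admin/admin-ajax.php still respond.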