A WordPress Attack You Should Know About (and how to protect yourself)
Earlier this month reports began to surface that a large-scale attack had been carried out against WordPress sites (along with some other popular PHP applications) hosted on shared servers at a number of hosting providers. It is apparently still unclear what the actual entry point was: a brute-force password attack, a bug in a particular version of WordPress or a plugin, or stolen passwords. Whatever it was, the attackers were able to inject malware into pages with the intention of infecting the computers of anyone who visited the blog.
While we haven’t received any reports or found any sites at Newtek that have been affected by this attack, it’s always a good idea to be aware of these emerging issues. For more information, take a look at the Sucuri Security Labs blog, as well as their quick clean-up solution if you discover that your site has been affected. You can also find some additional information about the issue on WPSecurityLock’s website.
Protect Your Blog
As WordPress continues to gain popularity, it will remain a juicy target for attackers looking to exploit any new vulnerabilities. As such, it’s pretty important that you take the necessary steps to keep your blog secure.
- Always, always keep your version of WordPress up to date.
- Always keep your widgets and plugins up to date.
- Always keep your WordPress framework and/or theme up to date.
- Use a ridiculously strong FTP password. Keep in mind that plain FTP sends that password across the network in cleartext, so if your host offers SFTP, use it instead.
- Use a ridiculously strong login password for every one of your users.
- Never, ever use the default “admin” username. Create a new administrator account with a different name, log in as that account, and delete “admin” altogether (WordPress will ask you to attribute its posts to another user when you do).
- Always keep the anti-virus and anti-malware software on your local computer up to date, so attackers can’t steal your login information from your home or work computer.
Also, you may want to take a look at some plugins that can help you keep your blog secure (just be sure to keep the plugins up to date if you use them!). For example, Limit Login Attempts blocks an internet address from trying to log in once it has made a set number of failed attempts.
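The same threshold check that Limit Login Attempts applies at the door can also be run after the fact against your web server’s access log, which is the quickest way to tell whether a site was being brute-forced. What follows is an added example, not code from the original post or from the plugin: a POSIX shell function that counts POST requests to wp-login.php per client address in a combined-format (Apache/nginx default) access log. It relies on WordPress answering a bad password by re-rendering the login form with HTTP 200 and a successful login with a 302 redirect. The log lines it runs on are constructed for the example, and the 20-attempt default threshold is an assumption, not a number from the post.

```shell
#!/bin/sh
# Added example: spot brute-force attempts against wp-login.php in an
# Apache/nginx combined-format access log. Not part of the original post.
#
# Combined-format fields, as awk splits them on whitespace:
#   $1 client IP   $6 "METHOD   $7 path   $8 HTTP/1.x"   $9 status code
#
# WordPress behaviour this relies on: a failed login POST gets the login form
# back (HTTP 200); a successful one gets a 302 redirect to wp-admin/. So "many
# 200s and then a 302" from one address is the worst case: a brute-force
# attack that eventually got in.

# usage: login_attempts_by_ip ACCESS_LOG [THRESHOLD]
# Prints "IP failed_attempts successful_logins" for every address with at
# least THRESHOLD failed POSTs to wp-login.php, busiest first. THRESHOLD
# defaults to 20 (an assumed value for the example).
login_attempts_by_ip() {
    awk -v limit="${2:-20}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            if ($9 == "200")      fail[$1]++
            else if ($9 == "302") ok[$1]++
        }
        END {
            for (ip in fail)
                if (fail[ip] + 0 >= limit + 0)
                    printf "%s %d %d\n", ip, fail[ip], ok[ip] + 0
        }
    ' "$1" | sort -k2,2nr
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# one address hammers the login page 25 times and then gets a 302; a
# legitimate user mistypes once and then logs in. Prints the temp file path.
make_sample_log() {
    log=$(mktemp)
    i=0
    while [ "$i" -lt 25 ]; do
        printf '203.0.113.5 - - [10/Apr/2013:13:55:%02d -0700] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"\n' "$i" >> "$log"
        i=$((i + 1))
    done
    printf '203.0.113.5 - - [10/Apr/2013:13:56:01 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$log"
    printf '198.51.100.7 - - [10/Apr/2013:14:02:10 -0700] "GET /wp-login.php HTTP/1.1" 200 2641 "-" "Mozilla/5.0"\n' >> "$log"
    printf '198.51.100.7 - - [10/Apr/2013:14:02:31 -0700] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"\n' >> "$log"
    printf '198.51.100.7 - - [10/Apr/2013:14:02:45 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$log"
    printf '198.51.100.7 - - [10/Apr/2013:14:02:46 -0700] "GET /wp-admin/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"\n' >> "$log"
    echo "$log"
}

# Run directly: analyse the log given as $1 (threshold $2), or, with no
# arguments, the constructed sample with a threshold of 10.
if [ -n "$1" ]; then
    login_attempts_by_ip "$1" "$2"
else
    sample=$(make_sample_log)
    login_attempts_by_ip "$sample" 10
    rm -f "$sample"
fi
```

On the sample data this reports `203.0.113.5 25 1`: twenty-five failures followed by a success, which is exactly the line you do not want to see. If you find one like it in a real log, treat the site as compromised and change every password rather than only blocking the address.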
How to Update Your WordPress Installation
As I mentioned above, keeping your version of WordPress up to date is increasingly important, and it’s probably the single most important step you can take to keep your site secure from broad attacks, which often exploit vulnerabilities in older versions of the software.
Fortunately, for all of us, WordPress makes it relatively easy to keep your software current.
Here’s our quick guide on how to do it:
1. Check that your hosting plan meets the minimum installation requirements. If you’re currently hosting your WordPress site at Newtek, your plan already meets these requirements.
2. Back up your WordPress database, so you can restore it if the update goes wrong.
3. Back up your site files, too. You can do this quickly by downloading them locally with your preferred FTP client, then zipping them up for easy storage.
*Note that while Newtek already makes nightly backups of your files, the above steps are convenient (and free) ways to gain an immediate snapshot of your database and site.
4. WordPress also recommends that you deactivate your plugins before doing the update. This step isn’t required, but it avoids potential issues with certain plugins; remember to reactivate them once the update is done.
5. If your current version of WordPress is 2.7 or higher, you can use the built-in Automatic Update feature. NOTE that if you’ve modified the default or classic themes without renaming them, you SHOULD NOT use the automatic upgrade option: those changes will be overwritten.
6. If your version of WordPress is older than 2.7, or if your automatic upgrade attempt fails, you can do a manual update instead.
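If your hosting account gives you shell (SSH) access, the two backup steps above can be done in one go instead of by hand in phpMyAdmin and an FTP client. The script below is an added example, not code from the original post or from Newtek: it reads the database settings from the site’s wp-config.php, dumps the database with mysqldump, and archives the site directory with tar. It assumes mysqldump, gzip and tar are available on the server and that wp-config.php uses the stock `define('DB_NAME', '...')` lines; the sample configuration it parses when run without arguments is constructed for the example, and the `DRY_RUN` switch and the function names are the example’s own.

```shell
#!/bin/sh
# Added example: snapshot a WordPress site (database + files) before an
# upgrade. Not from the original post. Assumes shell access to the hosting
# account with mysqldump, gzip and tar installed. The archives are written on
# the same server, so copy them somewhere else afterwards.

# usage: wp_config_value WP_CONFIG_PATH CONSTANT
# Prints the value of  define('CONSTANT', 'value');  from wp-config.php
# (either quote style, any spacing), or nothing if the constant is absent.
# A value that itself contains a quote character is not handled.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# usage: backup_wordpress SITE_DIR BACKUP_DIR
# Writes BACKUP_DIR/db-STAMP.sql.gz and BACKUP_DIR/files-STAMP.tar.gz and
# prints both paths. With DRY_RUN=1 set in the environment it only prints
# the commands it would run (the password is never printed).
backup_wordpress() {
    site=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    cfg="$site/wp-config.php"
    [ -f "$cfg" ] || { echo "no wp-config.php in $site" >&2; return 1; }

    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    [ -n "$db_name" ] && [ -n "$db_user" ] || { echo "could not read DB settings from $cfg" >&2; return 1; }

    dump="$dest/db-$stamp.sql"
    files="$dest/files-$stamp.tar.gz"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "mysqldump --single-transaction -h $db_host -u $db_user $db_name > $dump && gzip $dump"
        echo "tar -czf $files -C $(dirname "$site") $(basename "$site")"
        return 0
    fi

    mkdir -p "$dest"
    chmod 700 "$dest"
    # The password is passed through MYSQL_PWD rather than -p so it does not
    # show up in `ps` output. The dump goes to a file first and is gzipped
    # afterwards: in a pipeline, gzip's exit status would mask a mysqldump
    # failure and leave behind an empty-looking archive.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" > "$dump" || { rm -f "$dump"; return 1; }
    gzip "$dump"
    tar -czf "$files" -C "$(dirname "$site")" "$(basename "$site")"
    chmod 600 "$dump.gz" "$files"
    echo "$dump.gz"
    echo "$files"
}

# Constructed wp-config.php fragment for trying the parser offline (not a
# real site's configuration). Prints the directory it was written to.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp_example');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'correct horse battery staple');
define("DB_HOST", "localhost");
define('WP_DEBUG', false);
EOF
    echo "$dir"
}

# Run directly with SITE_DIR and BACKUP_DIR to take a real backup; with no
# arguments, show the plan for the constructed sample instead.
if [ $# -eq 2 ]; then
    backup_wordpress "$1" "$2"
else
    d=$(make_sample_config)
    DRY_RUN=1
    backup_wordpress "$d" /tmp/wp-backups
    rm -rf "$d"
fi
```

Run it as `sh backup.sh /home/you/public_html /home/you/backups` (paths are illustrative) right before step 4, and keep the two archives until you have confirmed the updated site works. On a plan without shell access, the manual database export and FTP download described above achieve the same thing.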
So what steps do you take to keep your WordPress installation secure? If we missed anything, please let us know in the comments below.