A Few WordPress Warnings
01 May 2013
WordPress (which powers this here blog you're reading) has been in the news a good bit lately, but not for positive reasons. There was a massive, widespread attack on almost any site running WordPress, aimed at compromising sites so they could be used to attack more sites and make the botnet even larger. A week or so later, a vulnerability was announced in two of the most common caching plugins (including one I've recommended) that could potentially allow an attacker to get access to your web server.
At work, we spent a few days fighting the first attack, which was seriously massive. The attack simply hammers your WordPress login, looping through different passwords and trying to log in as the user "admin". The easiest way to ensure that you're protected from this attack (and many future attacks) is to do two very simple things:
- Don't use admin as your username
- Don't use an easy password
Simple, right? WordPress, these days, doesn't default to the admin user. But in the old days, it did. If you log in to WordPress as admin, go to Users in your WordPress Dashboard, add a new user, and give it the Administrator role. Then delete your "admin" user, which will prompt WordPress to ask "do you want to move the posts for 'admin' to another user?". Yes, you want to do that. Move the posts, and now you've got a new user who can do everything your old "admin" user could do, and you've modestly improved your security.
And don't use a stupid simple password. The safest thing would be to use a passphrase made of a series of words, like "super ugly car fart". Easy to remember, hard to crack. At a minimum, use a non-dictionary string with some numbers and punctuation.
If you want to take it a step further, you could install a plugin like Simple Login Lockdown, which will block IPs that try to brute-force your login. It's not a great solution (a distributed attack spread across many IPs would never trip a per-IP block), but it'll block the simple stuff.
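To make the per-IP lockdown idea and its limitation concrete, here is an added example (not code from the original post or from the Simple Login Lockdown plugin) that reads web server access log lines, counts POSTs to wp-login.php per source IP inside a sliding window the way a lockdown plugin would, and then counts the same attempts with the source ignored. The log lines are constructed for the example and the threshold and window sizes are assumptions; the point is that the single hammering IP trips the per-IP rule while eight sources trying once each do not, even though the aggregate rate in that minute is higher.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; not real traffic.
# 203.0.113.5 hammers the login form; 198.51.100.1-8 each try once (distributed).
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [01/May/2013:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.10 - - [01/May/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.1 - - [01/May/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
198.51.100.2 - - [01/May/2013:10:05:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
198.51.100.3 - - [01/May/2013:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
198.51.100.4 - - [01/May/2013:10:05:15 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
198.51.100.5 - - [01/May/2013:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
198.51.100.6 - - [01/May/2013:10:05:25 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
198.51.100.7 - - [01/May/2013:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
198.51.100.8 - - [01/May/2013:10:05:35 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.22"
192.0.2.10 - - [01/May/2013:10:06:00 +0000] "GET /2013/05/a-few-wordpress-warnings/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out source IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def login_attempts(log_text):
    """Return (ip, timestamp) for every POST to wp-login.php, sorted by time.

    A GET of wp-login.php is just the form being displayed, so it is skipped;
    only the POST is a password guess.
    """
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        attempts.append((m.group("ip"), ts))
    attempts.sort(key=lambda a: a[1])
    return attempts


def per_ip_offenders(attempts, threshold=5, window=timedelta(minutes=5)):
    """IPs that made at least `threshold` login POSTs inside any sliding window.

    This is the per-source rule a lockdown plugin enforces (threshold and
    window are assumed values for the example).
    """
    by_ip = {}
    for ip, ts in attempts:
        by_ip.setdefault(ip, []).append(ts)
    offenders = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def busiest_window(attempts, window=timedelta(minutes=1)):
    """(attempt count, distinct source IPs) for the busiest window, source ignored.

    A distributed attack shows up here even when no single IP trips the
    per-IP threshold, which is the gap the post warns about.
    """
    best = (0, 0)
    for i in range(len(attempts)):
        j = i
        while j < len(attempts) and attempts[j][1] - attempts[i][1] <= window:
            j += 1
        count = j - i
        ips = len({ip for ip, _ in attempts[i:j]})
        if count > best[0]:
            best = (count, ips)
    return best


if __name__ == "__main__":
    found = login_attempts(SAMPLE_LOG)
    print("login POSTs:", len(found))
    print("per-IP offenders:", sorted(per_ip_offenders(found)))
    print("busiest minute (attempts, distinct IPs):", busiest_window(found))
```

Run as-is it reports 15 login POSTs, one per-IP offender (203.0.113.5) and a busiest minute of 8 attempts from 8 distinct IPs, none of which the per-IP rule flagged. A practitioner watching a real log would pair the per-IP block with a site-wide rate alert for exactly that reason.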
The solution to the exploited caching plugins is pretty easy: keep your plugins up to date! If you have WordPress and you don't log in weekly to see if there are plugins in need of updating, you should turn off your WordPress site. If you're not updating more than a couple of times a month, you would likely be served better with a static site, or at least with a site hosted by someone else (WordPress.com, Weebly, Wix, etc.) where they can worry about your security.
Or, even simpler: just don't use plugins. Use the default WordPress setup, and turn on "auto upgrade" if your host offers that option. There are few plugins worth the hassle. (I use Jetpack, which is built by the folks who make WordPress; a Google Analytics plugin; the aforementioned W3TC and Simple Login Lockdown; and a Quick Login plugin.)
I know enough about WordPress to help out if you get in a pinch. If you're one of the 40 people who will read this far down, and you have questions, feel free to comment, tweet, or email me, and I'll try to help.