The Entrepreneur Forum | Financial Freedom | Starting a Business | Motivation | Money | Success

Secure your Wordpress site - MASSIVE BOTNET ATTACK

Tom.V

Tom
FASTLANE INSIDER
Read Fastlane!
Summit Attendee
Speedway Pass
User Power
Value/Post Ratio
237%
Feb 20, 2012
977
2,314
34
San Juan
This is a repost from another forum, from a representative of BeyondHosting.

"As of this week a huge new botnet consisting of over 100,000 compromised servers has begun attacking wordpress installs by trying to brute force the login page.

Here are a few key things to prevent you from getting compromised and taken offline.

1. Modify your login username to something secure, not admin1 or weak user. Use a random set of chars if you can or set it to a username that is not easily guessed.
2. Set a secure password on the new user. Utilize password websites such as Strong Password Generator. We recommend utilizing a password encryption service such as https://lastpass.com/
3. Make sure you've removed the admin user from your wordpress.
4. Ensure wordpress is up to date and all plugins and THEMES are as well.
5. Secure wordpress with .htaccess to block all unknown ips.

.htaccess example.
Code:

<Files wp-login.php>
# Deny everyone by default, then allow only the listed address(es)
Order Deny,Allow
Deny from all
Allow from replace-with-your-ip
</Files>

If your server becomes heavily loaded with php processes it's most likely due to this attack. We are currently receiving almost 1Gbit of traffic solely directed to wordpress sites and submitting password data."

I, like a lot of you, have several WP sites. Protect your site before it is too late! This was posted just a few minutes ago.
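The attack described above shows up in the web server access log as a burst of POSTs to wp-login.php from the same address. As an added example (not part of the original post or of BeyondHosting's advice), this script parses Apache combined-format log lines and flags any client that posts to the login page more than a threshold number of times inside a sliding window; the log lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, method, path, status), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))

def find_login_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs that POST to wp-login.php at least `threshold` times within any `window_s` span.
    Returns {ip: number_of_posts_in_the_busiest_window}."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            posts[ip].append(ts)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, worst = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it is within window_s of this entry.
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged

# Constructed sample log: one host hammering wp-login.php, one legitimate admin login.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2013:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3410' % s
    for s in range(0, 12, 2)
] + [
    '198.51.100.4 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [12/Apr/2013:10:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 8120',
]

if __name__ == "__main__":
    for ip, n in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

Flagged addresses are candidates for the .htaccess deny list or a lockout plugin; a 200 response on a wp-login.php POST usually means the login form was re-rendered (a failed attempt), while a 302 is the redirect after success.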

Runum
One of my sites was unsuccessfully attacked last week. Thanks for posting this.
 

nerdyworm
A note on strong passwords.

The only thing that matters is the number of characters in the password which increases Entropy (information theory) - Wikipedia, the free encyclopedia. Basically how many random guesses it would take to come up with your password.

Including *&%^#@!!()* does not help against this kind of attack.

Creating a password like "My black lab's name is cookie monster" is orders of magnitude harder to break than "H*x(a^", plus you can actually remember it.

Relevant XKCD: xkcd: Password Strength

/end geek soapbox


Lastpass does work wonderfully and I recommend it as well. However I still prefer long human speakable passwords over key ring services.

There are also services like WordPress Hosting and Managed WordPress Hosting from WP Engine that charge a premium so that you don't have to worry too much about this sort of attack.
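The entropy argument in the post above, worked through as an added example (not from the original poster): a password drawn uniformly from a pool of N symbols carries length * log2(N) bits, so the two example passwords can be compared directly. The 95-symbol pool (printable ASCII), the 2048-word dictionary (the XKCD comic's 11 bits per word) and the 10,000 guesses/second online rate are assumptions chosen for this illustration.

```python
import math

# Assumed model sizes (constructed for this example). The attacker is assumed to know
# the generation scheme, so the work factor is the size of the space actually searched.
PRINTABLE_ASCII = 95     # symbols a random-character password is drawn from
ASSUMED_WORDLIST = 2048  # candidate words per slot, as in the XKCD comic (11 bits/word)

def random_chars_bits(length, pool=PRINTABLE_ASCII):
    """Entropy in bits of `length` characters chosen uniformly from `pool` symbols."""
    return length * math.log2(pool)

def passphrase_bits(words, wordlist=ASSUMED_WORDLIST):
    """Entropy in bits of `words` words each chosen uniformly from `wordlist` entries."""
    return words * math.log2(wordlist)

def expected_guesses(bits):
    """Average guesses needed: on average half of the 2**bits space is searched."""
    return 2 ** (bits - 1)

def years_to_crack(bits, guesses_per_second):
    """Expected wall-clock time, in years, at a sustained guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)

def compare(symbol_password, phrase, rate=1e4):
    """Compare a short symbol-heavy password with a word passphrase.
    `rate` is a constructed guess rate (guesses/s) representing an online attack."""
    s_bits = random_chars_bits(len(symbol_password))
    p_bits = passphrase_bits(len(phrase.split()))
    return {
        "symbols_bits": round(s_bits, 1),
        "phrase_bits": round(p_bits, 1),
        "bits_gained": round(p_bits - s_bits, 1),
        "symbols_years": years_to_crack(s_bits, rate),
        "phrase_years": years_to_crack(p_bits, rate),
    }

if __name__ == "__main__":
    for k, v in compare("H*x(a^", "My black lab's name is cookie monster").items():
        print(f"{k}: {v:.3g}" if isinstance(v, float) else f"{k}: {v}")
```

Every extra bit doubles the expected work, so the roughly 38-bit gap between the two example passwords is a factor of about 10^11 in guesses, which is what "orders of magnitude" means here.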
 

rorschach
The only thing that matters is the number of characters in the password which increases Entropy (information theory) - Wikipedia, the free encyclopedia. Basically how many random guesses it would take to come up with your password.

Including *&%^#@!!()* does not help against this kind of attack.

Creating a password like "My black lab's name is cookie monster" is orders of magnitude harder to break than "H*x(a^", plus you can actually remember it.

password_strength.png

LightHouse
Best and easiest is to install Better WP security. It will remove admin user, force passwords etc etc. It also does permanent lockouts from logins and 404s as well as a ton of other stuff. Something I would pay for is out there for free. I use it on almost all my WP sites.
 

tchandy
I was getting a lot of unusual subscribers and I wasn't sure, so I added a captcha feature which also appears when logging in to WordPress. I also have limited user login attempts on my site, and the next day I received a message that someone unsuccessfully tried to get in. Last night I had another attempt. This feature blocks people for 24 hours.
 

LightHouse
I was getting a lot of unusual subscribers and I wasn't sure, so I added a captcha feature which also appears when logging in to WordPress. I also have limited user login attempts on my site, and the next day I received a message that someone unsuccessfully tried to get in. Last night I had another attempt. This feature blocks people for 24 hours.

If you have this enabled you will notice a lot of these. I in fact turn the notifications off. BetterWPSecurity shows the UN they use... it is almost always "admin", thus why when you install it, it removes the admin and user #1 account. I have also seen them try to use the author name on rare occasions; neither should be your login username.