WordPress Security

We received the following from one of our providers.

As I write this post, there is an ongoing and highly distributed, global attack on WordPress installations to crack open admin accounts and inject various malicious scripts.

To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers.

We did a detailed analysis of the attack pattern and found out that most of the attack was originating from CMSs (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories.

Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data.

To ensure that your websites are secure and safeguarded from this attack, we recommend the following steps:

  1. Update and upgrade your WordPress installation and all installed plugins
  2. Ensure that your admin password is secure and preferably randomly generated

These additional steps can be taken to further secure WordPress websites:

  • Disable DROP command for the DB_USER. This is never commonly needed for any purpose in a WordPress setup
  • Remove README and license files (important) since this exposes version information
  • Move wp-config.php to one directory level up, and change its permission to 400
  • Prevent world reading of the htaccess file
  • Restrict access to wp-admin only to specific IPs
  • These plugins will help – wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner, and wordfence.

You should also check the WP Security Package, which is very comprehensive.

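As an added example (not part of the provider's message or of the WordPress project), the following POSIX shell audit checks a WordPress document root against the file-system items in the list above: README/license files removed, wp-config.php moved one level up with mode 400, .htaccess not world-readable, and wp-admin carrying an IP allow-list. The function name wp_harden_audit and the use of the Apache `Require ip` / `Allow from` directives as the allow-list marker are assumptions; the database-side step (revoking DROP from DB_USER) is a MySQL privilege change and is not checked here.

```shell
#!/bin/sh
# Constructed audit helper for the hardening list above (hypothetical name,
# not the provider's or WordPress's own tooling). Prints one OK/FAIL line per
# check and returns the number of failed checks (0 = all file-system items hardened).
# Usage: wp_harden_audit /var/www/example/htdocs
wp_harden_audit() {
    docroot=$1
    fails=0
    # Version-disclosing files should be removed from the web root.
    for f in readme.html license.txt; do
        if [ -e "$docroot/$f" ]; then
            echo "FAIL: $f present (exposes version information)"; fails=$((fails + 1))
        else
            echo "OK:   $f removed"
        fi
    done
    # wp-config.php belongs one level above the web root, mode 400 (owner read only).
    cfg=$docroot/../wp-config.php
    if [ -e "$docroot/wp-config.php" ]; then
        echo "FAIL: wp-config.php still inside the web root"; fails=$((fails + 1))
    elif [ ! -f "$cfg" ]; then
        echo "FAIL: wp-config.php not found one level above the web root"; fails=$((fails + 1))
    elif [ -z "$(find "$cfg" -perm 400)" ]; then
        echo "FAIL: wp-config.php mode is not 400"; fails=$((fails + 1))
    else
        echo "OK:   wp-config.php moved up and mode 400"
    fi
    # .htaccess must not be world-readable (POSIX find: -perm -004 = "other" read bit set).
    ht=$docroot/.htaccess
    if [ -f "$ht" ] && [ -n "$(find "$ht" -perm -004)" ]; then
        echo "FAIL: .htaccess is world-readable"; fails=$((fails + 1))
    else
        echo "OK:   .htaccess not world-readable"
    fi
    # wp-admin should carry an IP allow-list: Apache 2.4 "Require ip <addr>" or 2.2 "Allow from <addr>".
    # Heuristic: the directive must be followed by something that looks like an address, not "all".
    adm=$docroot/wp-admin/.htaccess
    if [ -f "$adm" ] && grep -Eq '^[[:space:]]*(Require ip|Allow from)[[:space:]]+[0-9]' "$adm"; then
        echo "OK:   wp-admin restricted to specific IPs"
    else
        echo "FAIL: no IP allow-list found in wp-admin/.htaccess"; fails=$((fails + 1))
    fi
    return "$fails"
}
```

Run it once before and once after applying the steps; the exit status tells you how many items are still open.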

More About Hardening WordPress

Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure.

This article is not the ultimate quick fix to your security concerns. If you have specific security concerns or doubts, you should discuss them with people whom you trust to have sufficient knowledge of computer security and WordPress.

What is Security?
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.

Qualities of a trusted web host might include:

  • Readily discusses your security concerns and which security features and processes they offer with their hosting.
  • Makes the most recent stable versions of server software available.
  • Provides reliable methods for backup and recovery.

Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.

Security Themes
Keep in mind some general ideas while considering security for each aspect of your system:

Limiting access
Making smart choices that reduce possible entry points available to a malicious person.

Preparation and knowledge
Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.

Vulnerabilities on Your Computer
Make sure your home or office computers are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.

Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.

Vulnerabilities in WordPress
Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.