Thursday, 18 April 2013
Over the past few days there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence.
This attack is well organized and, again, highly distributed: we have seen over 90,000 IP addresses involved in it.
At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including special characters (^%$#&@*).
The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.
We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done.
Because of the high number of WordPress installations hosted on each server, and the incredibly high load this attack has been seen to cause, the servers will most likely experience service interruptions.
There are two nice features to disrupt brute force attacks:
1) Set up a failed login limit: for example, if an IP gets the login wrong, the plugin adds the IP to your blocked list for a set period of time. In certain cases I have set it to block after 2 wrong attempts and to block for an hour.
2) Change your login path: this feature changes the login path to a custom one so that an attacker can't guess it, e.g. mydomain.com/mysecretlogin1234. It updates all the files automatically so you don't have to edit the .htaccess file yourself.
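As an added illustration of the first feature (example code written for this post, not the plugin's own), here is a per-IP failed-login limiter using the settings mentioned above: block after 2 wrong attempts, block for one hour. The IP addresses in the comments are constructed test values; the replay at the end also shows the caveat that matters for an attack this distributed: a limit keyed on the source IP never triggers when each of many IPs makes only one or two guesses.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Per-IP lockout: after max_failures wrong passwords, block the IP for lockout_seconds."""

    def __init__(self, max_failures=2, lockout_seconds=3600, now=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.now = now                      # injectable clock so expiry can be tested
        self.failures = defaultdict(int)    # ip -> consecutive failed attempts
        self.blocked_until = {}             # ip -> unix time at which the block expires

    def is_blocked(self, ip):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:
            # Lockout has expired: clear the block and the failure counter.
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Count a wrong password; return True if the IP is (now) blocked."""
        if self.is_blocked(ip):
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.blocked_until[ip] = self.now() + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        """A correct login resets the failure counter for that IP."""
        self.failures.pop(ip, None)


def blocked_ips_after(attempts, limiter):
    """Replay (ip, login_ok) attempts in order; return the set of IPs left blocked."""
    for ip, ok in attempts:
        if limiter.is_blocked(ip):
            continue                        # attempt rejected without checking the password
        if ok:
            limiter.record_success(ip)
        else:
            limiter.record_failure(ip)
    return {ip for ip in list(limiter.blocked_until) if limiter.is_blocked(ip)}
```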
You can also find some additional resources here:
- Install Limit Logins Plugin and Prevent Brute Force Attacks
- How To Change Your WordPress Admin Username
- Purchase WordPress Security Hardening
Thank you for your time and understanding regarding this matter.