By now, every person running a WordPress site should be aware of the attack on the popular blogging platform.
If you aren’t, this particular attack does not exploit a vulnerability in WordPress’ code or in a weak plugin, as we have seen in the past. This time the weak point is the user. The criminals behind it scan the Internet for WordPress sites and try a list of common username and password combinations against each one. Sites that still use the default username “admin” are particularly at risk, because half of the credential is already known and the attacker only has to guess the password.
Once a site has been compromised, the attacker installs a backdoor, so even if the owner gets wise and changes the username and password, the bad guys keep their way in. The site then joins the botnet that attacked it in the first place and launches the same password-guessing attack against other sites.
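What the guessing looks like in your own web server logs, as an added example that is not part of the original post: this Python script parses Apache combined-format access log lines, counts failed POSTs to wp-login.php per source address inside a sliding five-minute window, and emits deny lines in the same Apache 2.2 .htaccess syntax the post uses for wp-admin. The sample log lines, the addresses (RFC 5737 documentation ranges), the threshold and the window are all constructed assumptions. The one piece of WordPress behaviour it relies on is that a wrong password re-renders the login form with an HTTP 200, while a correct one is answered with a 302 redirect into wp-admin.

```python
"""Spot password guessing against wp-login.php in an Apache access log.

Added example, not from the original post. The sample log lines, the IP
addresses (RFC 5737 documentation ranges), the threshold and the window
are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format:
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop ?redirect_to=... etc.
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """WordPress answers a bad password by re-rendering wp-login.php (HTTP 200);
    a correct one is answered with a 302 redirect into wp-admin. So a POST to
    wp-login.php that came back 200 is a failed attempt."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_guessers(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failed_attempts} for every source address that made
    at least `threshold` failed logins inside any span of length `window`.
    The window matters: a person who fumbles a password a few times over an
    afternoon should not be flagged; a script trying a list in seconds should."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_failed_login(rec):
            failures[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def htaccess_deny_lines(ips):
    """Apache 2.2 (mod_access_compat) lines that block the flagged addresses
    while still admitting everyone else: the inverse of the allow-list the
    post uses for wp-admin."""
    return ["order allow,deny", "allow from all"] + [
        f"deny from {ip}" for ip in sorted(ips)]


# Constructed sample: 198.51.100.7 works through a password list in about a
# minute; 203.0.113.5 is a real user who mistypes once and then succeeds (302);
# 192.0.2.66 fails five times but ten minutes apart, so it never fills the window.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:00:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:00:45 +0000] "GET /wp-admin/ HTTP/1.1" 200 51203 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Apr/2013:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Apr/2013:11:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Apr/2013:11:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Apr/2013:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Apr/2013:11:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = find_guessers(SAMPLE_LOG.splitlines())
    for ip, n in hits.items():
        print(f"{ip}: {n} failed logins")
    print("\n".join(htaccess_deny_lines(hits)))
```

Run against a real log with `find_guessers(open("/var/log/apache2/access.log"))`; the path and the 5-in-5-minutes threshold are assumptions to tune for your site. Note that the script only sees the web form: a botnet that guesses through xmlrpc.php instead would need the same treatment on that path.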
Cleaning up the mess
If you know that your site has not been compromised, now is a perfect time to get rid of the “admin” username if you are still using it. Don’t replace it with another easily guessed name such as “administrator” or the name of the site; pick something unique, so that a brute force attack has to guess both halves of the credential. WordPress does not let you edit a username from the dashboard, so create a new user with the Administrator role, log in as that user, delete “admin” and, when prompted, attribute its posts to the new account. As a matter of fact, go ahead and do that now, we can wait to pick up the rest…
Once you have changed your username, change your password as well. You have probably heard of complex passwords and may already use them. A long mix of uppercase letters, lowercase letters, numbers and symbols makes a password impractical to guess by brute force. The problem is that such passwords are hard to remember. If you find yourself writing your passwords down, or resetting them on a regular basis, try a passphrase instead: a short sentence you will remember, with a few digits or symbols substituted into it, gives you comparable length and variety of characters but is far easier to keep in your head. In addition to being strong, your passwords should be diverse. Never use the same password for your WordPress account as you do for your bank account or eBay.
If an attacker gets that one password, he or she may well try it on all of your accounts.
If you have been compromised
If it is too late and you suspect that your WordPress site has been compromised, you have four things to do, in this order: block the botnet’s ability to control your site, clean the site of any malware, clean your own computer of any malware, and only then change your credentials (it may be wise to change all of your passwords, especially if you do find malware on your computer).
To restrict access to wp-admin to your own computer, create an .htaccess file in your wp-admin folder containing these three lines:
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
Substitute your public IP address for the xxx. To allow more addresses, add another allow from line for each one. A few caveats: the Order directive wants its two keywords separated by a comma with no space; this Order/Deny/Allow syntax is Apache 2.2, and on Apache 2.4 it only works if mod_access_compat is loaded (the native 2.4 equivalent is Require ip followed by your address); and if your ISP hands you a dynamic address, expect to update the file when it changes or you will lock yourself out. Bear in mind too that wp-login.php lives outside wp-admin, so this rule stops a guessed password from being used in the dashboard but does not stop the guessing itself, and that wp-admin/admin-ajax.php is used by some themes and plugins on behalf of ordinary visitors, which this rule will break unless you add an exception for that file.
With this done you have blocked access to wp-admin, but if anything else on your server is providing backdoor access, you will have to scan for it. A plugin such as Sucuri, which requires a yearly subscription, or WP Security Scan, which is free, can check your blog for malicious files and actively protect your site against them. Once you have installed and run one of these plugins and removed any malware it finds, take a fresh backup of your site, since your earlier backups may contain the same infected files. More on WordPress security plugins.
Once you are sure that both your web site and your computer are free of malware, go ahead and change your passwords. The reason for waiting until after the malware scan is that if a keystroke logger is present on your computer, it will send your new credentials straight back to whoever planted it, and the new password is compromised the moment you type it.
Featured Image from IWDRM