WordPress security has been uppermost in most users’ minds these days and with good reason. As you all should be aware, there was a concentrated attack on WordPress sites a couple of weeks ago by a botnet (network of robot computers). See this article and this article for details if you’re new to this blog.
Brute Force Attacks
The attack was what’s known as a brute force cracking attempt which means the attackers tried a series of username and password combinations to try to gain access to any WordPress sites they found. The term “brute force” simply means there’s no sophistication involved. They just try as many different combinations of username and password as they’re allowed to until they either give up or get in.
This is a big reason why I install the Wordfence plugin on all my and my clients’ sites. Wordfence provides a means of limiting the number of login attempts before locking the attacker out completely for a specified period of time.
Fortunately, the attacks were fairly limited in that the list of usernames included only those commonly used such as “admin”, “admin123” and similar. There was also a list of passwords used with those user names. That list included commonly used passwords such as “Password”, “123456”, etc. In short, as long as your site didn’t use “admin” or one of the other common usernames in combination with any of the passwords on the list, you had little to worry about aside from possible degradation of your web host’s servers due to the volume of hits on it.
So, The Attack Is Over, Right?
Actually, the attack represents an escalation of attacks that have been going on constantly for years. If any of you are monitoring your Wordfence alerts, you’ll have seen a number of alerts on a regular basis for locked out login attempts. Most of these attempts come from the same group of URLs to the point where I’ve been referring to them as “the regulars”. When the escalation began, I started seeing lots of new URLs so it was apparent that something was up.
It would appear that the attacks have abated to some degree, although I’m still seeing a larger than usual number of attempts on some sites. The reason for the drop-off is probably more due to web hosts improving their screening techniques than fewer numbers of attempts. In short, no, it’s not over and it never will be. There will always be bad guys out there trying to break in to WordPress sites just as there are bad guys who try to break in to any place that is restricted in any way.
A New Wave of Activity
In 1992, Hurricane Andrew tore through Miami, Florida. The hurricane’s path was not extremely wide, but many of those in its path suffered severe damage. My parents’ house happened to be in the path of Andrew, but fortunately, the house sustained only minor damage. Their landscaping took the brunt of the storm. My brother and I spent a week chainsawing trees and hauling the remains out to the huge pile that developed at the curb.
So, what does this have to do with WordPress security? Immediately after the storm was over, Miami was descended upon by human locusts looking to capitalize on the misery of the storm victims and those who had escaped serious damage but were understandably concerned about the next one. Similarly, the Internet marketing crowd has unleashed a barrage of plugins, ebooks, webinars and other tools aimed at gullible WordPress site owners and promising to secure WordPress tighter than Fort Knox.
Yeah, right. Where were these resources before the “storm”? Most of them were probably written in a couple of days and deliver well short of their promises. It’s no great trick to crank out a WordPress plugin and a sales page, or to conduct an interview with a so-called expert. There are certain best practices that are well known and most of these tools probably cover pretty much the same things that people should have been doing for years and are relatively easy to do manually for free rather than buying a plugin, ebook or whatever.
As usual following an event like this, buyer beware. For best practices, you can go to WordPress.org and look up “security hardening” to get a list of the things you should be doing on your site to keep it safe. Also, there is no plugin that will magically secure your site from all possible threats. We use Wordfence because it’s the best single plugin we’ve found, but there are things it doesn’t do.
What Are We Doing About It?
Funny you should ask. 🙂 I have recently purchased a developer license for a plugin that performs a series of checks to determine how secure a site is. While Wordfence scans for malware on a daily basis and limits login attempts, among other things, this new plugin is more passive and fills in a few gaps. It serves as a security checklist verifying that best practices have been followed, but also provides a few tweaks to keep themes and plugins from divulging more information than necessary to the outside world.
One interesting feature is the optional addition of an additional field to the login screen. This field, unlike the ubiquitous and obnoxious Captcha, simply requires the person logging in to solve a simple math problem such as “How much is 2+2?”. This is sufficient to deter automated login attempts which are the primary concern from a security standpoint. Not too many humans have the patience nor the stamina to try thousands of combinations of usernames and passwords!
I will be installing this plugin on all Website Management Program client sites over the next week or two. If you would like this additional security check enabled on your account, please let me know and I will gladly do so.
Those of you not on the Website Management Program may also have this plugin installed and your site security checked. The security hardening process takes about a half hour at my standard rate.
Caching Plugins Patched
Another recent cause for concern was the revelation that W3 Total Cache and WP Super Cache, the two most popular caching plugins for WordPress, were discovered to have the same serious security flaw. The primary concern was that this flaw had apparently existed for quite some time and was only recently found and posted by someone to the WordPress support forum. With over 6 million downloads between the two of them, there is a good possibility that many sites using these plugins have been compromised.
The plugins have been patched and updates released to close the security loophole. My clients’ sites have all been updated. If you are running either of these plugins, be sure they are updated immediately if you haven’t done so already.
I’ve actually been deactivating and in many cases removing these plugins from client sites as there are potential issues with automatic backups as well as at least one shopping cart plugin that I use a lot. Caching is helpful on sites with a lot of traffic, but I have not seen much benefit, if any, on sites I maintain. I’ve concluded that the problems they cause outweigh any benefits they’re providing.
As an aside, when deactivating plugins, if you don’t intend to use them delete them from your site. Deactivated plugins can be just as dangerous as activated ones if they have known security flaws.
Heads Up for WordPress 3.6
WordPress’ next version, 3.6, is currently in beta release. It had been scheduled to be released today, but has apparently been pushed back a bit. As usual, we will not be upgrading immediately when it is released. As those who have been with me a while know, I always wait for the first patch release which typically happens 2-3 weeks after the initial release. Inevitably, there are bug fixes and more importantly security fixes to the new release which are addressed in the patch. Therefore, don’t expect to see your site upgraded until 3.6.1 is available.
That said, if anyone wants 3.6 when it’s available just let me know and I’ll be happy to install it for you. I understand that sometimes there are features that are needed right now. I don’t know that there are any such features in 3.6, however. I will be covering the new features in more depth a bit later on.