April 2013 “Brute Force” Attack on WordPress Blogs
Last week, along with 90,000 other sites, my site received a file that was flagged as Malware. What the hackers are trying to do is get into sites that kept the login name “admin”.
I had been warned numerous times to change my login from “admin” to some other name, but I figured if I had some crazy, funky, long password hackers would never get into my site. Well, I was wrong, sort of.
They were not able to get in but they did place a file within my site that somehow tries many different passwords until it does breach.
What Did I Do?
First, I became very scared. I felt lost. I felt I was going to loose my blog and my business, I did not want to start over.
I don’t know anything about certain files that are kept with my site. All Google was telling me was that I had been infected with Malware. While researching, I couldn’t even figure out what that was. The term Malware is actually vague and can mean numerous things.
Second, I started to do a ton of research. I needed sites that told me in plain English what was going on but even more importantly, how to fix it. Google Webmaster Tools started me off on the right foot but I needed more.
I called upon my 14 year old son who has more of a clue that I do about coding and file types. He was very helpful in finding the file that was inserted and deleted it.
He also advised me to have a crazy, I mean CRAZY password for my site. Something like:
&GjN+dOG&45toBE!!:F
That crazy. (No, that is not my password, I simply used the whole keyboard to make one up.)
Now, if you don’t live with or have access to the geek world I do, here are some great links and strategies that can help you not only protect your site, but your logins for your bank, email, important sites, house, car, business, and property.
Protect Your Site, Blog and any Online Activity
1. Don’t use “admin” or any default login.
If you are like me and never changed it, you can go to: http://www.digitalkonline.com/blog/change-your-wordpress-admin-username/ and they will walk you through the steps. You will notice now that all my old comments are generic, that will happen because my old login does not exist anymore.
Also, do not use the same words for your login as your author name. It is too easy for hackers to figure out the connection between the two.
2. Backup your site completely and often.
I back mine up about every month, but I am thinking maybe it needs to be done on a weekly basis.
Blogelina has a great tutorial on how to backup your whole site from your cPanel when you log in to your host site.
How to Backup Using your cPanel
3. Create a crazy password.
Make it not only hard for a human to figure out but more importantly a computer. Go beyond what the pros suggest. Think about it, the pros suggest 8 characters, don’t you think the hackers are going to start with that pattern knowing millions of people have been told to do that?
Here is one link that helps you pick a great password. There are many, simply search “create strong password” and you will find many helpful sites.
4. Have a Google Webmaster Tools account.
This is how I actually found out that I had Malware. Google notified me that something was up.
https://www.google.com/webmasters/tools/
5. Be VERY picky about who comments and registers as a user of your site.
Spam commenters have created some havoc on my site in the past. The link juice that I was giving them caused my site to lose rank with Google. Basically, Google thought I was supporting crap sites and punished me. After that I became more strict with spam comments. But, we can’t stop them all.
If a comment, person, link, or site just looks a little weird don’t allow it to come through as a comment.
I use GASP AND Akismet on my site. I want to be sure I am covered.
6. Always check the reputation of a plugin.
How to Check the Reputation of a Plugin
You never know when a plugin will be carrying a bug, virus or cootie.
I did not cover everything.
I highly suggest you head to the following sites to find out more on protecting your site and property against theft and corruption.
How to Protect Yourself from Losing Your Data Social Media Examiner
Great podcast I just listened to recently. Michael Stelzner, the owner of SME, had his business location broken into. He lost his computer to theft but not his data or his mind because he took precautions to protect his stuff.
Keep Your Blog Secure Blogelina
Very helpful and informative series on how to keep your blog safe. She has very simple and comprehensive information I believe you should follow.
Please Tell Me That is IT
I know, there are too many steps and things to do but I am pretty sure if you follow the advice and tactics I show you here it will be very hard for anyone to take advantage of your stuff.
And if something bad does happen you will be prepared to handle it.
Even more reading material…
(Just in case you are like me and need to make sure you covered all the nooks and crannies.)
http://mashable.com/2013/04/18/protect-wordpress-from-attack/