Global WordPress Attack! What you can do to prevent your website getting hacked.

Brute force attacks on WordPress websites continue!

Details here http://thenextweb.com/insider/2013/04/13/brute-force-attacks-on-wordpress-continue-as-cloudflare-fends-off-60m-requests-in-1-hour/

Harden up your website NOW so you don’t get infected.

Here’s some advice…

There is a lot you can do to harden your WordPress website’s security and reduce server load in general, such as having a good .htaccess file and robots.txt.

Specific to this attack, I recommend you create a new administrator account with a hard-to-guess username and a very strong password, then delete the default admin user account.

If your sites have been disabled by your hosting provider, the first thing to do is sign up for a free account with CloudFlare https://www.cloudflare.com and follow the wizard. You can add multiple sites for free. You will have to change your DNS nameservers to the CloudFlare nameservers. This will make your websites more resistant to such attacks and make them much faster!

Once you have done this, submit or update your ticket in your host’s control panel telling them what you have done and ask them nicely to re-enable your websites. They will re-enable your sites for 48 hours and then review your CPU usage – hopefully your problems will be solved. To ensure they are, read on…

Then log in to the WordPress backend, harden your user accounts (strong passwords) and add a security plugin such as “Limit Login Attempts”. Also make sure that everything is updated.

You should also look at “hardening up” your .htaccess and robots.txt – ask me if you need any help with that :)

Hey, no guarantees here, but this is what works for me. I think it’s a good start.

An example of a reasonable robots.txt for your WordPress should look something like the following (please correct the paths to suit your installation)…

User-agent: *
Crawl-delay: 10
Allow: /wordpress/wp-content/uploads/
Disallow: /tmp/
Disallow: /webalizer/
Disallow: /awstats/
Disallow: /cp/
Disallow: /images/
Disallow: /cgi-bin/
Disallow: /wordpress/wp-login.php
Disallow: /wordpress/wp-login.php?*
Disallow: /wordpress/wp-register.php
Disallow: /wordpress/wp-register.php?*
Disallow: /wordpress/xmlrpc.php
Disallow: /template.html
Disallow: /wordpress/wp-admin/
Disallow: /wordpress/wp-includes/
Disallow: /wordpress/wp-content/plugins
Disallow: /wordpress/wp-content/themes
Disallow: /page/
Sitemap: http://way_to_file.sitemap.xml
Sitemap: http://way_to_file.sitemap.xml.gz

…Now, having a robots.txt is a good idea and all good bots will read it and follow the rules, however not all bots are good. There is nothing to prevent bad bots from ignoring your robots.txt file and doing whatever they like.

Every man and his dog are gonna have an opinion on why I’m right or wrong and have their own solutions. Well, do your own research, don’t believe what I say. Feel free to provide constructive advice in the comments.

‘Harden up’ your CMS now or clean up later ;-)

Cheers,
John
