Attacks on websites, their content management systems and their SQL databases are becoming more pervasive. To me it just seems impossible to fully secure a website anymore, especially when hackers like those from Anonymous can easily break into a number of local and federal government-run web properties and deface them at will.
This past week the web hosting company that I host this blog on was under a major botnet attack that affected numerous CMSs, including Joomla and WordPress.
From 1 & 1 Internet Inc. –
Brute Force attacks on WordPress and Joomla installations:
For several days, we’ve encountered an attack on the installations of different Content Management Systems (CMS) which has affected several hosting providers, including 1&1. Currently, WordPress and Joomla installations are affected.
Through a so-called “brute force attack”, attackers are trying to gain access and install malware on the servers.
We have immediately taken countermeasures; therefore, some customers may encounter a reduced availability of the following services:
– Access to customer websites
– FTP access to webspace
– Administration of content management systems such as WordPress and Joomla
For almost two days last week my website was inaccessible. This was part of the countermeasures that 1&1 Internet took to stop the botnet from hammering away on the admin side of my WordPress blog.
When I took to Twitter I could see that the situation had escalated and the frustration was a bit more widespread.
Later that day the company started tweeting about the attack from their Twitter support account.
— 1&1 Hosting Support (@1and1help) April 12, 2013
Eventually full access to my website was returned to me by 1&1. A day later I saw that WordPress co-founder Matt Mullenweg posted about the brute force attacks. It turns out that this attack was not only hitting 1&1, but several major web hosting companies.
I would highly recommend taking his advice going forward:
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
Hopefully we’ll be able to withstand this botnet storm. The ultimate protection I guess would be to implement username and password authentication through an Apache .htaccess file in your wp-admin directory.
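One way to set up that .htaccess protection, as an added example that is not from the original post, from 1&1 or from WordPress. It assumes Apache 2.4 with mod_auth_basic, and a password file created beforehand with `htpasswd -c /home/example/.htpasswd wpadmin` (the path and the `wpadmin` username are placeholders). Two files are needed rather than one: wp-login.php, the file a login brute-force actually hits, lives in the site root and not inside wp-admin, and admin-ajax.php must stay reachable because themes and plugins call it for anonymous visitors.

```apache
# ---- File 1: wp-admin/.htaccess (placeholder location) ----
# Second login layer in front of the whole WordPress admin area.
AuthType Basic
AuthName "Restricted admin area"
# Keep the password file outside the web root so it is never served.
AuthUserFile /home/example/.htpasswd
Require valid-user

# Front-end features call admin-ajax.php without being logged in.
# With the default AuthMerging Off this section replaces the
# Require valid-user above for this one file only.
<Files admin-ajax.php>
    Require all granted
</Files>

# ---- File 2: .htaccess in the WordPress root (placeholder location) ----
# wp-login.php is outside wp-admin, so it needs its own rule;
# otherwise the login form stays open to password guessing.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted admin area"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

Check it by requesting /wp-login.php and /wp-admin/ in a private browser window: both should answer 401 and prompt for the HTTP credentials before the WordPress login form appears, while the site’s public pages still load normally.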