
WordPress Owners Survey

Dan Moen carried out a survey in 2016 of people whose WordPress websites had been attacked, seeking to understand why and how the attacks were made. 1,032 people responded to the survey.

The most telling statistic is that 61% of respondents didn’t know how the attacker compromised their website.

This matters: if you don't know how the attacker got in, you cannot be sure you have closed the hole, and a repeat attack is likely.

For the site owners who did figure out how the attackers got in, there are two main findings:

  1. Plugins Are A Big Risk

Plugins play a big part in making WordPress popular and useful, and there are tens of thousands of them available. But you need to be careful with them: plugin vulnerabilities accounted for 56% of the known entry points reported by respondents. A plugin runs as part of WordPress itself, with the same database access and file permissions, so a flaw in a minor plugin is a flaw in the whole site.

  2. Brute Force Attacks Are A Big Problem

A brute force attack is a password-guessing attack. The attacker needs to identify a valid username on your website and then guess the password for that username. This type of attack is a huge problem, accounting for 16% of known entry points.

How to Protect Your WordPress Site

  1. Don’t Use Obvious Usernames

Every WordPress site has an administrator account. Don't leave it named "admin" or "administrator": those names are too easy to guess and are the first ones tried in brute force attacks.

Choose a login name that cannot be guessed and that is not used anywhere else on the site. Give the account a display name that differs from the login, because WordPress otherwise shows the login name on posts and in the author archive URL.

  2. Add Security Plugins

e.g. WordFence, Jetpack etc., which typically provide features such as:

  • Enforce strong passwords
  • Lock users out after a defined number of login failures
  • Lock out users after a number of forgot password attempts
  • Lock out invalid usernames

  3. Keep Plugins Updated

Reputable plugin creators fix vulnerabilities quickly once they are discovered. Keeping plugins up to date ensures you get the fix before attackers exploit the flaw; once a fix is published, attackers can compare the old and new versions to find the bug, so the window is short. Check for updates at least weekly if your WordPress website does not do this automatically.

  4. Only Download Plugins From Reputable Sites

If you are going to download plugins from somewhere other than the official WordPress repository, make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into installing malware yourself: they set up a website that looks legitimate and get you to download a plugin that has been tampered with. Paid plugins offered free from unofficial sites are a common carrier for this kind of backdoor.

Keep your WordPress website safe.

If your website has been attacked – let me know the details and the outcome by email.


Defending FightBack Ninja Blog Against Online Attacks


The Fightback Ninja blog uses standard WordPress technology for the creation and management of the blog online.

WordPress is very good, free to use, and has many thousands of templates and addons available, so you can use it to create a wide variety of blogs, websites and more.

However, being so well known also makes every WordPress installation a target for scammers and spammers.

Attack type 1 – the attackers try to access specific files that normally exist in WordPress installations, with the intention of amending those files to give themselves complete access.

Counter action: I had installed the iThemes addon for WordPress, which gives a good level of protection against the common sorts of attack. It blocked the access and will lock out any IP address or login that repeatedly tries to access specific files.

Attack type 2 – password guessing

All WordPress installations have an admin login with the ability to create new logins and do anything on the installation.

Counter action: After nearly 10,000 attempts to crack the password, they gave up. Good job I had picked one that cannot be guessed.
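Attack types 1 and 2 above (probing for specific files, and password guessing) and the "lock out after a defined number of login failures" feature listed under security plugins in the previous post all leave a clear trace in the web server's access log. The script below is an added example written for this page, not code from this blog or from any of the plugins named. It assumes a standard Apache/Nginx combined-format log and stock WordPress login behaviour (a failed POST to wp-login.php re-renders the form with HTTP 200, a successful one redirects into wp-admin with HTTP 302); the IP addresses, requests and probe-path list in it are constructed sample data. Run over a real log it answers the question 61% of survey respondents could not: whether the attacker got in by guessing the password.

```python
"""Spot password guessing and sensitive-file probing in a WordPress access log.

Added example, not code from the Fightback Ninja blog or from any plugin.
Assumes combined-format log lines and stock WordPress behaviour: a failed
POST to wp-login.php returns the form (HTTP 200), a successful one redirects (302).
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Files no ordinary visitor requests; a hit is a probe (attack type 1). Illustrative list.
PROBE_PATHS = frozenset({
    "/wp-config.php", "/wp-config.php.bak", "/wp-config.php~", "/wp-config.old",
    "/.env", "/wp-admin/install.php", "/wp-admin/setup-config.php",
})

FAILURE_THRESHOLD = 5   # the plugins' "lock out after N login failures" setting


def parse_line(line):
    """Parse one combined-format line; return a dict, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def classify(rec):
    """Map one request to 'login_fail', 'login_ok', 'probe' or None."""
    path, method, status = rec["path"], rec["method"], rec["status"]
    if path == "/wp-login.php" and method == "POST":
        return "login_ok" if status in (301, 302) else "login_fail"
    if path == "/xmlrpc.php" and method == "POST":
        # xmlrpc.php also takes credentials and is used for bulk guessing;
        # counted as a failed login (assumption: the site does not use XML-RPC).
        return "login_fail"
    if path in PROBE_PATHS:
        return "probe"
    return None


def analyse(lines, threshold=FAILURE_THRESHOLD):
    """Return failure counts per IP, IPs to lock out, IPs that logged in
    after passing the threshold (password guessed), and probed paths per IP."""
    failures = defaultdict(int)
    probes = defaultdict(set)
    guessed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, kind = rec["ip"], classify(rec)
        if kind == "login_fail":
            failures[ip] += 1
        elif kind == "login_ok" and failures.get(ip, 0) >= threshold:
            # Accepted only after a run of failures: the password was guessed.
            guessed.add(ip)
        elif kind == "probe":
            probes[ip].add(rec["path"])
    return {
        "failures": dict(failures),
        "lockout": sorted(ip for ip, n in failures.items() if n >= threshold),
        "guessed": sorted(guessed),
        "probes": {ip: sorted(paths) for ip, paths in probes.items()},
    }


def _line(ip, method, path, status, minute):
    """Build one constructed combined-format log line (sample data, not real)."""
    return (f'{ip} - - [10/Mar/2016:10:{minute:02d}:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a guessing run that succeeds, a file-probing IP,
# a legitimate user who mistypes once, and a junk line the parser must skip.
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", "/wp-login.php", 200, t) for t in range(6)]
    + [_line("203.0.113.5", "POST", "/wp-login.php", 302, 6)]
    + [_line("198.51.100.7", "GET", "/wp-config.php.bak", 404, 7),
       _line("198.51.100.7", "GET", "/.env", 404, 8),
       _line("198.51.100.7", "GET", "/wp-admin/setup-config.php?step=1", 403, 9),
       _line("192.0.2.9", "GET", "/wp-login.php", 200, 10),    # loads the form
       _line("192.0.2.9", "POST", "/wp-login.php", 200, 11),   # one typo
       _line("192.0.2.9", "POST", "/wp-login.php", 302, 12),   # then logged in
       "garbage that is not a log line"]
)

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip in report["lockout"]:
        print(f"lock out {ip}: {report['failures'][ip]} failed logins")
    for ip in report["guessed"]:
        print(f"WARNING {ip} logged in after guessing; change that password now")
    for ip, paths in report["probes"].items():
        print(f"{ip} probed {', '.join(paths)}")
```

To use it on a real site, replace SAMPLE_LOG with the opened access log and set the threshold to the same number the security plugin is configured with, so what the analysis flags agrees with what the plugin would have blocked. An access log does not record the username that was tried, so the "lock out invalid usernames" rule can only be applied inside WordPress itself; what the log does give you is the moment a guessing run turned into an accepted login, which is the evidence you need to know a password must be changed.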

Attack type 3 – comment spamming

This is not directly an attack but simply morons trying to post entries full of links in the comments of the blog, usually to raise the search ranking of some website by giving it as many backlinks as possible.

Counter action: I had installed a spam comment blocking addon called Akismet. This puts all comments in a holding area until I choose to approve or delete them. So far nearly one hundred such spam comments have been blocked. The sort of comment they typically try to post is anodyne, e.g. "Good writing but have you checked out this list of good links?" This is just rubbish to be deleted. As their attempted posts never appear on the blog, they give up for a while and then try again.

Also, Google ignores post comments where the post is less than 3 months old so these comment spammers always go for old posts.

If you let these comments onto your blog you will be inundated with more, as they are generated automatically.

Attack type 4 – A deluge of comment spam

Counter action: I had to install an addon that let me turn off the comment facility completely for a while.

It is a nuisance that all WordPress sites get attacked in these ways, especially the popular ones, but the right precautions make it difficult for the scammers to cause any damage.

No doubt, the morons, scammers and spammers will continue attacks at some time but hopefully will never succeed.

If you have any experiences like this or with scammers, do let me know by email.
