Reports are circulating of an automated, highly distributed attack on WordPress installations across the globe. From all indications the attack is very well organized and completely distributed; over 90,000 IP addresses are reportedly involved so far.

This week we have had several reports of compromised WordPress sites hosted with us. Further analysis revealed that the admin accounts had been compromised and malicious scripts uploaded into the site directories. The attack is happening at a global level: WordPress instances at every hosting provider are being targeted. Because the requests come from tens of thousands of distinct (mostly compromised) hosts rather than from a handful of addresses, blocking the malicious traffic by source IP is not practical.

The symptoms are a very slow back end on your WordPress site or an inability to log in; in some instances the site may intermittently go down for short periods.

To keep your sites secure and safeguarded from this attack, we recommend the following steps:

- Update and upgrade your WordPress installation and all installed plugins.
- Scan any PC used to access your hosting account with multiple antivirus and malware scanners before attempting to log in.
- Install one of the security plugins listed below.
- Ensure that your admin password is strong, preferably randomly generated. Change it to something that meets the requirements given on the WordPress site, which are fairly typical for a secure password: upper- and lowercase letters, at least eight characters (longer is better), and "special" characters (^%$#&@*).
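Because the login attempts are spread over many source addresses, per-IP rate limiting or blocking misses this attack; what stands out in the web server log is the number of distinct clients posting to wp-login.php. The following script is an added example, not part of this advisory, that counts those posts and the distinct sources in a combined-format access log. The log lines are constructed for the example (RFC 5737 test addresses, not real traffic), and the alert threshold is a placeholder you would tune to your site's normal login traffic.

```shell
#!/bin/sh
# Added example (not part of this advisory): spot a distributed wp-login.php
# brute force in an Apache/nginx combined-format access log. Because the
# requests are spread over many source addresses, the useful signal is the
# number of DISTINCT clients posting to wp-login.php, not hits per client.

# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG='203.0.113.10 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 10342 "-" "Mozilla/5.0"
192.0.2.6 - - [12/Apr/2013:10:01:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"'

# write_sample_log FILE: write the constructed lines to FILE.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# wp_login_posts LOGFILE: total POST requests to wp-login.php.
# In combined format $1 is the client IP, $6 is "\"POST" (quote included)
# and $7 is the request path; a GET of the login page is not an attempt.
wp_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n++ } END { print n + 0 }' "$1"
}

# wp_login_sources LOGFILE: number of distinct IPs posting to wp-login.php.
wp_login_sources() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { ips[$1] = 1 }
         END { n = 0; for (ip in ips) n++; print n }' "$1"
}

# wp_login_alert LOGFILE THRESHOLD: exit 0 (alert) when more than THRESHOLD
# distinct clients are posting to the login form, else exit 1.
wp_login_alert() {
    [ "$(wp_login_sources "$1")" -gt "$2" ]
}

# Stand-alone demonstration on the constructed sample.
LOG=$(mktemp)
write_sample_log "$LOG"
printf '%s POST(s) to wp-login.php from %s distinct source IP(s)\n' \
    "$(wp_login_posts "$LOG")" "$(wp_login_sources "$LOG")"
if wp_login_alert "$LOG" 2; then
    echo "ALERT: distributed login brute force suspected"
fi
rm -f "$LOG"
```

On a real server, point the functions at the site's access log (for example /var/log/apache2/access.log) and run the alert check from cron; a sudden jump in distinct sources, even when each address posts only once or twice, is the pattern the advisory describes.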
Follow the recommendations for hardening your WordPress installation at http://codex.wordpress.org/Hardening_WordPress

Additional steps to further secure your WordPress sites:

- Revoke the DROP privilege from the database user named in DB_USER; a WordPress site never needs it in normal operation.
- Remove the README and license files (important): they expose the installed version.
- Move wp-config.php one directory level up (WordPress looks there automatically) and change its permissions to 400.
- Prevent public access to the .htaccess file.
- Restrict access to wp-admin to specific IP addresses.

A few more plugins: wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner, wordfence, and http://wordpress.org/extend/plugins/better-wp-security/.

While it is nearly impractical to find or maintain a perfectly secure system, it is essential that adequate steps be taken to protect the confidentiality, integrity, and availability of the resources under your control.
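The following script is an added example, not part of this advisory or of WordPress, that carries out the file-system and Apache steps in the list above for one document root and prints the MySQL statement for the DROP privilege. It goes one step beyond the list: the same IP allowlist is also applied to wp-login.php, since that is the file the brute force posts to, and wp-admin/admin-ajax.php is left open because public themes and plugins call it. Everything is assumed rather than taken from the page: Apache 2.2 or 2.4 with .htaccess enabled, a document root whose parent directory is not itself web-served, and placeholder paths, addresses and database names.

```shell
#!/bin/sh
# Added example (not part of this advisory): apply the file-system and Apache
# steps above to one WordPress document root. Assumptions (hypothetical,
# adjust for your host): Apache 2.2 or 2.4 with .htaccess enabled; the parent
# of the document root is outside the web root; allowed admin addresses and
# the database user are supplied by the caller.
set -u

# allow_rules IP [IP...]: access-control lines allowing only the given
# addresses/CIDRs, emitted for both Apache generations.
allow_rules() {
    echo '  <IfModule mod_authz_core.c>'
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '  </IfModule>'
    echo '  <IfModule !mod_authz_core.c>'
    echo '    Order deny,allow'
    echo '    Deny from all'
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo '  </IfModule>'
}

# harden_wp DOCROOT IP [IP...]
harden_wp() {
    docroot=$1; shift
    [ $# -ge 1 ] || { echo 'harden_wp: need at least one allowed IP/CIDR' >&2; return 1; }
    [ -d "$docroot/wp-admin" ] || { echo "harden_wp: $docroot is not a WordPress root" >&2; return 1; }

    # 1. Remove the files that reveal the installed version.
    rm -f "$docroot/readme.html" "$docroot/license.txt"

    # 2. Move wp-config.php one level up (WordPress checks the parent
    #    directory when the file is absent from the root) and make it 0400.
    if [ -f "$docroot/wp-config.php" ]; then
        mv "$docroot/wp-config.php" "$docroot/../wp-config.php"
    fi
    chmod 400 "$docroot/../wp-config.php"

    # 3. Restrict wp-admin to the allowed addresses. admin-ajax.php is left
    #    open because public themes and plugins call it from the front end.
    {
        echo '# wp-admin allowlist (generated by harden_wp)'
        allow_rules "$@"
        echo '<Files admin-ajax.php>'
        echo '  <IfModule mod_authz_core.c>'
        echo '    Require all granted'
        echo '  </IfModule>'
        echo '  <IfModule !mod_authz_core.c>'
        echo '    Order allow,deny'
        echo '    Allow from all'
        echo '  </IfModule>'
        echo '</Files>'
    } > "$docroot/wp-admin/.htaccess"

    # 4. In the site root: deny access to .htaccess itself and put the same
    #    allowlist on wp-login.php, the file the brute force actually posts to.
    #    Appended, not overwritten, so WordPress' own rewrite rules survive.
    {
        echo '# generated by harden_wp'
        echo '<Files .htaccess>'
        echo '  <IfModule mod_authz_core.c>'
        echo '    Require all denied'
        echo '  </IfModule>'
        echo '  <IfModule !mod_authz_core.c>'
        echo '    Order allow,deny'
        echo '    Deny from all'
        echo '  </IfModule>'
        echo '</Files>'
        echo '<Files wp-login.php>'
        allow_rules "$@"
        echo '</Files>'
    } >> "$docroot/.htaccess"
}

# revoke_drop_sql DBUSER DBHOST DBNAME: the statement to run as the MySQL
# administrator. REVOKE must match the scope of the original GRANT
# (typically GRANT ALL ON dbname.*), otherwise MySQL reports no such grant.
revoke_drop_sql() {
    printf "REVOKE DROP ON \`%s\`.* FROM '%s'@'%s'; FLUSH PRIVILEGES;\n" "$3" "$1" "$2"
}

# Usage (all values are placeholders):
#   harden_wp /var/www/example.com/htdocs 203.0.113.5 198.51.100.0/24
#   revoke_drop_sql wpuser localhost wpdb | mysql -u root -p
```

Restricting wp-login.php by address only suits sites where every login comes from known networks (a corporate site, a personal blog); a site with open registration or members who log in from anywhere needs the plugin-based protections instead. Run the script once as the site owner, then confirm from an address outside the allowlist that /wp-admin/ and /wp-login.php return 403 while the front page still loads.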