April 13, 2013
A lot of WordPress sites are being attacked at the moment.
Below are some precautionary steps I’ve taken that you might consider taking as well.
I have updated this post as I’ve gotten more information, so things are definitely changing as I find out more…
1. Delete your Admin user(s)
I recommend this step in my post How to Start a Blog, so if you followed that, you may have already done this.
Check for other Users and delete any that are no longer in use, especially any that are assigned the “Administrator” role. To find a complete list of Users go to Dashboard –> Users –> All Users.
2. Change your password. Encourage other Users to change their passwords too.
Choose a password that’s super strong. That means it should be over 8 characters and should include a combination of caps, lowercase, symbols and numbers. Here’s how to change your password in WordPress:
- Log in to your Dashboard
- Click “Users” in the left column and then “Your Profile.”
- Scroll down to the “About Yourself” section and enter your new password. Confirm it.
- Click the blue “Update Profile” button to save.
If there are others who regularly use your site, have them change their passwords too.
3. Make sure you are running the most updated version of WordPress
Keeping your plugins updated is a good idea too. You can easily see all the ones that need updating by going to Dashboard –> Plugins –> Installed Plugins. On that page, you will see a box with “There is a new version of [plugin] available…” and an option to upgrade underneath any that need upgrading.
4. Activate CloudFlare
I did this after reading this article. Here’s how to do it:
In Bluehost, log in to your cPanel. Click on the “Addons” icon in the top right. Scroll down and click the “CloudFlare” icon at the bottom of the page. Read and accept the terms. There is a free version. As you click through, it might look like you’re going to be charged $14.99, but look for the free version. Look in the middle of your screen for it listed next to your domain. (Thanks to Karen for adding this helpful note in the comments.) Check your site to make sure it comes up as usual. If not, call Bluehost.
5. Install the Limited Login Attempts plugin
Update: (April 14, 12:03am) After reading this post from Matt Mullenweg (the WP dude), I’m moving this suggestion down on the list. He says:
…an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours)
The Limited Login Attempts plugin prevents bots from trying to get into your account multiple times using different computer-generated passwords. After a specified number of login attempt failures (the default is 4), they (or anyone, so make sure you know your password!) will be locked out for a period of time.
After you install and activate the plugin, you can access the settings in Dashboard –> Settings –> Limited Login Attempts. I left the defaults as is, except I changed the “Notify on Lockout” option to email me after 4 attempts (mostly because I’m just curious).
Additional things you can do…
Update: (April 13, 2013, 11:30pm) If you’re more technically inclined and/or want to take a further step, you can password-protect your wp-login.php file. Follow the steps from HostGator here (the same steps should work if your host is Bluehost too).
Update: (April 14, 12:08am) For WordPress.com users: Turn on two-step authentication.
How do you know if you’ve fallen victim to this attack?
HostGator (one of the first to break the news) says this:
The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.
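If you have access to your web server’s access log, you can check for the attack directly rather than waiting for the symptoms above. The script below is an added example, not part of the original post or of any plugin: it counts failed wp-login.php logins per IP (a failed attempt re-shows the form with HTTP 200, a successful one redirects with 302) and splits them into what a 4-attempt per-IP lockout would catch and what it would miss, which is exactly the gap Matt Mullenweg points out when the attempts come from many different IPs. The log lines are constructed samples in Apache “combined” format.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format), not taken from any real site.
# Failed wp-login.php POST -> 200 (form shown again); successful POST -> 302 redirect.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2013:22:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2013:22:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2013:22:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2013:22:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2013:22:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.8 - - [13/Apr/2013:22:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2013:22:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:22:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:22:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, request method, request path, HTTP status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_logins_per_ip(log_text):
    """Count wp-login.php POSTs per client IP that came back 200 (login form re-shown = failure)."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("wp-login.php") and status == "200":
            per_ip[ip] += 1
    return per_ip

def assess(log_text, per_ip_limit=4, distributed_limit=3):
    """Split failures into what a per-IP lockout (plugin default: 4 tries) catches and what it misses."""
    per_ip = failed_logins_per_ip(log_text)
    locked = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    # Failures from IPs that each stayed under the limit are invisible to IP throttling.
    under_radar = sum(n for n in per_ip.values() if n < per_ip_limit)
    return {
        "total_failures": sum(per_ip.values()),
        "lockout_candidates": locked,
        "under_radar_failures": under_radar,
        "looks_distributed": under_radar >= distributed_limit,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

A high `under_radar_failures` count with few or no `lockout_candidates` means the attempts are spread across many IPs, which is when the password-protected wp-login.php or two-step authentication above does more for you than a lockout plugin.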
There are no guarantees for 100% protection, of course, but these steps could minimize the risk. Please spread the word!