Thursday, April 18, 2013
How to protect your WordPress from attack?
An ongoing attack on WordPress-based websites has compromised more than 90,000 blogs, but there are simple ways to make sure your blog won't be the next to fall. Brute-force attacks, as their name suggests, are some of the least sophisticated hacks out there: they rapidly cycle through common directory names, passwords and IP addresses in order to reach private files through sheer dumb luck. The bad news is that such attacks hit WordPress blogs tens of thousands of times per day; the good news is that stopping them cold is simplicity itself.
A security firm called Sucuri examined the logs from its own WordPress blog and discovered that between December 2012 and April 2013, hackers had launched almost 5 million brute-force attacks. The attempted hacks used very predictable patterns. To log into protected accounts, the hackers tried five usernames in overwhelming numbers: "admin," "test," "administrator," "Admin" and "root." The 90,000 WordPress blogs that got hacked and roped into the attacking botnet generally had easy-to-guess usernames or passwords, and their takeovers most likely could have been prevented with a little creativity.
If you use common usernames or passwords for your WordPress login credentials, or for any other information you store on the Web, simply changing them to something uncommon will prevent the vast majority of brute-force attacks. Making them hard to guess will render you all but immune.
One interesting bit of data that Sucuri gathered involved "common" passwords that didn't appear to be common at all. The attackers made thousands of brute-force attempts with passwords such as "#@F#GBH$R^JNEBSRVWRVW" and "RGA%BT%HBSERGAEEAHAEH." These strings of letters and symbols do not appear to have any kind of pattern, yet are too consistent and repetitive to be truly random.
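The pattern Sucuri saw in its logs, a single source hammering the login form with a short list of predictable usernames, is exactly what a site owner can look for in their own logs. The following script is an added example, not code from this post or from Sucuri: it parses a hypothetical failed-login audit log (WordPress core does not write such a log itself; the line format, IP addresses and timestamps here are all constructed for the example), flags any IP that racks up a burst of failures, and reports how many of the attempted usernames fall in the five names the post lists.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# The five usernames the post reports as tried in overwhelming numbers.
COMMON_USERNAMES = {"admin", "test", "administrator", "Admin", "root"}

# Hypothetical audit-line format (an assumption for this example; a login
# plugin or server hook would have to produce something like it).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<result>FAILED|SUCCESS) login '
    r'user="(?P<user>[^"]*)" ip=(?P<ip>[0-9.]+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"

# Constructed sample log: one burst from a single address trying the
# common names, one legitimate user who mistypes once, one lone probe.
SAMPLE_LOG = """\
[18/Apr/2013:13:01:02] FAILED login user="admin" ip=203.0.113.5
[18/Apr/2013:13:01:03] FAILED login user="administrator" ip=203.0.113.5
[18/Apr/2013:13:01:04] FAILED login user="root" ip=203.0.113.5
[18/Apr/2013:13:01:05] FAILED login user="test" ip=203.0.113.5
[18/Apr/2013:13:01:06] FAILED login user="Admin" ip=203.0.113.5
[18/Apr/2013:13:05:00] FAILED login user="erjola" ip=198.51.100.7
[18/Apr/2013:13:20:00] SUCCESS login user="erjola" ip=198.51.100.7
[18/Apr/2013:14:00:00] FAILED login user="admin" ip=192.0.2.9
"""


def parse_line(line):
    """Turn one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def is_guessable_username(name):
    """True if the login name is one of the five the attackers lead with."""
    return name in COMMON_USERNAMES


def analyze(log_text, threshold=5, window_seconds=60):
    """Flag IPs that reach `threshold` failed logins inside any span of
    `window_seconds` (lines are assumed to be in time order), and tally the
    usernames attempted. Only FAILED lines count toward either figure."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}                 # ip -> failure count at the moment it was flagged
    usernames = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "FAILED":
            continue
        usernames[event["user"]] += 1
        q = recent[event["ip"]]
        q.append(event["ts"])
        # Drop failures older than the window before judging this IP.
        while q and event["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and event["ip"] not in flagged:
            flagged[event["ip"]] = len(q)
    common_hits = sum(n for u, n in usernames.items() if is_guessable_username(u))
    return {
        "flagged_ips": flagged,
        "usernames": usernames,
        "common_username_hits": common_hits,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, count in report["flagged_ips"].items():
        print(f"burst of {count} failed logins from {ip}")
    print("usernames attempted:", dict(report["usernames"]))
    print("attempts using the five common names:", report["common_username_hits"])
```

The window-and-threshold check is what a login-limiting plugin or a fail2ban-style jail does under the hood; the username tally is the cheaper signal, since a real user rarely tries "root" and "administrator" in consecutive seconds. If your own account name shows up in `COMMON_USERNAMES`, that is the first thing to change.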
Both the Sucuri experts and the commenters on its blog post were stumped, and feared that brute-force hackers might know something they don't. Our own efforts to discover the origin of these supposedly common passwords came up dry. After breaking the character strings down into binary 1s and 0s, we tried to translate them into other character encodings, hoping that the passwords might mean something in non-Latin alphabets. Nothing recognizable came up. Brute-force attacks, though, are very easy to avoid. If you're going to get hacked, at least make sure that the attacker has to put some effort into it.
Posted by Erjola Nushi at 1:38 PM