Tag Archives: wordpress

Who’s attacking your website?

With the explosion in web creation tools, owning a website is no longer the domain of a select few.  Whether you have an online store, a “business card” site or a fan site for your passion, setting up a website can be done by almost anyone with a need and a little patience.

What many people fail to realize is that, just like your home PC, a little care is needed if you are to avoid having your website taken over and either vandalized or used as a springboard for spreading viruses.  After all, which of your friends wouldn’t download something from a website they knew you created?

Think people aren’t attacking your site?  A quick look at the sites I have set up showed that, without exception, every one of them had logged attempts to log in using brute force password cracking.  I know this because I have software installed on these sites that tracks failed attempts to log in and, if they occur often enough (10 tries in my case), my site automatically blocks access from those IP addresses with increasingly long lockouts and sends me a note to let me know about it.  Here’s a sample from one of the sites I take care of:

IP Tried to log in as

 

As you can see, usernames like admin, administrator, root, and variants of the URL (starred out for privacy reasons) have all been tried.  It’s one of the reasons I NEVER use those as either a user id or a password.

Attacks mostly seem to come from the Czech Republic, the Republic of Korea, Ukraine and so on.

Why those places and what are they doing?  Who cares?  The important thing to realize is that even the website you put together as a memorial to your beloved dog can, and will, be attacked.

The site I pulled the lockout information from is only special to the people that use it.  It doesn’t get millions of views, isn’t a political or controversial group, and doesn’t contain any secret information.  In fact everything on the site is public.  So if they are being attacked then it’s a very good bet that your website is too.

So what can you do about it?

Well you can’t stop people attacking you, but you can make life difficult for them by taking some simple steps.

  1. The most obvious, and easiest, thing to do is to make sure that you don’t use any common user names or passwords.  If your website provider sets up a default user such as Admin when your site is built, change it!  Passwords don’t have to be long and hard to remember – two random words like BlueDriver or NotedMarketer will keep people guessing long enough to make them bored.  If you use Admin and password because they are easy to remember then you deserve what you get.
  2. Install software that can lock out repeated login attempts.  There are many of these around and they are often free.  Install them for some peace of mind and sleep easily knowing that someone isn’t bombarding your website with thousands of login attempts.
  3. Make sure that you keep your website software up to date.  As the HeartBleed bug showed us, no website is foolproof, so make sure that vulnerabilities are patched regularly.
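What the lockout software in step 2 does, sketched as an added example (not the code of any particular plugin, and not from the original post): it uses the 10-try threshold and increasingly long lockouts described earlier. The 10-minute counting window, the 5-minute starting lockout that doubles each time, and the sample IP addresses and usernames are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                        # failed tries before a lockout (figure from the post)
WINDOW = timedelta(minutes=10)        # assumption: tries must fall inside this window
BASE_LOCKOUT = timedelta(minutes=5)   # assumption: first lockout; doubles each repeat


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(list)   # ip -> timestamps of recent failed logins
        self.strikes = defaultdict(int)     # ip -> lockouts already served
        self.usernames = defaultdict(set)   # ip -> usernames it has tried
        self.blocked_until = {}             # ip -> time the current block ends
        self.alerts = []                    # stand-in for the note sent to the owner

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, datetime.min) > now

    def record_failure(self, ip, username, now):
        """Record a failed login; return True if the IP is (now) locked out."""
        if self.is_blocked(ip, now):
            return True                     # refused without counting further
        self.usernames[ip].add(username)
        recent = [t for t in self.failures[ip] if now - t <= WINDOW] + [now]
        self.failures[ip] = recent
        if len(recent) < THRESHOLD:
            return False
        duration = BASE_LOCKOUT * 2 ** self.strikes[ip]   # 5 min, 10 min, 20 min ...
        self.strikes[ip] += 1
        self.blocked_until[ip] = now + duration
        self.failures[ip] = []
        self.alerts.append((ip, duration, sorted(self.usernames[ip])))
        return True


def replay():
    """Run constructed sample events (documentation-range IPs) through the guard."""
    guard = LoginGuard()
    start = datetime(2014, 1, 1, 3, 0, 0)
    names = ["admin", "administrator", "root"]
    for burst in (0, 3600):                 # two bursts of guessing, an hour apart
        for i in range(12):                 # the last two tries of each burst hit the block
            now = start + timedelta(seconds=burst + i * 10)
            guard.record_failure("203.0.113.7", names[i % 3], now)
    guard.record_failure("198.51.100.20", "editor", start)   # one mistyped login
    return guard
```

Calling `replay().alerts` gives one entry per lockout: the offending IP, how long it was blocked, and the usernames it tried. A single mistyped login from another address never reaches the threshold.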

Those three simple steps alone should keep the vast majority of people at bay.  Sure, there are a few highly skilled people out there that could get in if they wanted to, but with so many juicy targets for their talents why would they waste their time on your cooking blog?  Nope…it’s the equivalent of the thug with a brick that we want to stop and the steps above are the equivalent of a spray can full of mace to those guys.

 


Filed under Computers, Online Security, Web Design

Software upgrades for Computer Whisperer WordPress clients

What is happening?

Clients of the Computer Whisperer WordPress hosting websites are updated and maintained regularly.  Usually these upgrades are minor, performed outside of normal business hours and not something that would need notification.

Periodically it is necessary to deploy major upgrades to the core platforms to make sure that your website remains stable and secure.  In this case we will be upgrading PHP from version 5.2 to 5.4 within the next seven days.

What will happen and how does this affect me?

Even major upgrades are not normally problematic and should result in nothing more than a few minutes of downtime for your site.  In almost all cases you will not even be aware that the change has taken place.

Within the next seven days the following actions will be taken on your site:

  • Your site will be fully backed up
  • All plugins will be upgraded to the latest version
  • WordPress will be upgraded to version 3.8 if necessary
  • The PHP version on your site will be upgraded from 5.2 to 5.4
  • After upgrading, your site will be tested to make sure that core functionality is performing as expected
  • Email access will not be affected during the upgrade process

What if there are problems?

Since WordPress 3.8 is known to be stable with PHP version 5.4, any problems are most likely caused by plugins.  In the event of a problem we will identify the offending plugin and either work with the plugin developer to resolve the issue or find an alternative plugin that provides the same functionality.

Rest assured that your website is fully backed up using a method that allows for rapid deployment to an alternative host.  In the unlikely event of a major problem we will set up a new host using a legacy version of the software and migrate your site to that host.

If you would like to speak about this please feel free to call the usual number or simply leave a comment below.


Filed under Computers, Web Design

Make Quick Posts to Your WordPress Blog with Press This | WordPress.tv

Press This is an easy to install bookmarklet that allows you to grab just about anything off of the web (like a text quote, video, or image) and turn it into a blog post, all without ever touching the dashboard of your WordPress site.

via Make Quick Posts to Your WordPress Blog with Press This | WordPress.tv.


Filed under Free Software, Technology, Web Design

Hackers attack WordPress ‘Admin’ accounts

Over the past couple of weeks websites using WordPress have been under fire from a very sophisticated brute force attack involving over 90,000 IP addresses.

Some hosting providers handled this better than others.  

The best ones experienced  some slowness and minor outages while others simply went down for a couple of days.

While it has subsided, the attack is still ongoing, so here are a few steps that you should consider taking to help shore up your defenses.

  1. Make sure that your plugins are up to date.  Often plugin updates are released precisely because they have security holes and leaving these unattended for a long time is an open door to hackers.
  2. Don’t use administrator accounts called ‘admin’.  This is akin to using a password of ‘password’.  Some hosting vendors created these by default on installation.  If you have one of these then create another administrator account, log in using that one and delete the ‘admin’ account.
  3. Create strong passwords.  Ideally at least 8 characters and with a mixture of letters, numbers and special characters such as ^%$#&@*.  If you have too many passwords to keep things straight then consider using something like LastPass.

These three simple steps won’t keep you totally in the clear but, like an alarm on your car, they should move the troublemakers on to an easier target.

 


Filed under Free Software, Online Security, Virus, Web Design