Security

The Largest Hacking Attempt in the History of the Internet

An unusually powerful online attack, using more than 90,000 IP addresses, is currently under way against WordPress blogs with weak admin credentials. Targeted at vulnerable WordPress installs that still use the default “admin” username, this dictionary-based brute-force attack tries thousands of passwords in an effort to guess the administrator’s credentials.

Now, password-guessing attacks of this sort happen all the time, right? What’s all the fuss about? Analysts speculate that this attempt is just a warm-up for a much wider and larger attack still to come. How? The avalanche effect.

Sites that are broken into (and thousands have been) are seeded with a backdoor that lets the attackers control the site remotely. These compromised sites are then conscripted into the attacking botnet, just like the 90,000 IP addresses mentioned above, and forced to launch password-guessing attacks against other sites running WordPress.

So the attacker, who for now appears to be using a relatively weak botnet of home PCs connected to the Internet over mere 10 megabit or 20 megabit lines, will soon have a much larger botnet of powerful servers with essentially unlimited Internet bandwidth and large network connections, capable of generating traffic on an unprecedented scale that could affect the entire Internet infrastructure and slow it down on a global level. Scary, right?

If you haven’t locked down your website properly, now is the time to spring into action, because chances are it could be hijacked by cybercriminals for their own purposes without you even knowing.

Maintain strong passwords: Let’s kick off the list with the easiest step you can implement immediately. Use strong passwords that mix upper- and lower-case letters, numbers and symbols.

Rename the administrative account: Create a new user with administrator rights and delete “admin”, the default administrator account on WordPress-powered sites.

Install a login limiter for WordPress: A login limiter blocks any IP address whose failed login requests exceed a threshold rate. For example, three consecutive failed login attempts can trigger a penalty timeout of 1 hour and an e-mail notification to the website owner. Two WordPress plugins that let you enforce a login limiter are Limit Login Attempts and Better WP Security.
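The limiter policy just described (three consecutive failures, a one-hour timeout, a notification to the owner), written out as an added Python example rather than code from Limit Login Attempts or Better WP Security; it also shows how the password-guessing attack described at the top of the page is throttled at a single site. The IP addresses and timestamps in SAMPLE_EVENTS are constructed, and in a real deployment the notification list would be replaced by an e-mail call.

```python
from dataclasses import dataclass, field

THRESHOLD = 3           # consecutive failures before lockout
LOCKOUT_SECONDS = 3600  # penalty timeout (1 hour)


@dataclass
class LoginLimiter:
    failures: dict = field(default_factory=dict)       # ip -> consecutive failures
    locked_until: dict = field(default_factory=dict)   # ip -> unix time lock expires
    notifications: list = field(default_factory=list)  # messages that would be e-mailed

    def is_locked(self, ip, now):
        if self.locked_until.get(ip, 0) > now:
            return True
        if self.locked_until.pop(ip, None) is not None:  # lock just expired
            self.failures.pop(ip, None)                   # start counting afresh
        return False

    def attempt(self, ip, username, success, now):
        """Record one login attempt; return False if the IP is locked out."""
        if self.is_locked(ip, now):
            return False
        if success:
            self.failures.pop(ip, None)                   # a success resets the counter
            return True
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= THRESHOLD:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.notifications.append(
                f"{ip} locked out {LOCKOUT_SECONDS}s after {count} failures as {username!r}")
        return True


# Constructed sample of login events: (unix time, source ip, username, success)
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", "admin", False),
    (1001, "198.51.100.7", "admin", False),
    (1002, "198.51.100.7", "admin", False),   # third failure: lockout starts
    (1003, "198.51.100.7", "admin", True),    # correct password, but blocked
    (1010, "203.0.113.4", "editor", False),
    (1011, "203.0.113.4", "editor", True),    # success resets that IP's counter
    (4602, "198.51.100.7", "admin", False),   # lock expired, counted afresh
]


def replay(events, limiter):
    # Feed events through the limiter; one allowed/blocked flag per event
    return [limiter.attempt(ip, user, ok, now) for now, ip, user, ok in events]
```

Call the limiter before verifying the password, so that a locked-out IP never reaches the password check at all.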

Enable two-factor authentication: Two Step Authentication for WordPress.com accounts was released just a week ago, and we strongly recommend that you deploy it.

Keep up to date with the latest version of WordPress: The WordPress team releases patches that fix security holes at frequent intervals. Keep tabs on them, and also on new versions of your plugins and themes.

Why are digital certificates so important?

Identification & Authentication

A digital certificate helps you prove your identity to your visitors, particularly if you collect sensitive data such as credit card details and other confidential information through online transactions.

Confidentiality

The information transferred through your website is encrypted once a digital certificate is installed. This ensures confidentiality for the end user.

Fraud Protection

Protect yourself and your customers from the threat of online fraud and information hijacking, also known as phishing.

Choosing the right digital certificate

With Innovative Hosting Corporation you have access to a comprehensive range of digital certificates from world-leading providers such as Thawte and Positive SSL, all backed by India-based telephone support and fully assisted order placement.

8 Ways to Safeguard your WordPress Blog from Hackers

You’ve treated your blog like your baby and nurtured it, complete with pictures, and proofread everything you’ve written. You might have around 300 posts to date, and you’ve invested a great deal of time and sweat in making them perfect.

You also have a decent follower base (100+ followers) and a massive number of comments, at least 5000+ good comments from good people who truly appreciate what you blog about.

The above scenario is an absolute delight, until THIS happened!

We can totally relate to this (not that it’s ever happened to us, touch wood) and to see this happen to your very own blog is a nightmare.

But fear not! We’re here with a set of tips that will help you keep your WordPress blog safe and secure.

1. Take a Back-Up!!

Your WordPress database contains every post, every comment and every link you have on your blog. If your database gets erased or corrupted, you stand to lose everything you have written. There are many reasons why this could happen and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal.

2. Do you have the latest WordPress Version?

You should always make sure that your blog’s WordPress version is up to date. The WordPress team releases patches that fix security holes. Follow the WordPress feed to find out about the latest updates, or simply log in to your admin dashboard.

3. Delete “Admin” User

Just to make hackers work harder, bin this account. Create a new user with administrator rights and give that user a nickname (for public display) that differs from the username. Then log out, log back in as the new user, and delete the original “admin” user.

4. Install WP Security Scan

This plugin is really useful. It’s simple and automates the checks: it scans your WordPress blog for vulnerabilities and informs you if it finds any malicious code. If the results show in green in the admin panel, you should be good.

5. Scan Every Theme and Plugin You Want to Install

This is especially important if you download your themes and plugins from other websites, or if you’re using cracked plugins and themes. You never know when a sleazy programmer will slip a little code into your theme or plugin, or when that cracked software you’re downloading will be infected.

Don’t wait until you get hacked to realize this: scan every theme and plugin you want to install with your own antivirus before you install it, and rescan them on a regular basis.

6. Create a .htaccess File in “wp-admin/”

.htaccess (hypertext access) is the default name of the directory-level configuration files that allow decentralized management of configuration when placed inside the web tree. .htaccess files are often used to specify security restrictions for a particular directory.

Open a new text file and paste this –

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Save the file as .htaccess and upload it to your “wp-admin/” folder, i.e., to http://myblog.com/wp-admin/

7. Hide Your Plugins

If you’re not sure whether they’re hidden, navigate to http://myblog.com/wp-content/plugins. If you see a 404 error page, they’re hidden. Otherwise, you’ll see them listed.

8. Install a Plugin that Monitors Your Files and Notifies You of Changes Immediately

You can also ask your hosting provider to help you configure your server to notify you whenever any of your files changes, or you can look for a plugin that makes this easy.

A lot of little changes happen to a blog every day, but some of them shouldn’t. It is important that you don’t learn about such changes late, so make sure you regularly monitor your server and WordPress installation for any changes.
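The file-change monitoring described in this tip, as an added Python example that is not code from any plugin or hosting provider: it takes a SHA-256 baseline of every file under the site root and later reports what was added, removed or modified. The miniature site in demo() is constructed in a temporary directory so the example runs offline; the paths and file contents are placeholders.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return the added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed miniature site: take a baseline, then apply the three kinds of
    change the monitor must report and return the resulting report."""
    with tempfile.TemporaryDirectory() as site:
        theme = os.path.join(site, "wp-content", "themes", "mytheme", "functions.php")
        _write(os.path.join(site, "wp-config.php"), "<?php // constructed config\n")
        _write(os.path.join(site, "readme.html"), "<html>readme</html>\n")
        _write(theme, "<?php // constructed theme file\n")
        baseline = snapshot(site)                     # keep this copy off the server
        _write(theme, "<?php // constructed theme file\n// unexpected edit\n")
        _write(os.path.join(site, "wp-content", "uploads", "cache.php"), "<?php\n")
        os.remove(os.path.join(site, "readme.html"))
        return diff_snapshots(baseline, snapshot(site))
```

In practice, store the baseline outside the web root and run snapshot() from a scheduled job, so that a non-empty report reaches you soon after the change rather than when you next look.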

That’s it. Your blog is more secure, and way less hackable. Go make content!