WordPress, my favourite content management system (CMS), is being attacked by the bad guys (hackers), so you had better be on red alert. This coincides with the series I am currently running in the “ICT clinic” page of Sunday Punch titled Cyber-crime and the Future of the Internet (grab a copy of this week’s Punch if you are in Nigeria or read online on www.punchng.com). As I write this post, there is an ongoing, highly distributed, global attack on WordPress installations to crack open admin accounts and inject various malicious scripts.
This attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is difficult for providers to block all malicious traffic.
To ensure that your websites are secure and safeguarded from this attack, we recommend the following steps:
- Update and upgrade your WordPress installation and all installed plugins
- Install the Wordfence security plugin
- Ensure that your admin password is secure and preferably randomly generated
- Other ways of hardening a WordPress installation are shared at
- Disable the DROP command for the DB_USER. This is not normally needed for any purpose in a WordPress setup
- Remove the README and license files (important), since these expose version information
- Move wp-config.php one directory level up, and change its permissions to 400
- Prevent world reading of the .htaccess file
- Restrict access to wp-admin to specific IPs only
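As an added example (not part of the original post), the script below applies the file-level steps from the list to a WordPress document root: removing the version-leaking files, moving wp-config.php one level up with mode 400, restricting wp-admin to a list of IPs and stopping .htaccess from being world-readable or served. The document root path and admin IPs are caller-supplied assumptions, the .htaccess rules use Apache 2.2 mod_access syntax, and mode 400 on wp-config.php assumes PHP runs as the file owner (suPHP/suEXEC-style hosting); the database privilege and plugin steps are not covered here.

```shell
#!/bin/sh
# Added example: file-level WordPress hardening. Not the post's own script.
set -e

# harden_wp <wordpress_root> "<space-separated admin IPs>"
harden_wp() {
  root="$1"
  admin_ips="$2"

  # 1. Remove files that reveal the installed WordPress version.
  rm -f "$root/readme.html" "$root/license.txt"

  # 2. Move wp-config.php one level above the web root (WordPress looks
  #    there automatically) and make it readable by its owner only.
  #    Assumes the PHP process runs as that owner.
  if [ -f "$root/wp-config.php" ]; then
    mv "$root/wp-config.php" "$root/../wp-config.php"
  fi
  [ -f "$root/../wp-config.php" ] && chmod 400 "$root/../wp-config.php"

  # 3. Allow wp-admin only from the listed IPs (Apache 2.2 syntax:
  #    with "Order Deny,Allow" a matching Allow overrides the Deny).
  mkdir -p "$root/wp-admin"
  {
    echo "Order Deny,Allow"
    echo "Deny from all"
    for ip in $admin_ips; do
      echo "Allow from $ip"
    done
  } > "$root/wp-admin/.htaccess"

  # 4. Never serve .htaccess itself, and drop world read permission on it.
  {
    echo "<Files .htaccess>"
    echo "Order Allow,Deny"
    echo "Deny from all"
    echo "</Files>"
  } > "$root/.htaccess"
  chmod o-r "$root/.htaccess" "$root/wp-admin/.htaccess"
}

# check_hardened <wordpress_root>: exit 0 if the steps above are in place.
check_hardened() {
  root="$1"
  [ ! -e "$root/readme.html" ] && [ ! -e "$root/license.txt" ] &&
  [ ! -e "$root/wp-config.php" ] && [ -f "$root/../wp-config.php" ] &&
  grep -q "Deny from all" "$root/wp-admin/.htaccess" &&
  grep -q "<Files .htaccess>" "$root/.htaccess"
}
```

Run it as `harden_wp /var/www/example "203.0.113.10 198.51.100.7"` (constructed values) and verify with `check_hardened /var/www/example`.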
A few more plugins – wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner. These may help on several occasions. (See the WordPress plugin directory.)
Also, we recommend using Cloudflare, which is available for free, to prevent the attack from affecting the functionality of your site.
Take heed and ensure you safeguard your web properties against these bad (but highly intelligent) guys scattered across the globe.