WordPress users: be calm and vigilant. WordPress blogs and websites all over the world have sustained “brute-force attacks” this week.
Over 90,000 computers have been ‘conscripted’ into a sinister botnet, which is prowling round like a roaring lion, looking for someone to eat; that is, attempting to hack into WordPress sites.
It is important to secure your site, not only for your own sake, but for the sake of your web host’s other customers. (It’s analogous to immunising your kids, not only for their sake, but for the other kids at their school.)
In the first place, make sure that you are using the latest versions of WordPress and active plugins. Delete all inactive plugins and inactive themes.
In the second place, change your password. Most of us use a key word or phrase which is easy to recall. You have to mix it up a little with upper-case letters, numbers and special characters. So convert your old intuitive password into a N#w L#$$ Intu!t!v# P@$$w0rd.
In the third place, there are a few security plugins you might consider installing. I highly recommend Bulletproof Security, which I have been using since a few of my sites were hacked in 2011. I thought I had installed and activated it on all my sites, but I missed one, which was hacked just a few weeks ago. Now all my sites, without exception, have Bulletproof protecting them!
Two other plugins, which are especially recommended in light of the present brute-force attack, are Limit Login Attempts and Better WP Security. I installed them both today, and only realised afterwards that if you install the latter, you don’t need the former. LLA is a very simple plugin, whereas BWPS is quite complex. But they will both thwart a brute-force attack by blocking anybody (or anybot) who gets your admin password wrong five times in a row.
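The five-wrong-passwords-in-a-row rule described above, sketched as an added example (this is not code from either plugin). The lockout length, the event format and the per-username variant are assumptions that go beyond the post; the variant is included because the attack comes from many computers at once.

```python
from collections import defaultdict

MAX_FAILURES = 5        # "wrong five times in a row", as in the post
LOCKOUT_SECONDS = 1200  # assumed lockout length; the post does not give one


class LockoutTracker:
    """Counts consecutive failed logins per key and locks the key out."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.locked_until = {}             # key -> unix time the lock ends

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def record(self, key, success, now):
        """Record one attempt; return 'blocked', 'ok', 'failed' or 'locked'."""
        if self.is_locked(key, now):
            return "blocked"               # rejected before checking the password
        if success:
            self.failures.pop(key, None)   # a good login resets the streak
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            self.failures.pop(key, None)
            return "locked"
        return "failed"


def replay(events, key_field):
    """Feed (time, ip, user, success) events through a tracker keyed on one field."""
    tracker = LockoutTracker()
    idx = {"ip": 1, "user": 2}[key_field]
    return [tracker.record(e[idx], e[3], e[0]) for e in events]


# Constructed sample events (documentation addresses, not real traffic).
SINGLE_SOURCE = [(t, "203.0.113.7", "admin", False) for t in range(7)]
MANY_SOURCES = [(t, f"198.51.100.{t + 1}", "admin", False) for t in range(7)]

if __name__ == "__main__":
    print(replay(SINGLE_SOURCE, "ip"))    # one address: locked on the 5th failure
    print(replay(MANY_SOURCES, "ip"))     # one try per address: never locked
    print(replay(MANY_SOURCES, "user"))   # keyed on username: locked on the 5th
```

Keying the counter on the username as well as the address catches failures spread across many sources, at the cost of locking the real owner out for the same window.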
Stand up to your enemy the botnet, strong in faith!