What is happening?
Since earlier this week, there’s been a massive attack on websites around the globe, in particular targeting WordPress installations (which is the world’s most widely-used Content Management System).
This type of attack involves bombarding the login page with hundreds of usernames and passwords in an attempt to guess the access details to your website. It’s otherwise known as a “brute force” password attack. Computers are setup to automatically crawl the Internet finding more and more websites to target.
Often these computers are normal family PCs, which have been infected by malicious software that runs in the background, without the computer’s owner even knowing about it. The infected computer may receive commands from a central computer. Together, these computers are called a “botnet” and can unleash devastating force on websites when these computers all work together, often crashing the website servers under the strain. This attack then becomes a “denial of service” attack, which is when lots and lots of traffic is targeted at websites with the objective to crash and bring down those sites.
What’s different about this WordPress attack?
On a normal week, we detect and temporarily block these malicious computers and often see at least one attack per day. We get an instant email notification when this happens. Our security in place means no harm is done, whilst our servers have more than sufficient capacity to deal with these occasional attacks.
However, what has been happening this week is an incredibly large botnet has been formed, estimated at over 90,000 computers, which brings with it tremendous force. This has slowed down web servers and whole data centres due to the amount of traffic being bombarded at the equipment. In addition, rather than just home computers being infected and joining the botnet, reports suggest that compromised websites are also joining the botnet. and, of course, web servers have a lot more power and speed than a typical home PC.
Many of the biggest names in the hosting business, from all around the world, have announced that their systems are being affected by this attack, which is slowing down their web servers. Having just looked at some blogs, UK2, HostGator, Host Europe and many others are reporting issues, so this is a truly global attack affecting almost every hosting company.
Whilst none of our client websites have been directly affected by this attack, we’ve noticed in the past few days that several of the websites hosted on our servers have, at times, been slower than usual. This is because of the pressure being put on the data centre we use and its links to the wider internet.
A similar attack was launched only recently against Spamhaus, described in a BBC News article as the “biggest cyber-attack of its kind in history”.
What security measures do you put into place?
For most of our Content Management System (CMS) websites, we use a specially customised version of WordPress exclusive to our customers. We also put into place a whole list of security measures to secure our websites much, much more than you’d find in the majority of other WordPress websites on the Internet.
Whilst we don’t go into specifics (we would be foolish to let our secrets out of the bag!), some of the measures we put into place include:
- Changing a lot of the default settings and configuration.
- Never using default usernames (like “admin”) or easily cracked passwords.
- Temporarily blocking users who enter a wrong username or password after a number of attempts.
- Protecting the CMS software files by putting a secondary level of password access in place (our clients will know they login using a generic username and password, before getting to the main login screen).
- Restricting access to areas of the website that the public don’t need to access or see.
- Blocking methods that are commonly used to hack and gain access to websites.
What are you doing about this attack?
At the moment our data centre technicians are doing all they can to minimise and fend off this attack, so you can rest assured there’s a whole team on the case. Hosting companies from around the world are sharing knowledge to understand this attack. We’re monitoring the situation carefully and keeping an eye on the uptime and load speeds of all our customer websites, as we do all the time anyway.
We’ve also not needed to make any immediate changes to the security on our own customer websites, as we already have a very high level of security in place, but that’s not to say we ignore what’s happening. We roll out upgrades silently several times per year to all our clients using our CMS.
What can I do myself to help improve security?
These general tips will help improve security when you use our CMS:
- Firstly, ensure you always use a strong strength password, i.e. one that includes capital letters, symbols and is a good length. This means it’s harder to guess and, especially for brute force password attacks like this, it makes it incredibly difficult for a malicious computer to gain access.
- Don’t use the same password for your CMS on other websites or online accounts. Your CMS password should be unique to your Primary Image CMS only, just in case your password gets compromised on another site.
- Install a good anti-virus program on your computer and make sure it’s being kept up-to-date automatically. There’s some really good free anti-virus programs available, so you’ve really got no excuse! This will help prevent malicious software spying on your passwords, plus it helps protect your computer from becoming part of a botnet.
Mike is the founding director of Primary Image. He specialises in the WordPress website platform and speaks regularly at national web design conferences. Mike became a member (MCIPR) of the Chartered Institute of Public Relations in 2015. Outside of work, his interests include photography and politics.