WordPress Sites Under Bot Attack
Websites running open source software like WordPress and Joomla have had a busy week. Last Friday morning saw the emergence of some serious bots scanning the internet looking for sites with ineffective passwords and security. (Ref nextweb article).
As the article noted. “One risk is that personal bloggers that set up WordPress installations might not have thought to set up a highly secure password”
Doubtless tens of thousands of sites have been compromised. Our own sites certainly felt the strain, but aside from needing to restart the database, remained intact. Most hosts worldwide were similarly affected. We also have a focus upon security, including using Cloudflare that stopped the bulk of the nasty bot traffic (graphs below).
So, what’s going wrong with WordPress?
Firstly, open source systems like WordPress and Joomla are both inherently quite secure. But it’s like getting in a car and not putting on your safety belt or closing the door. There are basic things a website owner needs to do. Like access to your business PC, the key one is around the use of strong passwords. Weak passwords using a common name are the primary method of gaining access to any CMS-based website, especially the admin password that allows access to most key files.
The fact that WordPress sites in particular are targeted is no surprise. WordPress.org sites are easy to establish by bloggers and companies using auto install scripts common with most hosting providers – Meaning that the basic security issues professional developers like myself take for granted, are often overlooked or not known about. We add in stuff that’s missing or can’t be included in the default auto install. e.g. use of external systems like cloudflare to provide filtering at the DNS level, plus host server security tweaks, plus custom htaccess files and various plugins. None of this is costly and takes care of the technical issues, making the site almost bulletproof.
But all this technology can be undone if the site owner or developer isn’t using strong passwords for the admin level access. This was the focus of the latest attacks. Not to find holes in WordPress technology which is quite robust, but holes in site administration. The problem is that once they have access it isn’t always a cheap process to fix. Often amateur-built sites don’t even maintain backups!
Good news, you’ve been hacked?
This was the heading of an article we wrote last year. It came at the problem more from a viewpoint of traffic and seo. i.e. The more popular your website is and able to be found in a search, the higher the likelihood of your site being attacked…
Often, those companies that say their site has never been hacked, is not necessarily that their platform or security is better, but more to do with the fact that they’ve done no SEO work, meaning they are essentially invisible online and neither new customers nor hackers can find them!
Bottom line is although it’s easy to get online with WordPress and run a successful DIY website, there are always inherent risks, primarily around keeping these nasties out, which make up around 20% of all website traffic. Having your site hacked is not always the fault of WordPress or even the host company (although some are better than others), but the lack of simple housekeeping by the website owner….
Our next WordPress Meetup we will make security the feature topic.