Form a Brute Squad [Inbound Marketing Inquirer]

wordpress

WordPress sites are currently under assault from massive brute force attacks from malware-infected servers. This week’s Tip Jar provides details about the attack and how to protect your site.

Tip Jar: Form a Brute Squad


Brute Force Attack

Last week, I had several clients contact me with complaints about poor website performance. I contacted the hosting company, Hostgator, several times, and then on Thursday they pointed me to a blog article about a massive brute force attack that had been underway for more than a week. The next day, Cloudflare announced that they had seen it too and were patching the Internet in real time.

The attack is using a botnet (a group of computers infected with malware) to attempt what are called brute force attacks against WordPress sites. This means that they are running scripts that attempt to log in by guessing the administrator username and password. Here’s a statement from WordPress inventor Matt Mullenweg:

Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
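Why a per-IP throttle misses a botnet like the one described above, and what a site owner can measure instead, as an added example (not code from the newsletter, WordPress or Cloudflare): it parses a few constructed access-log lines, shows that no single IP trips a per-IP limit, and then measures the aggregate rate of POSTs to wp-login.php across all sources.

```python
"""Distributed wp-login.php brute-force detection over access-log lines.
Added example, not code from the newsletter or any named product;
the log lines are constructed in Apache/nginx combined format."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: five bot IPs POSTing once each, plus ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*"')

def login_posts(log_text):
    """Return [(ip, timestamp)] for every POST to /wp-login.php (query string ignored)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == "/wp-login.php":
            hits.append((m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")))
    return hits

def per_ip_offenders(log_text, limit):
    """Classic throttle view: IPs with more than `limit` login POSTs."""
    counts = Counter(ip for ip, _ in login_posts(log_text))
    return sorted(ip for ip, n in counts.items() if n > limit)

def aggregate_peak(log_text, window_seconds):
    """Peak login POSTs from *any* source in a sliding window, plus the number
    of distinct IPs.  A high peak spread over many IPs is the distributed
    pattern a per-IP limit cannot see."""
    hits = login_posts(log_text)
    events = sorted(ts for _, ts in hits)
    window, peak, start = timedelta(seconds=window_seconds), 0, 0
    for end, ts in enumerate(events):
        while ts - events[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak, len({ip for ip, _ in hits})
```

With the sample, `per_ip_offenders(SAMPLE_LOG, 1)` is empty because every IP posted only once, while `aggregate_peak(SAMPLE_LOG, 10)` reports six login POSTs from six IPs inside ten seconds, which is the signal worth alerting on or handing to an upstream filter.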

Other Tools

Even if you’ve protected your administrator accounts as recommended, that doesn’t stop the login attempts from reaching your server, so they can still slow your website’s performance. Using a service like Cloudflare can help because it identifies and blocks the traffic before it even reaches your server. I can’t recommend this service highly enough. I’ve been using it on all of my WordPress sites for years and it virtually eliminates comment spam. The reason it’s so effective, again, is that it sits between the Internet and your server: it can fingerprint traffic that comes from these botnets and block it before it ever reaches you.

Another free tool is a malware scanner called Sucuri. It will scan your server for malware and tell you if it’s been hijacked or infected.

Summary

To recap, you’ll want to take these three steps if you manage a WordPress site:

  1. Be sure that you’re using a secure administrator account
  2. Scan your site with Sucuri to make sure it’s not infected
  3. Use Cloudflare to protect your server from malicious attacks

Reading List

How Creating Crawlable Landing Pages Increased Quality Score

Quality Score is an important metric that helps determine how expensive your Google AdWords clicks will be. A lower score means you’ll spend more. This article helps decode some of the mystery around this score and can help lower your average CPC.

Read more…

13 Unconventional Landing Page Strategies To Increase Conversions

“Similar to the banner blindness phenomenon, sticking to the traditional methods (like linking to your homepage from your Twitter bio) is extremely predictable from a new visitor’s perspective, and leads to what I call brand blindness. What follows are 13 unconventional landing page strategies that, if used well, will break your visitors’ expectations on first visit, making them more receptive to what they find on the page and lead them into a flow through your site.”

Read more…

Email Optimization: A single word change results in a 90% lift in sign-ups

One of the most testing-oriented sessions at MarketingSherpa Email Summit 2013, recently held in Las Vegas, was a presentation by Michael Aagaard, Copywriter and self-described test junkie, ContentVerve. Michael offered the audience 12 test case studies in 30 minutes in a talk titled, “How to Optimize and Test: Calls-to-Action for Maximum Conversions.”

Read more…
