WARNING


This morning I received this email.

Dear Patricia R,

Do you have a WordPress account with us? If so, we wanted to let you know about an attack on WordPress sites that started earlier this week, what we've done to combat it, and what you can do to protect yourself.

On Tuesday, a widespread "brute force" attack against WordPress started impacting sites across the internet. This attack is leveraging a botnet, which looks to have more than one hundred thousand different computers at its disposal. Its intent is very simple: to find and compromise WordPress sites with simple passwords, likely to use them later to distribute malware (and further increase the size of the botnet).

Over the past few days, we've made a number of changes to our network and infrastructure designed to mitigate the impact of this attack on our customers' websites. Continue reading for a detailed account of what we've done »

Also, and we can't stress this enough, we urge you to check your WordPress password and make sure it's a strong one. The strong password guidelines in our Knowledgebase refer to your iPage account password, but that advice is good for WordPress passwords, too!

We head into the weekend in good shape, but vigilant against a returning or altered attack. For those of you who have been impacted by these attacks, or our attempts to combat them, we do apologize for any service disruption. We also apologize for a longer-than-normal response time over the last few days while we've had "all hands on deck" addressing this issue. We appreciate your patience and understanding.

Sincerely,

The iPage Team

Recent Comments

All web hosts across the world are experiencing this DDoS attack.
The web host I use has implemented its own protection by creating another login page.
It is a nuisance but at least my websites are protected.
You shouldn't need to do anything yourselves as this should be covered by your web host provider.
Neil

I hope this happens to iPage. I can't get into one of my sites.

Sorry I haven't replied. I arrived back home and found that I didn't have an internet connection. Now I find the discussion has gone on without me. Good. There is a lot of wonderful information here now.

I find that I can't get into my iPage website.

Indeed this is serious business! Anybody have a favorite plugin to use for protection?

I wouldn't recommend any of the add-on *security* plugins. It's worth remembering that WordPress is open source and anyone can create a plugin and list it. In the past some have opened their own gaping holes after other updates or have actually been trojans which were created deliberately to give backdoor access to outsiders. I've seen some that have locked people out of their sites, added adult entertainment advertising or diverted affiliate traffic. The best advice is the simplest: ensure your User Name and Password are both strong and hidden http://www.apinapress.com/security/ and that you only use other plugins that are recommended by people you trust 100% and who are themselves using them on a daily basis. Rich. x

Thank you, @Rich ! That is very helpful information!

The only plugins I would personally use are certified plugins, if there is such a thing.

Barring that, there is a history of ethical programmers that are on WordpressDotOrg that also have discussions about the "favourite" downloaded plugins.

These are things to look for when adding any theme or plugin.

Keep in mind also when you're purchasing or downloading anything from an internet marketer, they also boast about outsourcing their work to leverage their business. Right? Well who are they outsourcing to and who is that outsourcer working with or leveraging also?

A vicious circle to keep in mind!

Who knows what you're getting in the end?

Also keep your PC clean of spyware etc. Keyloggers are out there as we speak, and a good antivirus will keep things running smoothly, hopefully not slowing things down too much. lol

Kal

As far as the key loggers go, I would advise using a password program so they can't follow your keystrokes.

Thank you Patricia. My site is okay. Hope all remain safe with a good password and gravatar username. Authentication with Google app is a good idea too.

Hi, Patricia. Thanks for this alert. I have hopefully made my site a bit more secure by changing around my admin info as suggested.
Marie

Thanks for the heads up, Patricia.

Thank you for this, Patricia :)

Just ran across this article which seems to cover similar stuff but also mentions a couple of extra precautions (security plugin and a free blocking service).
http://www.forbes.com/sites/anthonykosner/2013/04/13/wordpress-under-attack-how-to-avoid-the-coming-botnet/

Thanks, this is quite good :)

Whatever you do, do NOT use "admin" as your login.

Apparently WordPress is easy to hack; that is not fun to know.

There are workarounds for this by changing certain file names in WordPress, but those that have lots of sites are better off having a WordPress manager where they can install security plugins to do all this for them.

I am seriously thinking of just doing HTML sites from now on; they are easy to do and they load fast on Google too!

Kal

I recommend everyone follow Dean's (@apina) training regarding WordPress User Name and Password security at http://www.apinapress.com/security/ Rich. x

This is a wonderful site with a lot of information.

I'm sure Dean would love to get a word-or-two of appreciation on his profile if and when you have a sec. :) https://my.wealthyaffiliate.com/apina

Done! It is beautiful too.

I just visited Dean's site very briefly and it is nicely laid out from an informative standpoint.
I also like the layout of the site or the look and feel, very WordPress friendly! :)

Kal

Cheers Rich :)

Thanks, Rich. I checked out Dean's WP security blogs earlier and followed his directions for making my site more secure. However, instead of just "neutering" my original Admin user, I added a new user and assigned it Admin responsibilities, transferred over all old admin posts (and attributed all new posts/links) to my new Admin user, and then deleted the old Admin user.

Dean rocks!
