WordPress Security – Update Your Plugins
Wordfence announced this week that they saw the largest distributed brute-force campaign since their service was set up.
The WordPress security company suggests that a possible explanation for this attack lies in the publication of a massive database of hacked credentials on the dark web on the 5th December.
On December 5th, a massive database of hacked credentials emerged. It contains over 1.4 billion username/password pairs. Approximately 14% of the database contains credentials that have not been seen before. The database is also searchable and easy to use.
The reason for this attack has become clear in recent days – to mine cryptocurrency (think Bitcoin). We can assume this type of attack will become more prevalent, given the current skyrocketing value of various cryptocurrencies.
How can you avoid getting hacked?
Use strong and unique passwords for every site
One of the elements we discussed in a previous post, WordPress Security Tips, was to ensure the use of strong passwords. The above breach underlines this point.
Best practice is to ensure that you don’t use the same password for all sites, to enable two-factor authentication where it is available, and to use a password manager if you are not able to remember a unique password for every site.
Keep your plugins and main WordPress core up to date
One of the main reasons that plugins and the WordPress core software are updated is to patch identified security flaws. If you don’t keep them up to date, you are susceptible to attack.
For example, when you purchase a WordPress theme from one of the various online theme marketplaces, it is often bundled with plugins. These are often overlooked and not updated. TimThumb is a good example of this: it is an image-resizing script which is no longer supported or updated but is still found on many WordPress installs.
Along with TimThumb, a report by Sucuri suggests that outdated versions of Gravity Forms and RevSlider contribute to a high number of security incidents and vulnerabilities with WordPress sites globally.
Action – Check if your WordPress site has TimThumb; if it does, remove it. If you have a theme or plugin that hasn’t been updated in a while and is no longer supported, I’d recommend you look for alternatives. Sure, it’s a bit of a pain locating an alternative, but that is nothing compared to the inconvenience and reputational damage of having your site hacked.
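The two checks recommended above can be scripted on the web server itself. The following shell script is an added example written for this post, not code from the original article or from Wordfence or Sucuri. It assumes the WordPress root directory is passed as the first argument, that TimThumb copies are usually shipped under the file names timthumb.php or thumb.php, and, as a heuristic, that a renamed copy can be spotted by the string "TimThumb" inside a PHP file. It also reads the "Plugin Name:" and "Version:" header lines that every WordPress plugin declares, so you can compare the installed version with the marketplace listing; it does not itself know whether a newer release exists.

```shell
#!/bin/sh
# Added example (not from the original post): locate TimThumb copies and list
# installed plugin versions in a WordPress install. Assumes the WordPress root
# is passed as $1. File names and the "TimThumb" banner string are a heuristic
# (assumption): review the hits before deleting anything.

# Print every file that looks like TimThumb under the given root.
find_timthumb() {
    root="$1"
    # Match by the names TimThumb is usually shipped under...
    find "$root" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \)
    # ...and by the "TimThumb" string inside any other PHP file (case-insensitive),
    # which catches copies that a theme author renamed.
    find "$root" -type f -name '*.php' \
        ! -iname 'timthumb.php' ! -iname 'thumb.php' \
        -exec grep -il 'timthumb' {} \;
}

# Print "<plugin name><TAB><declared version>" for each plugin directory.
list_plugin_versions() {
    root="$1"
    for dir in "$root"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        # The plugin's main file is the one carrying a "Plugin Name:" header line;
        # the header may be written as "Plugin Name:" or " * Plugin Name:".
        main=$(grep -l '^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:' "$dir"*.php 2>/dev/null | head -n 1)
        [ -n "$main" ] || continue
        name=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:[[:space:]]*//p' "$main" | head -n 1)
        version=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$main" | head -n 1)
        printf '%s\t%s\n' "$name" "${version:-unknown}"
    done
}

# Usage: sh wp-check.sh /var/www/html   (hypothetical path to the WordPress root)
if [ -n "${1:-}" ]; then
    echo "== Files that look like TimThumb under $1 =="
    find_timthumb "$1"
    echo "== Installed plugins (name, declared version) =="
    list_plugin_versions "$1"
fi
```

Run it as the web server user or root so every theme and plugin directory is readable. A plugin whose declared version is far behind the marketplace listing, or whose listing has not changed in years, is the case the post describes; on a host with WP-CLI installed, `wp plugin list --update=available` gives the same comparison against the official plugin directory, but only for plugins distributed there.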