I am a customer with WiredTree for quite a while now and I wanted to tell you about my recent experience with them. My web hosting itself has seen many moves over the years. I started out with shared web hosting at some smaller hosts, but back in 2003 I opened a reseller account with HTTPME.com. Then one of my websites grew and grew and I needed a dedicated server. I sold that website in 2009 for a nice 5-digit price tag and retired the dedicated server. I still had my reseller accounts with HTTPME the entire time. [Read more…] about My WiredTree VPS was upgraded for FREE Or how I am saving $400 per year
Archives for June 2013
In my recent article here I showed you how to secure your WordPress installation. WordPress is a very popular blogging and content management software. It has grown a lot over the years and the more it became popular the more it became a target for sophisticated attacks from hackers and criminals. So, it is extremely important that webmasters like me and you keep their WordPress installations up to date and secure.
WordPress has been target of many sophisticated attacks, but not too long ago some hackers went back to the basics (so to speak) and they are attempting brute force attacks against the login pages of a WordPress installation. These hackers took control of over 100,000 computers – most likely some sort of a bot net – and they are using these computers and their Internet IP addresses to run automated attacks against other websites.
As an example, my own website (http://www.webhostingresourcekit.com) uses WordPress. I am not using it as a blogging software, but more like a content management system as you can see. When I noticed the increase in attacks against my website I took additional action. I had already secured WordPress through plugins and other measures, but I did not want to risk to become victim of a brute force attack. So, I added the extra protection by forcing an additional layer of password protection onto my WordPress login and administration area. These 2 layers are independent from each other and even if one would guess the first level user ID and password, it makes it much more difficult to start automated attacks. I am not saying it is impossible to hack my website, but it takes care of most automated attacks. Online security is like security in real life. You can protect your house with extra locks, motion detectors, a sophisticated security system, and a lot of other security measures, but if someone wants to break in they will still break in. However, the common thief will fail and it will take more a more sophisticated criminal to get past the extra layers of security. The ROI for such an endeavor has to be worth the additional effort and most people will simply shy away and pick easier targets (aka somebody else’s house). The same strategy applies to your website (or mine for that matter).
The attackers mentioned above are running dictionary attacks against WordPress. They use common knowledge that the default user ID for most installation is called “admin” and they know that too many people are not using complex passwords, but passwords based on words found in common dictionaries. They combine the “admin” user account with easy to guess passwords and then run their sophisticated attacks from over 100,00 hijacked computers so that it is almost impossible to block these attacks based on where they come from.
So, when I wrote my tutorial on how you can secure your WordPress installation with just a few simple steps I did look at my website statistics and posted a screenshot to show the number of attacks. After just 2 days my website had recorded over 4,500 attacks. A day later I took another look and the number had more than doubled. Over 10,000 dictionary based attacks in roughly 3-4 days – that is quite a bit. For one if I would have used an easy to guess password my website would have been open for the attacker, but secondly these attacks also add load to my web server. Load means that the website slows down and makes the visitor experience less pleasant. The load issue is secondary, but still important.
Here is an article by Forbes magazine that describes the same situation I am talking about. They mention 90,000 IP addresses, while I have seen other reports mentioning over 100,000 IP addresses. At that level it does not matter. But when even the mainstream media starts writing about it, the issue should not be ignored. The article at Forbes shows a few steps on how to secure your website and it is a good start, but do not stop there. It pays off to go the extra mile when it comes to security.
One of my more popular websites is using WordPress. I am using a specific security plugin to protect the website and every once in a while I received a notification from the plugin that somebody had tried to access the administrator section of WordPress, but the plugin had it blocked. This functionality became even more important with the recent increase in attacks against WordPress. While my web server is already very secure thanks to Wiredtree (affiliate link), it is up to each Webmaster like yourself to further protect your website based on which software you use.