April 2013 – WordPress Attacks Worldwide

[reprinted from the SweetLife Security website]…

April 12, 2013. If you have a WordPress site, apparently for over a week, some hacker network of 90,000+ compromised machines (probably hacked wordpress sites) around the globe are launching brute-force attacks on WordPress sites like many small businesses use.
Hackers these days aren’t usually some teenager wanting to simply deface your site with ugly things, for fun.


Hacking is big (criminal) business. The hacking operation actually finds ways to get into unprotected websites, and then installs (hidden) code there which runs programs, to find more unprotected sites. You can locate most wordpress sites simply by going to the site, viewing page source, and near the page top see if they have some directories named “wp-content.” Pretty easy, right?
So they find the wordpress sites (automatically), and then there are ways to get inside, even without the passcode. One way is to go to the usual login page and assume that most people haven’t bothered to change the default username, and so the name of the administrator is usually still “admin.”
That means that the hacker program can simply try to log in, over and over, using the name admin. Now a wordpress site which has not been “hardened,” will simply report “That’s the wrong passcode.”  And this means the hacker has just been confirmed that the username is correct.
So the hacker program simply tries one passcode after another, going through the dictionery, after trying passcodes that people often use such as “passcode” or “12345”. After some hours or some days — computers are very fast — the passcode is often found.
And right now 90,000 compromised computers are banging away, 24 hours a day, running these programs to find and get into a WordPress site. Like yours, perhaps.


Because, after spreading out in order to create a huge network, they install other hidden programs. The most common ones are (a) programs to relay spam, and (b) programs to install “thief” programs onto your site-visitor’s computer. After your site visitor goes away, the hidden thief program watches his keystrokes, and after he logs into bank of america or uses a credit-card online, the thief program simply sends the information off to hacker headquarters, and soon your site’s visitor finds huge charges on his creditcard bill or bank-withdrawals.
These hacker networks are the largest danger to your website — if they get your site to send spam or steal credit-card info, you can be blocked forever by Google, your own email can become blocked by the spam-police because your site looks like the spammer, and technically you are legally liable for the damages to anyone whose credit-card or bank information has been stolen.
This is crime, folks. They are in the crime business, and fully intend to mug your website.


Maybe, if you’ve used a really easy password like “password” or “12345.”  You also should avoid words that occur in the dictionary  because these are so commonly used as passwords, hackers simply provide a list of the dictionery words to their hacking programs, and the hacking program will use ALL the words in the dictionary. If your word is in the dictionary, you are very vulnerable.
Now even if you have a really good password, your website can suffer from this kind of attack, because your website’s server is being battered with these repeated requests, and it slows way down. You may not be able to log in or see your pages simply because the website’s server is running so slow.


First, to avoid being compromised, change to a smart password immediately. Here are two methods —
1) Go to http://sandbox.coderlab.net/rpg/index.php.  Click “Alphanumeric,” length = 25 characters, and special-characters = yes. It will then generate a truly random password that looks like this —
   This type of password is really, really slow to crack.
   The problem is, it’s also really hard for you to remember. If you are using RoboForm or LastPass — programs which store and automatically retrieve passwords for you — then you merely save it to RoboForm or LastPass.  Still, just in case, better have a place you can safely keepit, just in case, just in case.
2) Make a password that makes sense to you, but does not consist of dictionery words, and it’s long. For example
     take a childhood sweetheart or a favorite pet from early days … Alice … and change the upper/lower and substitute some numbers for letters … aL1c3
     then take a word you use that’s not really a word … zoids! and stick that in with some upper/lower changes   … Z01DS
     then interleave some underscores and previous addresses … and you come up with something like …
     Some combo made up like this can actually be remembered, but it’s pretty hard to guess


The problem is that while you’re being attacked, your website slows to a crawl.
And attacking the password is only one of the methods. Anyone who can search on youtube can find a dozen ways all spelled out in tutorial videos.
The true answer —
A) Have REAL backups, lots of them.
B) HARDEN the MANY PLACES where WordPress is vulnerable.


Having REAL backups does NOT means the so-called “backup” which your hosting company provides. Yes, it’s complete, and it’s done once per week. But if you fail to learn about the hack, or if you learn shortly before the scheduled backup, then the hacked site will be “backed up” which wipes out any earlier backups of your correct site. So the hosting company’s backup is usually useless.
Likewise the “backup” provided by wordpress saves only your post content and loses pictures, themes, settings.
A real backup is either a “full cpanel backup” made now and then and saved to your own computer … or … security-minded web-development companies like SweetLife Marketing have special programs which create full backups that can recreate the entire site, and we save multiple copies over time, to our office, to a backup server in another state, or perhaps into the Amazon Cloud servers.


Although we have better methods now, we used to run a simple security scan. And the results could be surprising!
(I recently ran the scan on all the websites listed for members of the Chamber of Commerce in Mt. Shasta. Of the 205 websites listed, 49 of them were wordpress websites. Of those 49, only one passed the simple 8-point security scan.
If you want to take out insurance, and protect your website, you can arrange to have your WordPress website “locked up.”
But that’s a story for another time.    🙂
— Ace Ventura


“The reason crime doesn’t pay is that when it does, it is called by a more respectable name.” — Laurence Peter



Get the Book: $15.95 or Free!

Marketing Online made Clear and Simple for Local Business

Ace Ventura, SweetLife Marketing Group Principal, has written a book that helps business owners discover the clear and simple formula for using their website to increase profits. Marketing Online Clear and Simple comes with a complete video series that shows you click-by-click how to do it. Available on Amazon in print and Kindle formats for $15.95, OR included FREE with our SweetLife Profit-Mapping Session or Profit-Maximizer Audit.

To download sample chapters and video, submit your name and email below.

Your Name
Your Email




Helping your Business Prosper ... for the Life you Love

If you yearn for a simpler life, and would benefit from increased income, you have come to the right place. Our team of Income-Creation Specialists at SweetLife Marketing Group can promote your business, walk new customers through your door, and uncover hidden income presently untapped.

And you? You can focus on what you do best, attain the life you love, and enjoy living the entrepreneurial dream you always knew you could achieve.

Read More