6 Things You Need To Do Today To Protect Your WordPress Blog From “Large Scale Attack”
According to Daring Fireball and his sources in the WordPress community, there is a “large scale attack” against WordPress going on right now. As far as I can tell, this attack involves malicious code being put on sites (sounds familiar) and the only way to make sure that your WordPress site doesn’t become one of the many sites that have already been attacked is to immediately upgrade to the most recent version of WordPress. Please DO NOT panic, but, if your site runs on WordPress, PLEASE DO take the following steps to protect your blog. Also, please note that if you are already running WordPress 2.8.4 (the latest version of WordPress), you are safe from the attack. So breathe easy. If not, please take the following steps, and read these words on WordPress security by WordPress creator, Matt Mullenweg.
- Update to WordPress 2.8.4 immediately. The only version of WordPress that is immune from the attack underway is reportedly the most recent version of WordPress (2.8.4). If you are running an older version of WordPress, you should update this software immediately–if you are not sure how to do this, visit your web hosting company’s site for information on how they handle upgrades. It may be something you can do automatically from their cPanel interface, or you might have to do it through FTP. But either way, there should be clear instructions on how to do this available.
- Change all passwords immediately. You should change all of your WordPress passwords to a strong password (e.g. using symbols and capital letters) immediately–this includes all users, database, FTP, control panels, etc.
- Do not rely upon a plugin to protect you. Apparently, the only way to protect against this particular attack is to upgrade WordPress. You need to do that before you install any plugins that are supposed to help with security.
- Confirm that your site has not already been attacked. The easiest way to confirm whether your site has been attacked is to look for one of two things: 1) strange additions to your permalinks that include various jumbled symbols and letters, or the keywords “eval” and “base64_decode”; and/or 2) a mysterious user account called “administrator (2)” or some other account you do not recognize. If you find either of these, you can visit this link for a possible solution.
- If your site has been hacked, you need to export all of your content but not your database. This attack modifies the database itself, so you do not want to simply export your database to another installation. You will have to create a new database and put all of your content into it. Again, exporting your content is something you should be able to do through your WordPress dashboard; then back up all of your WordPress themes, images and files.
- Upgrading is way easier than doing all of that. If you are hesitant to upgrade, let me assure you: upgrading your WordPress version is far easier than dealing with reinstalling WordPress with a new database and importing your information. So just do it–better safe than sorry.
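The two checks from the “confirm that your site has not already been attacked” step (a tampered permalink structure and an administrator account you did not create), as an added example that is not from the original post: it runs the queries against an in-memory SQLite stand-in for `wp_options`, `wp_users` and `wp_usermeta` built from constructed sample data, and on a real site you would point the same queries at your MySQL database with your own table prefix. The set of characters treated as legitimate in a permalink structure is an assumption.

```python
import re
import sqlite3

# Keywords the post tells you to look for in a tampered permalink structure.
SUSPECT_KEYWORDS = ("eval", "base64_decode")
# Assumption: a legitimate structure uses only %tags%, slashes, words and -_. separators.
LEGIT_PERMALINK = re.compile(r"^[A-Za-z0-9%/_.\-]*$")


def check_permalink(conn, prefix="wp_"):
    """Return findings about the permalink_structure option (empty list if clean)."""
    row = conn.execute(  # prefix is operator config, hence interpolated into the table name
        f"SELECT option_value FROM {prefix}options WHERE option_name = 'permalink_structure'"
    ).fetchone()
    value = row[0] if row and row[0] else ""
    findings = [f"permalink_structure contains '{k}'" for k in SUSPECT_KEYWORDS if k in value.lower()]
    if not LEGIT_PERMALINK.match(value):
        findings.append("permalink_structure contains characters no normal structure uses")
    return findings


def unexpected_admins(conn, known_admins, prefix="wp_"):
    """Return logins that hold the administrator role but are not in known_admins."""
    rows = conn.execute(
        f"SELECT u.user_login FROM {prefix}users AS u "
        f"JOIN {prefix}usermeta AS m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{prefix}capabilities' AND m.meta_value LIKE '%administrator%'"
    ).fetchall()
    return sorted(login for (login,) in rows if login not in known_admins)


def build_sample_db(tampered):
    """Constructed in-memory stand-in for the three tables (sample data, not a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);""")
    permalink = "/%year%/%postname%/"
    if tampered:  # junk of the shape the post describes, appended after the real tags; not a payload
        permalink += "%&(eval(base64_decode(x)))&%"
    conn.execute("INSERT INTO wp_options VALUES ('permalink_structure', ?)", (permalink,))
    admin_caps = 'a:1:{s:13:"administrator";b:1;}'  # WordPress's serialised administrator role
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)",
                     [(1, "alice"), (2, "administrator (2)" if tampered else "bob")])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)",
                     [(1, "wp_capabilities", admin_caps), (2, "wp_capabilities", admin_caps)])
    return conn
```

Pass `unexpected_admins` the set of administrator logins you created yourself; anything else it returns is the kind of account the post says to treat as a sign of compromise.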