WordPress Botnet Attack

The recent attack on WordPress sites has given me pause to look again at my security.

As I already use Cloudflare, among other security measures, the inbuilt weaknesses seem to have been protected. That is, there is no sign of the site having been compromised.

All of that said, I took on board the point being made about the default login. A long time ago, when I first set this place up, it defaulted to “admin” as the username. Interestingly, changing it is not an option as WordPress stands. A bit of an oversight, I’d have thought. The only way you can get around this is to create a new user with full administration rights and a different username and delete the old profile – remembering to associate all posts to the new profile. Which is fine and it worked. What has happened is that the Gravatar associated has not carried on over for the old comments. This, despite the same nickname and the same email address.

Odd, that.

———————-

Update: That’s even odder. It’s cured itself…

6 Comments

  1. Populis had downtime today (DoS I assume) just when one of my blogs was within reach of the million views landmark. Oh well, it will happen tomorrow.

    I’ve never much cared for WordPress, a lot of the site features seem very sloppy.

  2. So that’s what happens when you delete the admin user. I was worried I had to change every post manually to a new user. Will get on and do that now.

    PS How does Cloudflare help?

  3. Yes, I know what you’re going to say: you’ll renew the membership fee of the site if I don’t like it, but…

    …this new appearance looks a mess.

    • It’s the theme update. Unfortunately I can’t roll it back. At present, I haven’t the time to trawl about looking for another one, so it’ll have to wait.
