Zombie Attack!

Recently a colleague of mine showed me a letter they were sent from the webhost of their WordPress website. It looks like good advice. I plan to look into it and implement what is necessary.

===================================================

You are receiving this because our records suggest that you are associated with one or more WordPress websites that we host.

Background

During the week of April 14, we locked down access to all WordPress login pages. Our servers were receiving many requests from hundreds of zombie computers attempting to break into WordPress dashboards. Many other hosting companies were experiencing similar requests and some were being forced offline by the volume of requests. We decided to take emergency action to protect our servers from being forced offline.

Status of WordPress Login Abuse

This week, server logs indicate we are still experiencing several hundred attempts to log in to WordPress sites per day. This does not threaten our servers but still raises concerns and we are hesitant to remove the block that we have in place.

Locking the WordPress login protects our servers from login abuse, but is an inconvenience for WordPress website owners. Thanks for your patience and cooperation with our present policy of white-listing your IP address to regain access to your WordPress dashboard.

Recommendation: Implement Limit Login Attempts

We recommend that WordPress websites implement the Limit Login Attempts plugin. This plugin provides protection from zombie computers that attempt to gain access to your WordPress website by guessing your password, and discourages server abuse. When you have installed this plugin, let us know and we will remove the login block from your WordPress login page.

Security Alert: Cache Plugin Vulnerability

We have recommended the use of WordPress cache plugins, because they reduce server loading. This helps us provide consistent response during heavy server loads — which can occur if your website is experiencing unusual publicity. The two most popular cache plugins are Super Cache and W3 Total Cache. We recently learned that all former versions of both Super Cache and W3 Total Cache are vulnerable to hackers.

Recommendation: Install the latest Super Cache or W3 Total Cache

Now that this vulnerability is widely known, hackers will develop ways to exploit it. The authors of these plugins have updated them to correct this problem and it’s important to make sure that your website has the latest version, as shown below.

WordPress Super Cache version 1.3.2 of April 14, 2013

W3 Total Cache version 0.9.2.9 of April 17, 2013

Advice on Installing WordPress Plugins

WordPress plugins are easily installed from the WordPress dashboard. After installing, instructions for configuring and enabling plugins vary in clarity and ease of implementation. It’s best to read and follow instructions to avoid problems. For best results, have your webmaster implement and test these plugins for you. We are available to help with installing and upgrading plugins and the WordPress core if needed.

If you have not recently upgraded your WordPress, it’s possible that updates to plugins will require a WordPress update. In any case, this is a good time to update your WordPress to the current version. Keeping your WordPress and plugins up-to-date is your best protection from hackers.
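The letter above recommends the Limit Login Attempts plugin and mentions that server logs show hundreds of login attempts a day. As an added illustration (my own code, not the host's letter and not the plugin's source), the block below shows both halves of that recommendation in miniature: a per-IP failure counter with temporary, escalating lockouts of the kind such a plugin enforces, and a check over web-server access-log lines that counts `POST /wp-login.php` requests per source address. The thresholds, the log format, and the IP addresses are constructed assumptions for the example; a real deployment would tune the limits and read its real logs.

```python
"""Added example (not from the hosting company's letter): a minimal
"limit login attempts" policy plus a log check for the brute-force
traffic the letter describes. All thresholds and log lines are constructed."""
import re
from collections import defaultdict

# Policy assumptions for this example (not the plugin's actual defaults).
MAX_FAILURES = 4                 # failed attempts before a lockout
LOCKOUT_SECONDS = 20 * 60        # length of a normal lockout
ESCALATE_AFTER = 4               # lockouts before the long lockout applies
LONG_LOCKOUT_SECONDS = 24 * 3600 # length of the escalated lockout


class LoginLimiter:
    """Tracks failed logins per client IP and enforces temporary lockouts."""

    def __init__(self):
        self.failures = defaultdict(int)  # ip -> consecutive failures
        self.lockouts = defaultdict(int)  # ip -> lockouts so far
        self.locked_until = {}            # ip -> unix time the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]     # lockout has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed login; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        self.failures[ip] += 1
        if self.failures[ip] < MAX_FAILURES:
            return False
        self.failures[ip] = 0
        self.lockouts[ip] += 1
        long_lock = self.lockouts[ip] >= ESCALATE_AFTER
        self.locked_until[ip] = now + (LONG_LOCKOUT_SECONDS if long_lock else LOCKOUT_SECONDS)
        return True

    def record_success(self, ip):
        self.failures[ip] = 0             # a good login resets the counter


def simulate(attempts):
    """Replay (ip, unix_time, succeeded) tuples; return 'allowed', 'failed' or 'locked' per attempt."""
    limiter = LoginLimiter()
    outcomes = []
    for ip, t, ok in attempts:
        if limiter.is_locked(ip, t):
            outcomes.append("locked")
        elif ok:
            limiter.record_success(ip)
            outcomes.append("allowed")
        else:
            outcomes.append("locked" if limiter.record_failure(ip, t) else "failed")
    return outcomes


# Apache/nginx combined-format line; only POSTs to wp-login.php are counted.
# Caveat: WordPress answers a failed login with 200 (the form is re-rendered)
# and a successful one with a 302 redirect, so the status alone does not
# distinguish success from failure; request volume per source is the signal.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*" (\d{3}) ')


def login_post_counts(lines):
    """Return {ip: number of POST /wp-login.php requests} for the given log lines."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def suspicious_sources(lines, threshold=10):
    """IPs that posted to the login page at least `threshold` times (sorted)."""
    return sorted(ip for ip, n in login_post_counts(lines).items() if n >= threshold)


def _line(ip, sec, method="POST", status=200):
    """Build one constructed access-log line (documentation-range IPs)."""
    return (f'{ip} - - [15/Apr/2013:03:14:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3421 "-" "Mozilla/5.0"')


SAMPLE_LOG = ([_line("203.0.113.5", s) for s in range(12)]          # 12 rapid POSTs
              + [_line("198.51.100.7", 0, "GET"),                   # page view, not counted
                 _line("198.51.100.7", 20),                         # one failed attempt
                 _line("198.51.100.7", 40, status=302)])            # successful login

if __name__ == "__main__":
    print(login_post_counts(SAMPLE_LOG))
    print(suspicious_sources(SAMPLE_LOG))
    print(simulate([("203.0.113.5", t, False) for t in range(5)]))
```

Running the block reports the single noisy source from the sample log and shows the limiter turning the fourth consecutive failure into a lockout that then rejects the fifth attempt; the same replay can be pointed at real log lines once the regular expression matches the server's log format.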
