WordPress Security Notice (April 2013)

For customers who use WordPress on their site: (not sure if you use WordPress?)

There has been a concerted effort by groups of hackers worldwide to break into WordPress sites and use them to distribute spam and/or make attacks on other servers. According to researchers, unnamed attackers “are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a ‘botnet’ of infected computers that’s vastly stronger and more destructive than those available today.”

We have been taking steps to prevent these break-ins, but there are some steps that require action on your part.

Steps we suggest you take immediately:

  1. If you use the ‘admin’ login, remove it. This default username is the one that is being targeted in the attacks. Create a new account with administrative rights, then log back in as the new user, delete the old ‘admin’ account, and assign all of the posts in that account to the new user.
  2. Update your administrative password to something more difficult to guess. A secure password is a mix of at least eight uppercase and lowercase letters, numbers and ‘special’ characters (^%$#@*)!

Additional safeguards to consider:

  1. Update WordPress: Many hackers exploit holes that have been identified in older versions of WordPress, so keeping your install up to date is another easy way to avoid trouble, though this is not as immediately relevant as the above two action items.
  2. Install a Security Plugin: Using something like the Better WP Security plugin is probably a good idea in general, though it won’t do anywhere near as much in this case as the suggestions higher up the list. To limit login attempts, also consider this plug-in.

Please note: if you cannot log in to your WordPress site, it is possible our server may have temporarily 'locked' your login due to attack attempts. Generally the login access is restored automatically within 4 hours.
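
Why a lockout that counts attempts per address is not enough when the guesses come from tens of thousands of addresses, shown as an added example (not part of the original notice and not our server's own tooling). The log lines are constructed, the thresholds are hypothetical, and it assumes WordPress answers a failed login POST with 200 and a successful one with a 302 redirect.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format (documentation IPs, not real
# traffic): eight failed logins from eight different addresses, then one successful login.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.{i} - - [12/Apr/2013:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "-"'
     for i in range(1, 9)]
    + ['198.51.100.20 - - [12/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
       '198.51.100.20 - - [12/Apr/2013:10:01:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "-"'])

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Return time-sorted (time, ip) pairs for failed WordPress logins.

    Assumption: a failed login is a POST to wp-login.php answered with 200
    (the form is shown again); a successful one is answered with a 302 redirect.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            events.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    return sorted(events)

def summarize(log_text, per_ip_limit=5, site_limit=5, window=timedelta(minutes=5)):
    """Compare a per-address lockout with a site-wide failure count (hypothetical limits)."""
    events = failed_logins(log_text)
    per_ip = Counter(ip for _, ip in events)
    peak, start = 0, 0
    for end, (when, _) in enumerate(events):  # sliding window over all addresses
        while when - events[start][0] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "failed": len(events),
        "distinct_ips": len(per_ip),
        "per_ip_lockouts": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        "peak_in_window": peak,
        "site_wide_alert": peak >= site_limit,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, no single address reaches the per-address limit, yet the site-wide count does, which is why the username and password changes above matter more than attempt limiting alone.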


Does my site use WordPress?

WordPress is not installed by default. It is a program that can be installed to create and manage websites using WordPress templates. If you use WordPress, you log in to a directory called /wp-admin

Your login page looks something like this: