Monthly Archives: April 2013

WordPress Security Advisory: Harden Your Admin Login

There has been news lately of a distributed attack against WordPress sites. A growing botnet has been running dictionary attacks against sites powered by WordPress, in an effort to gain access to the admin panel and infect the server. As is usually the case with botnets, infected servers are assimilated into the pool of compromised systems that make up the botnet and put to use for nefarious purposes such as DDoS attacks.

It’s important to note that this is not a WordPress security flaw, but rather an attempt to systematically guess passwords.

The attacks consist of simple POST requests to wp-login.php with a supplied username of admin and one of many simple, insecure passwords. I’ve noticed plenty in my logs, including rainydays, sophie1, and wordpress. The requests come from a rotation of IP addresses in the botnet, making it difficult to block them outright.

It’s easy enough to protect yourself from the attacks, providing you follow some simple best practices.

1. Get Rid of the Admin User

Historically, every WordPress installation would come with an administrative user named admin, which was created during the setup process. In more recent versions, the setup screen prompts you to choose your own username instead of providing a default. Check the Users screen in your WordPress backend to see if a user named admin exists. If it does, you should replace it with a profile that has a unique name, ensuring that the new account has administrative privileges.

Having a user account with that default name is a bad idea, because numerous attacks over the years have operated under the assumption that the operators of many WordPress sites will have been too lazy to change it. The current attack only tries passwords for a user named admin, as well, so ensuring that such a user does not exist will go a long way toward protecting your site.

Continue reading →
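The excerpt above describes the pattern a site operator actually sees: POST requests to wp-login.php, spread across a rotating pool of addresses so that no single IP stands out. The following script is an added example, not code from the original post, that runs two detection rules over constructed Apache combined-format log lines: the classic per-IP failure count, which the rotation defeats, and a site-wide count of failed logins per time window, which catches the distributed burst. It assumes that WordPress answers a failed login by re-rendering the form with HTTP 200 and a successful one with a 302 redirect; the IP addresses, timestamps and thresholds are made up for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample access-log lines in Apache "combined" format (not taken
# from the original post). Eight POSTs to wp-login.php arrive from eight
# different addresses inside half a minute; ordinary traffic follows.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.11 - - [13/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.12 - - [13/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.13 - - [13/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.14 - - [13/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2013:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.15 - - [13/Apr/2013:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.16 - - [13/Apr/2013:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.17 - - [13/Apr/2013:10:00:27 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2013:11:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def failed_login_attempts(log_text):
    """Return sorted (timestamp, ip) pairs for failed logins.

    Assumption: WordPress re-renders the login form with HTTP 200 on a bad
    password and answers a successful login with a 302 redirect, so only
    POSTs to wp-login.php with status 200 are counted as failures.
    """
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == "/wp-login.php" and rec["status"] == 200):
            attempts.append((rec["ts"], rec["ip"]))
    attempts.sort()
    return attempts


def offending_ips(attempts, per_ip_threshold=5):
    """Classic per-source rule: addresses with at least per_ip_threshold failures.

    Against a botnet that rotates addresses this returns nothing, because each
    address contributes only one or two attempts.
    """
    counts = Counter(ip for _, ip in attempts)
    return sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)


def distributed_bursts(attempts, window_seconds=60, threshold=5):
    """Site-wide rule: fixed windows whose total failures reach the threshold.

    Returns (window_start_epoch, attempt_count, distinct_ip_count) tuples; a
    high distinct-IP count alongside a high attempt count is the signature of
    a distributed dictionary attack rather than one misbehaving client.
    """
    buckets = defaultdict(list)
    for ts, ip in attempts:
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start].append(ip)
    return [
        (start, len(ips), len(set(ips)))
        for start, ips in sorted(buckets.items())
        if len(ips) >= threshold
    ]


if __name__ == "__main__":
    found = failed_login_attempts(SAMPLE_LOG)
    print("per-IP offenders:", offending_ips(found))
    for start, n, distinct in distributed_bursts(found):
        when = datetime.fromtimestamp(start, tz=timezone.utc)
        print(f"burst at {when:%Y-%m-%d %H:%M:%S}: {n} failed logins from {distinct} addresses")
```

On the sample data the per-IP rule reports no offenders, while the windowed rule reports one burst of eight failures from eight distinct addresses. Access logs do not record the POST body, so the username being tried (admin, in the attack the post describes) is not visible here; a plugin or a web-application firewall that logs the login name is needed for that, and the site-wide window rule is the one to alert on when per-IP blocking goes quiet.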

ServerBear Benchmarks

ServerBear: Performance Benchmarking For Linux Servers

The popular options for VPS hosting for the past few years have been the venerable Linode, VPS.net (my provider of choice since 2009), the late SliceHost, Rackspace and Amazon EC2. A new name has been cropping up more and more lately, though: DigitalOcean. After…

BlogBuzz April 13, 2013

WordPress 3.6 to Have Audio/Video Support in Core

Here’s some great news from the WordPress development blog: WordPress 3.6 is going to have built-in support for audio/video playback. You will be able to upload a media file, and WordPress will handle playback using MediaElement.js. Shortcodes will be available, as well as…

HTML5 and CSS3: Develop with Tomorrow's Standards Today

HTML and CSS: Develop with Tomorrow’s Standards Today by Brian P. Hogan

I recently unearthed a review copy of a book that somehow got lost in the shuffle a couple of years ago, HTML5 and CSS3: Develop with Tomorrow’s Standards Today by Brian P. Hogan, which is too bad, since it’s one of the better books…