Warning: WordPress Brute Force Attack

In light of the massive WordPress brute force attack going on, here is some advice to lock down your blog from being attacked.

After my blog was hacked a few months ago, I’ve understandably become more security conscious about my blog.  One of the things I’ve done is install a few security plugins (most notably Wordfence Security).  Wordfence is an absolutely fantastic security plugin: it monitors the files in your site to make sure that they don’t change unexpectedly, and more importantly it monitors login attempts (and other page requests on your site) for potentially harmful activity.

Over the past few weeks a global brute force attack has been targeting WordPress installations.  I first found out about it because Wordfence started notifying me that there were more failed login attempts than usual.

Protect yourself and your blog with the following crucial steps:

  1. Don’t use “admin”:
    • If you have a user named “admin” on your WordPress installation, get rid of it!  If it is your only admin user, create a new one, log out of admin, log in as your new admin user, and then delete the user named “admin.”  The brute force attack is trying thousands of passwords with the user named admin.
  2. Use a good password:
    • Please don’t use “password” or “admin” or “god” or your birthday, pet’s name, or any other easily guessed password.  Use a good password.  The brute force attack is trying both a list of the top 10,000 passwords and a dictionary random-word attack.  Protect yourself; don’t use a password that is easily broken!
  3. Use a security plugin to prevent login attempts:
    • As I mentioned above, I use Wordfence Security by Mark Maunder.  This plugin is fantastic.  Not only can you set it up to lock people out if they fail to log in a certain number of times, but you can rig it so that if they try a username you don’t have (like admin, because you followed step 1) it will lock them out immediately.
    • It will also notify you when it has locked someone out, and can notify you if someone successfully logs in.  This way you can have a warning if someone does manage to break through your secure password.
    • It also monitors the files on your WordPress installation and notifies you if any of the files in your themes and plugins unexpectedly change.  This is a great plugin and I highly recommend it.
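To show what steps 1 and 3 look like as code rather than as plugin settings, here is a small must-use plugin I wrote for this post as an added example. It is not Wordfence’s code and not part of the original post; it uses only standard WordPress hooks (`authenticate`, `wp_login_failed`, `wp_login`) and transients. It assumes you drop the file into `wp-content/mu-plugins/`, that the thresholds (5 failures in 15 minutes, one-hour lockout) are placeholder values you will tune, and that the server’s `REMOTE_ADDR` is the real client address (behind a reverse proxy you would need to derive the address from a header you control instead).

```php
<?php
/**
 * Plugin Name: Example Login Lockout (added example, not Wordfence)
 * Description: Lock out an IP after repeated failed logins, or immediately
 *              when it tries a username that does not exist on this site.
 */

// Hypothetical thresholds; tune for your own site.
define( 'EXAMPLE_LOCKOUT_MAX_FAILURES', 5 );                  // failures allowed per window
define( 'EXAMPLE_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );   // window in which failures are counted
define( 'EXAMPLE_LOCKOUT_DURATION', HOUR_IN_SECONDS );        // how long a lockout lasts

function example_lockout_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // Do not trust X-Forwarded-For unless a proxy you control sets it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key( $ip, $suffix ) {
    // Transient names have a length limit, so key on a hash of the IP.
    return 'ex_lock_' . $suffix . '_' . md5( $ip );
}

function example_lockout_is_locked( $ip ) {
    return (bool) get_transient( example_lockout_key( $ip, 'locked' ) );
}

function example_lockout_lock( $ip, $reason ) {
    set_transient( example_lockout_key( $ip, 'locked' ), $reason, EXAMPLE_LOCKOUT_DURATION );
    delete_transient( example_lockout_key( $ip, 'fails' ) );
    // Same idea as "notify me when it locks someone out" in the post above.
    wp_mail( get_option( 'admin_email' ), 'Login lockout on ' . home_url(),
             "IP $ip locked out: $reason" );
}

/**
 * Runs on the 'authenticate' filter AFTER the built-in username/password and
 * cookie checks (they run at priorities 20 and 30). At this point $user is a
 * WP_User on success or a WP_Error on failure; a locked-out client gets a
 * WP_Error either way, so a correct password does not bypass the lockout.
 */
function example_lockout_authenticate( $user, $username, $password ) {
    $ip     = example_lockout_client_ip();
    $denied = new WP_Error( 'locked_out', 'Too many failed login attempts. Try again later.' );

    if ( example_lockout_is_locked( $ip ) ) {
        return $denied;
    }

    // Step 1 of the post: a username that does not exist here (e.g. "admin"
    // after you removed it) locks the client out on the spot.
    if ( '' !== $username && ! username_exists( $username ) && ! email_exists( $username ) ) {
        example_lockout_lock( $ip, 'unknown username ' . substr( $username, 0, 60 ) );
        return $denied;
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_authenticate', 100, 3 );

/**
 * Fires after any failed login (wp-login.php and XML-RPC both go through
 * wp_authenticate). Count failures per IP inside the window.
 */
function example_lockout_failed( $username ) {
    $ip = example_lockout_client_ip();
    if ( example_lockout_is_locked( $ip ) ) {
        return; // already locked; avoid re-locking and re-mailing on every attempt
    }
    $key = example_lockout_key( $ip, 'fails' );
    $n   = (int) get_transient( $key ) + 1;
    set_transient( $key, $n, EXAMPLE_LOCKOUT_WINDOW );
    if ( $n >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        example_lockout_lock( $ip, "$n failed logins for " . substr( $username, 0, 60 ) );
    }
}
add_action( 'wp_login_failed', 'example_lockout_failed' );

// A successful login clears the failure counter for that IP.
function example_lockout_success( $user_login ) {
    delete_transient( example_lockout_key( example_lockout_client_ip(), 'fails' ) );
}
add_action( 'wp_login', 'example_lockout_success' );
```

Two design points worth noting: the `authenticate` hook is registered at a late priority on purpose, because a filter that returns a `WP_Error` early is ignored by WordPress’s own username/password filter when both fields are filled in, so an early lockout would still let a correct password through; and the counter lives in transients so it works on a single-server site without a schema change, while on a busy site the same logic belongs in an object cache.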

I hope this helps you secure your blog from this attack.

Battering Ram Image Credit: flickr.com/noii

Losing my Geek Cred: Nick.pro hacked

If you attempted to visit my blog on Friday using either Firefox or Chrome, you most likely received a warning that the site was compromised and dangerous.  While I’m still not sure how they got through, I can tell you that my blog was compromised.  Code was injected into the site in every place where JavaScript was being output, and it attempted to install malware on the computers of people who visited nick.pro.

No, it was not because I was lazy and didn’t keep my blog up to date, because I did.  The blog was already running the most up-to-date version of WordPress available.  The compromise most likely came through a vulnerability in one of the plugins or in the theme I was using.

My first inclination would be to pretend that such an embarrassing lapse of security never happened, but I thought that perhaps the tale of how I’ve brought things back up might help others who find their websites hacked as well.


Migrated Back to WordPress

Over a year ago, I migrated nick.pro from WordPress over to Drupal.  I did this so that I could experiment with Drupal more, thinking I could make a more robust site if I did so.  Unfortunately, while Drupal is a fantastic, flexible platform for web development, it is simply not efficient as a blogging tool.

Drupal was so cumbersome to use as a blogging tool that I ended up stopping blogging altogether.  So for the first time in years of migrating this blog around and around, I’m reverting it back to a previous home on WordPress.

In the last year WordPress has come a long way, with lots of great new features that make blogging even simpler than it was before.

I in no way mean to bash Drupal; it’s still far and away the best CMS out there for developing complex sites, but for a blog… it’s good to be home.  My hope with this migration back to WordPress is that it will light a fire under me to blog again.  No more can I shirk my blogging responsibilities with the whine that writing a post in Drupal is just too much work.

Nick.pro Migrated to Drupal

I have successfully migrated the nick.pro site from the WordPress blog that it has been for ages into Drupal. This is perhaps the most unusual migration of this blog (and I’ve moved this blog several times now), in that I don’t actually consider Drupal to be better blogging software than WordPress; in fact, I find WordPress to be the absolute best blogging software available today. However, I’ve long wanted nick.pro to be something more than just a blog. I’ve wanted it to be a whole site showcasing what I’m up to online and off, and Drupal is a far better CMS platform for a more robust site than just a blog.

While Drupal works fine as a blog, where it really shines is in its flexibility. There are third-party modules available to do almost anything you can imagine, and for those things you can’t imagine, it’s a robust PHP framework for coding my own modules to do even more incredible things.

For the moment, all I’ve accomplished is migrating my old blog content, making sure all of the URLs redirect correctly, and adding an activity stream to show my recent activity on various online sites (Twitter, Digg, YouTube, and Flickr to start, more to come).

This is far from the first time I have migrated my blog. Stay tuned after the break for a brief glimpse of how this site has progressed from “Cap’s Log” on Movable Type 2, to Nick.pro running on Drupal today.