This is one of those stories about WordPress you should read, because it affects you even if you don’t use (or even know about) WordPress.
On April 15th, the United States Department of Homeland Security, Computer Emergency Readiness Team issued a warning of an “ongoing campaign targeting the content management software WordPress…”
CloudFlare, a web performance and security startup, had to block 60 million requests against its WordPress customers within a single hour. The requests targeted WordPress administrative accounts and came from a botnet of more than 90,000 separate IP addresses. A CloudFlare spokesman asserted that if attackers gained control of WordPress servers, the resulting damage and service disruption could exceed what common distributed denial of service (DDoS) defenses can handle.
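As an added example (not code from the original article, from CloudFlare or from the WordPress project), the script below shows what the distributed login flood described above looks like from a site owner's side: it reads web server access log lines, isolates POST requests to the WordPress login page, and flags the two patterns worth alerting on, a single IP hammering the login and many IPs each making only a few attempts. The log lines are constructed sample data in the common Apache/nginx "combined" format, the thresholds are illustrative assumptions, and the 200-vs-302 distinction relies on a stock WordPress install re-rendering the login form on a failed password and redirecting on a successful one.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic) in Apache/nginx "combined" format.
# Three source addresses each make a few POSTs to wp-login.php, the low-per-IP,
# many-IP pattern of a distributed brute force; one ordinary visitor reads a post.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:10:00:05 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 18240 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop any query string
        "status": int(m.group("status")),
    }


def login_posts(log_text):
    """Yield parsed entries that are POST requests to the WordPress login page."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"] == "/wp-login.php":
            yield entry


def peak_window_count(timestamps, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window=timedelta(minutes=5), per_ip_threshold=5,
            min_posts=5, min_ips=3):
    """Summarise login POST activity and flag brute-force patterns.

    Thresholds are illustrative assumptions, not WordPress or CloudFlare defaults:
      per_ip_threshold: attempts from one IP that mark it as noisy
      min_posts/min_ips: a burst of at least min_posts attempts inside one window
                         coming from at least min_ips addresses is treated as distributed
    """
    entries = list(login_posts(log_text))
    per_ip = Counter(e["ip"] for e in entries)
    # Stock WordPress answers a wrong password with 200 (form re-rendered) and a
    # correct one with a 302 redirect; a 302 preceded by failures from the same IP
    # is the event an owner most needs to look at.
    failed_ips = {e["ip"] for e in entries if e["status"] == 200}
    success_ips = {e["ip"] for e in entries if e["status"] == 302}
    peak = peak_window_count([e["ts"] for e in entries], window)
    return {
        "total_posts": len(entries),
        "distinct_ips": len(per_ip),
        "peak_in_window": peak,
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
        "distributed": peak >= min_posts and len(per_ip) >= min_ips,
        "suspicious_successes": sorted(success_ips & failed_ips),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real access log by passing its contents to `analyze()`; the per-IP view is what a simple rate limit or lockout plugin acts on, while the `distributed` flag is the case those tools miss, since each bot stays under the per-IP threshold, and it is the signal that justifies a captcha or two-factor step on the login page.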
Why should we care?
According to Wikipedia,
WordPress is used by over 14.7% of Alexa Internet’s “top 1 million” websites and as of August 2011 manages 22% of all new websites. WordPress is currently the most popular blogging system in use on the Web, powering over 60 million websites worldwide.
According to WordPress.org, WordPress 3.5 has been downloaded 19,370,337 times (as of this writing).
Imagine for a minute that 20,000,000 websites were running code for personal blogs, corporate websites, and local stores.
Imagine if four million of those were out of date and had security holes.
You don’t have to imagine.
WordPress 3.5 is currently the latest release of WordPress.
Roughly 65% of them are out of date.
(Pie chart taken directly from WordPress.org.)
Two-thirds of the WordPress sites are out of date…
This creates a ‘feeding frenzy’ of criminal hackers looking for easy victims.
Google Trends shows that search volumes for terms such as “WordPress Security” and “WordPress Backup” are trending up with no sign of slowing down. Looking at shorter time windows for those keywords, we can see that searches for WordPress backup and security solutions spike as follow-up remedies, after a problem has already escalated.
In other words: WordPress users wait until a problem happens, then complain about a door they left unlocked themselves.
How does this affect me?
Imagine the value of your personal data.
Think about the previous line item: “WordPress is used by over 14.7% of Alexa Internet’s ‘top 1 million’ websites.”
- How many times a month do you visit a WordPress site?
(hint… you are on a WordPress site right now.)
- How many of those sites have you joined up as a member?
- Did you release your e-mail or privately talk with another member?
- Does your e-mail, username, and password match one of your utility or bank logins?
- Did you click on a message link from a friend only to realize it was spam?
- Did you download a nasty virus on your computer off the web?
- Did you wait a few extra seconds waiting for a site to load?
Simply put: there are hundreds of ways that a WordPress virus or hack can affect you, your business, or the people you care about. Some of them are mere nuisances; others are cause for complete panic.
If you own a site that has been attacked, the result can be irreparable damage to your business and to your community members. Repairing a site can often cost thousands of dollars in lost income and technical fees (and the trust of your users).
WHAT CAN YOU DO?
If you use WordPress: UPDATE IT along with ALL of the plugins you use.
Share this article with anyone who uses WordPress.
Encourage them to update the software they use and make frequent back-ups to protect themselves and their users.
We all have a responsibility to help each other have a positive and safe experience on the web.
Big Names (outside of the Department of Homeland Security) are talking about it.
TechCrunch, Ars Technica, HostGator…
Global WordPress Brute Force Flood – Gator Crossing – HostGator
Apr 11, 2013 … Global WordPress Brute Force Flood … The main force of this attack began last week, then slightly died off, before picking back up again …
Fix For Recent WordPress Brute Force Attack Is Easier Than You …
Apr 14, 2013 … Over the past couple of days it has been widely reported that WordPress based sites are being targeted by a massive brute force attack, one …
Brute Force Attacks Build WordPress Botnet — Krebs on Security
Apr 12, 2013 … Brute Force Attacks Build WordPress Botnet. Security experts are warning that an escalating series of online attacks designed to break into …
Hackers Point Large Botnet At WordPress Sites To Steal Admin …
Apr 12, 2013 … For the most part, this is a brute–force dictionary-based attack that aim to … that CloudFlare saw attacks on virtually every WordPress site on its …
Huge attack on WordPress sites could spawn never-before-seen …
Apr 13, 2013 … According to CloudFlare’s Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, …
Worldwide WordPress Security Admin Attacks: Secure Your Blogs Now
Apr 16, 2013 … WordPress Security is always an important part of running your blog, but right now it is even more important than ever. There is a severe …
Update WP Super Cache and W3TC Immediately – Remote Code …
Apr 23, 2013 … Shame on us for not catching this a month ago when it was first reported, but it seems that two of the biggest caching plugins in WordPress …