WordPress Security Bulletin

Fri, 21 Feb 2014

Dear website owner,

If you do not have a WordPress website hosted by Virtual Creations, you can disregard this message.  If you do not know whether your website is a WordPress website or not, please contact your website developer and ask them.

In the last 24 hours, many of the WordPress websites on our server have been deluged with a constant stream of hacking attempts.  Automated processes are attempting to log into WordPress websites by guessing their administration password.  This was putting a huge load on our server, not to mention the potential for compromising one or more accounts.

I have blocked the IP addresses of all the hackers, and the attack is over, for the time being.

However, this would be a good time to remind ALL WordPress website owners that your website platform - WordPress - is inherently a very vulnerable system.  Thousands of WordPress websites are hacked every day.  I regularly find hacked WordPress websites on my own server (and I suspend/disable them instantly).

With this in mind, I strongly recommend the following extra security precautions for all WordPress website owners:
  1. If your WordPress administration username is "Admin" (the default), I recommend that you change it ASAP.  Do this by adding a new administration user in WordPress, and then deleting the "Admin" user.
  2. Use a strong password for all WordPress administration users.
  3. Regularly (every two weeks), log in to the admin area of your WordPress website and ensure that WordPress is up to date, and so are all the themes and plug-ins.
  4. Install a WordPress security plug-in on your WordPress website, such as Wordfence (www.wordfence.com).
  5. Ensure that your own PC (the computer you log into WordPress from) has a good anti-virus program, and that it's running and monitoring your computer.

If you don't know how to do any of these things, please contact your website developer.  Please do this as a matter of urgency.

If it ever turns out that your WordPress website has been compromised, your hosting account will be instantly suspended, which will take your website AND emails offline.