WordPress attacks, and new security policy

Fri, 8 Aug 2014

This email is for all Virtual Creations clients that have a WordPress website hosted on our servers.  If you do not have a website, or your website is not hosted on our servers, or your website was not built using the WordPress platform, you can disregard this email.  If you don't know what platform was used to create your website, then please ask your website developer.
If you have a WordPress website hosted on the Virtual Creations servers, then you MUST read this email thoroughly - it is relevant to you!
As you may or may not be aware, WordPress is an increasingly popular target for hackers worldwide.  They hope to exploit a security hole in the WordPress code (or in the code of a WordPress plug-in or theme) and implant malware, which they can then use to send out spam emails, capture credit card details, and so on.  Right now there is a wave of attacks going on around the world against WordPress websites.  The attackers are typically using "brute force" attacks, which simply means they try to guess the administrator password by submitting thousands of common or random passwords to the login page, hoping that one of them is right.  On our own server, many WordPress sites are being constantly hammered in this way.  I checked just now, as I'm writing this, and saw several attempts every second!
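A brute-force attack of the kind described above leaves an obvious trail in the web server's access log: one client IP posting to wp-login.php (or xmlrpc.php) again and again. The script below is an added example, not part of the original email, showing how to spot that pattern. It parses constructed Apache/Nginx combined-format log lines (the IP addresses and timestamps are made up for illustration) and flags any IP that made more than a chosen number of login POSTs within a sliding time window; the thresholds of 10 attempts per 60 seconds are assumptions, not values the email recommends.

```python
"""Flag brute-force login attempts against WordPress from an access log.

Added example (not from the original email). Parses combined-format
log lines and reports client IPs that hammer the login endpoints.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints a WordPress password-guessing tool has to hit.
LOGIN_ENDPOINTS = ('/wp-login.php', '/xmlrpc.php')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    path = m.group('path').split('?', 1)[0]  # drop any query string
    return m.group('ip'), ts, m.group('method'), path, int(m.group('status'))


def login_attempts(lines):
    """Map each client IP to its list of (timestamp, status) login POSTs."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == 'POST' and path.endswith(LOGIN_ENDPOINTS):
            attempts[ip].append((ts, status))
    return attempts


def brute_force_sources(lines, max_attempts=10, window_seconds=60):
    """IPs with more than max_attempts login POSTs inside any window_seconds span.

    Returns {ip: {'peak': attempts in the busiest window,
                  'possible_success': True if any attempt was answered with 302}}.
    """
    flagged = {}
    for ip, recs in login_attempts(lines).items():
        recs.sort()
        stamps = [t for t, _ in recs]
        peak, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            # wp-login.php re-renders the form with HTTP 200 on a failed login
            # and redirects (302) on success, so a 302 inside a burst from the
            # same IP is the sign that one of the guesses landed.
            flagged[ip] = {
                'peak': peak,
                'possible_success': any(s == 302 for _, s in recs),
            }
    return flagged


# Constructed sample log: one attacker IP guessing every 3 seconds and finally
# getting a redirect, plus one legitimate user logging in once.
SAMPLE_LOG = [
    f'203.0.113.5 - - [08/Aug/2014:10:15:{i:02d} +1000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"'
    for i in range(0, 36, 3)
] + [
    '203.0.113.5 - - [08/Aug/2014:10:15:40 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2014:10:15:20 +1000] "GET /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2014:10:15:31 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2014:10:15:32 +1000] "GET /wp-admin/ HTTP/1.1" 200 18221 "-" "Mozilla/5.0"',
    'this line is not an access-log record and is skipped',
]

if __name__ == '__main__':
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak']} login POSTs in 60s, "
              f"possible success: {info['possible_success']}")
```

Feeding a real log file in (one line per list element) turns this into a quick check of whether a site is being hammered; the same counting logic is what login-limiting plug-ins and tools such as fail2ban apply before blocking an IP. The 302-after-a-burst heuristic only works on stock wp-login.php behaviour, so treat it as a prompt to look closer rather than proof of compromise.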
In the past week, three of our sites were in fact compromised.  We discovered this quite soon, and took steps to remove the malware.  Those sites are now operating normally.
Even one such successful attack can be quite costly for us - not only in terms of the several hours we spend mitigating the damage, but also in the lowering of our server's spam-free reputation in the global databases.  For this reason, we are now implementing a strict WordPress security policy, putting the onus on you, the website owner, to ensure that your WordPress website is as protected as it can be against such attacks.
What you need to do
If you have not already done so, please read the following security bulletins.  We sent these out a few months ago:
We STRONGLY advise that you follow all the steps in these bulletins, including installing the two plug-ins mentioned, and then logging into the back-end of your WordPress website REGULARLY (around once a week) to ensure that WordPress and all its plug-ins and themes are up-to-date.  Thankfully, that last part takes only a few seconds.
You need to do this for EVERY WordPress website that you operate from our servers.
Several of you have already done this, and we appreciate it.
WordPress Security Service
Virtual Creations has recently begun offering a WordPress security service, whereby we secure your site as described in the bulletins above.  The cost for this is a one-time fee of $50 + GST.
We can also keep your website up-to-date, by regularly logging into your website and updating any out-of-date plug-ins or themes, or WordPress itself.  This service costs $50 + GST per year.
Please let us know if you would like us to do either, or both.
Some of our clients are already using this service.  If you're one of them, then there's nothing you need to change.
What Happens if Your Website is Compromised
If your website becomes compromised by hackers, we will now do the following as a matter of procedure:
  1. The hosting account will be immediately suspended, which will take your website AND emails offline (unless your emails are hosted elsewhere, such as a Google Apps/Gmail service).  This sounds drastic, but the compromised accounts are usually in the process of sending out thousands of spam emails.  Such emails will get our server blacklisted if left unchecked.  Not to mention that a compromised website is a threat to the security of the other accounts on the server and the server itself.
  2. We will examine your website to see if you have any security plug-ins installed, and whether all your plug-ins and themes (and WordPress itself) are up-to-date or not.
  3. We will notify you via email or telephone.
  4. We will coordinate with you a time that we will unsuspend your account so that your website developer can log in and repair the damage.  It's possible that your website was in fact developed by Virtual Creations, in which case you are welcome to engage us to clean it.  Your website and emails must remain suspended/offline until such time.
If your website has been kept up-to-date in the manner advised in our bulletins (above), either by our security service or by yourself, then there will be no cost involved to unsuspend your account.  If, however, your website has NOT been kept up-to-date (in other words, you've disregarded this email), we will charge you $120 + GST to unsuspend the account, payable BEFORE we unsuspend the account.
Once the account is unsuspended, you are welcome to clean it yourself, if you know how, or engage your developer (or any other third party) to do so.  If you would like Virtual Creations to do so, we will charge $120 + GST per hour.  If you are already using our security service, you will get 50% off, so that it will only be $60 + GST per hour.
Please take this seriously.  Failure to do so could see your website/emails go offline for some period of time, and cost you money to get sorted out.
I apologise if this email, or the new policy herein, seems harsh or onerous.  I assure you that it was not an easy decision for me to go down this road.  But I've spent WAY too many hours removing malware from hacked accounts, and contacting blacklist databases trying to get our server de-listed, and sorting out alternative mail configurations for people trying to send emails after our server has been blacklisted.  I now need my clients to shoulder some of this responsibility.  WordPress is a wonderful platform - not least because it's free - but it's not without its drawbacks, the largest of which is its security vulnerabilities.  If you've chosen WordPress for your website, these drawbacks may be starting to become apparent.
Please contact me if you have any questions about any of this.
Thanks for reading,
0411 170517
02 8005 4277