WordPress sites under attack. Please read.

There is a very bad and very brutal attack happening right now against WordPress-based websites.  Please read about it here: http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

This is a very serious issue and it requires taking action to safeguard your WordPress sites.  We highly recommend you take the steps below. Please consider ALL of the websites you have – some of you may have one WordPress site, and some may have many.  These steps should be taken for all sites.
1 – Install and activate the “Limit Login Attempts” plugin.  This will stop malicious bots from repeatedly trying to get into your site by guessing password after password.
  • Go to your dashboard
  • Go to plugins > add new > search for “limit login attempts”
  • install and activate this plugin
  • Go to settings > limit login attempts
  • Check the settings.  Either leave the defaults or change as desired.
2 – Make sure your WordPress username is not “admin”.  To do this, log in to your dashboard, go to users, and look through the usernames for the default username “admin”.  If it is there, it will need to be changed.
To change the username:
  • Go to your dashboard
  • Go to plugins > add new > search for “admin username changer”
  • Install and activate this plugin
  • Go to the left hand navigation of the dashboard.  Toward the top, it should say “Admin username”. If you click on that, you can change the admin username to something other than “admin”.
  • Once you have changed the username, you can go back to plugins and deactivate this plugin as it is no longer needed.  Please note you will use your new username in place of “admin” to log in.
3 – Make sure your passwords are STRONG, and change any weak WordPress passwords.  Please do this for ALL of the users that contribute to your site.
  • Make the password at least eight characters long.
    A longer password means it’s harder for someone to guess. 12 or 16 characters is even better.
  • Use a mix of upper and lower-case letters.
    Passwords are case-sensitive, so alternate your caps occasionally throughout the password to increase its strength.
  • Throw in some numbers—especially in the middle.
    Numbers at the beginning or end of a password are easier to guess or crack than those stuck right in the middle.
4 – Consider signing up for VaultPress
You can use http://vaultpress.com/ to safeguard your site and to restore it easily if something happens to it.  Adding it is pretty straightforward and their support is helpful, though there are sometimes delays.  This is not free.  There is a fee per site, per month.  We believe this is worth the expense, as rebuilding your site will be more costly and painful than setting this up and paying for it.  If there are things in the setup you do not know the answers to, like your FTP username and password, contact your hosting company.  VaultPress requires that you have a wordpress.com username and password – this is different from your dashboard username and password – and you may need to set up a fresh wordpress.com account.  That username and password will be important, so be sure to keep track of them.
5 – If you don’t set up VaultPress, at least back up your database (unless you already know this is being done).  This is not as good as using a service like VaultPress that backs up your whole site.  This method just backs up the *content* and the settings, not the images and the look of the site.
  • Go to your dashboard
  • Go to plugins > add new > search for “wp-db-backup”
  • Install and activate this plugin
  • Go to tools > backup
  • Check all of the tables in the database and download a copy of the database to your hard drive so that your site is backed up now
  • Then, under “Scheduled Backup”, set the site up to email you a copy of your database at a set interval (depending on the frequency with which you change the content).

NOTE: The scheduled backups don’t work on all hosting and don’t work if your site is too large, so after backing up to your hard drive and setting the schedule, you will want to set a note in your calendar to check whether the scheduled backups are arriving.  If they are not, log back in periodically and download a backup yourself.

There is another plugin referenced in the article noted above called “Better WP Security” that requires more advanced setup.  If you feel comfortable installing and configuring it, you can, but it lets you change very technical settings that could easily break your site.  Do this with caution.
