WordPress web sites are becoming more and more time-consuming to keep up with on a weekly, or even daily, basis. The recurring items are:
1. Plugin Updates (careful use of any plugin)
2. Regular Scheduled Backups (weekly / monthly)
3. Proactive Security Updates (WP Security Scan)
4. Performance Optimization
5. Malware prevention / cleanup & performance scans (WordFence)
6. Uptime Monitoring
WordPress websites need continuous monitoring, maintenance and upgrading so that they perform well and stay safe from hackers. But if your website is ever compromised, someone should be there to restore it from the latest clean backup.
Websites aren’t paintings that you hang up on the wall after they’re complete; they are an investment that needs to be looked after to keep the positive ROI.
With WordPress maintenance, I am pledging time to be your client’s website “bodyguard.” If anybody messes with your business, I’m going in there, guns blazing. Otherwise, you’ll sit quietly in the corner, keeping one eye shut and the other on the door.
Yes, this is different from regular ‘site maintenance’, which has been outlined in your contracts. ‘Site maintenance’ has been focused on making changes to the content and images on your current pages: changing prices, changing content and adding fresh news are all examples covered by your existing ‘site maintenance’ agreement. WordPress maintenance deals with security, backups, prevention and keeping up with the various plugin updates.
Security is one of the most important aspects of running a website these days, as there truly are a lot of malicious people out there that can and will try to target your website (whether to try and steal your data, use your PC for a DDoS, or a number of other reasons known only to them).
WordPress web sites are constantly being hacked, or rather, attempts to hack them are made on a daily basis. WordPress security is all about being proactive. You know what they say: an ounce of prevention is worth a pound of cure, especially on the web. Most WP attacks originate from Russia, China, France, India, Ukraine and the good ol’ USA.
What does “Secure” actually mean in Chrome browser?
In order for a website to be labeled as ‘Secure’ by Chrome, it needs to set up SSL on its web server. As part of that process, it needs to contact a certificate authority (CA) to get a ‘certificate’. The CA is supposed to verify that the website owner actually owns the website. This process is called ‘domain validation’. Other than verifying that the domain owner actually owns the website, the CA is not required to do anything else.
In Chrome, when you see “Secure” in your browser location bar, it means that the connection between your browser and the website you are connected to is encrypted. It also means that the person who installed the certificate on the website actually owns the site domain. It does not mean that the domain is “Trusted”, “Safe”, “Not malicious” or anything else.
LetsEncrypt is providing valid SSL certificates to phishing sites
Until relatively recently, CAs would generally not issue an SSL certificate to a site that is obviously trying to pretend to be apple.com or microsoft.com. However, there is a new CA called LetsEncrypt that issues free certificates to websites that want to use SSL.
Even if a CA revokes a certificate, Chrome still shows it as “Valid” and “Secure”.
It turns out that this certificate has been “revoked”. What that means is that Comodo, the CA in this case, realized that the certificate belongs to a malicious website after they issued it and they decided to mark it as invalid.
Because Chrome does not check certificate revocation lists in real-time, it shows the certificate as valid in the location bar and the site as “Secure”. Chrome is unaware that Comodo has revoked the certificate after Comodo realized they should not have issued it in the first place.
What should you do to ensure you stay safe on the web?
The best way to protect yourself against malicious sites, in this case, is to check your web browser’s location bar and read the full website hostname that appears there.
Look at the location bar above. You should see ‘https://www.wordfence.com/….’. When visiting any website that you plan to exchange sensitive data with, check the full hostname after ‘https://’ and before the next forward slash. If you don’t recognize it or if it looks like it has some weird stuff on the end, close the window immediately and think carefully about how you ended up on that website.
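The hostname rule above, as an added example (not code from the page or from Wordfence): a small Python check that extracts the hostname a browser would display and accepts it only when it is the expected domain or a subdomain of it, rejecting a lookalike name that has the real domain glued on the front, a URL where the real domain sits in the user-info part before an ‘@’, and plain http. The expected domain and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

def check_site(url, expected_domain):
    """Apply the 'read the full hostname' rule: return 'ok' when url is an https URL whose
    hostname is expected_domain or a subdomain of it, otherwise a short reason for rejection."""
    parts = urlsplit(url)
    host = parts.hostname  # already lowercased; any 'user@' prefix and ':port' are stripped
    if not host:
        return "no hostname"
    if parts.scheme != "https":
        return "not https"
    if not host.isascii():
        return "non-ascii hostname"  # may contain lookalike characters; inspect by hand
    expected = expected_domain.lower().strip(".")
    host = host.strip(".")
    if host == expected or host.endswith("." + expected):
        return "ok"
    return "hostname is " + host + ", not " + expected

if __name__ == "__main__":
    # Constructed sample URLs; apple.com is used as the expected domain only because the
    # page names it. The .example hosts are reserved names, not real sites.
    for url in ("https://www.apple.com/account",
                "https://www.apple.com.verify-account.example/login",
                "https://www.apple.com@evil.example/",
                "http://www.apple.com/"):
        print(url, "->", check_site(url, "apple.com"))
```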
Brute Force Attacks on WordPress in February 2017
As you can see we experienced a huge spike in brute force attack activity this February starting at approximately February 20th and sustaining until the end of the month. As a reminder, these are simply login guessing attacks. Wordfence blocked an average of 30 million brute force attacks per day across the websites that we protect in February. This is an increase from the 26 million attacks per day average we saw in January.
Attacks on Themes for February 2017
Once again we are not seeing much change in the ranking of the themes targeted for attack in WordPress. The most attacked themes are mTheme-Unus, ChurchOpe, Lote27, Authentic, Echelon, Elegance, Awake, inFocus, Dejavu, Persuasion, Fusion and Construct.
Attacks on Plugins for February 2017
Our biggest gainer among attacked plugins in February is wp-pagenavi, which climbed 28 places. Attackers occasionally install fake versions of this plugin once a site is compromised, so these requests may be attempts to reach that fake plugin as a check on whether a site has already been compromised. Wordfence blocks these. The most attacked plugins are WP-Symposium, wp-ecommerce-shop-styling, recent-backups, candidate-application-form, wptf-image-gallery and wp-mobile-detector.
Attacks by Country for February 2017
Russia, US, France, Ukraine, Turkey, Netherlands, India, China, Germany and Italy are where most attacks are initiated.
That concludes the attack report for February 2017. I hope this has given you a clear picture of the threat landscape that confronts WordPress currently. In this report the new topology analysis we included has provided unique insight on how threat actors spread themselves across countries and hosting providers.
We saw a huge spike in brute force attacks in February and an average drop in the number of complex attacks. There was little change in the attacked themes and some change in the plugins we are seeing targeted.
Most Active IPs (from Airtable)
In the table below we have listed the most active attack IPs for December 2016.
IP address – figure as listed – country / network
220.127.116.11 – 31.8 – Ukraine
18.104.22.168 – 12.4 – Russia (Phoenix)
22.214.171.124 – 6.3 – Ukraine
126.96.36.199 – 6.0 – Russia (Petersburg)
188.8.131.52 – 5.6 – Ukraine (Kyivstar)
184.108.40.206 – 5.5 – France
Complex Attacks vs Brute Force Attacks
A brute force attack is a password guessing attack that is simplistic and has a low likelihood of success. At Wordfence we consider a ‘complex’ attack to be an attack that tries to exploit a vulnerability in WordPress or a WordPress plugin. If you are using Wordfence to protect your WordPress website, brute force attacks are blocked by our brute-force protection and complex attacks are blocked by the Wordfence firewall. The top two IPs, one in Ukraine and one in Russia, are both using complex attacks to target WordPress websites.
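An added example (not code from the page or from Wordfence) that turns the brute-force definition above into detection logic: it reads constructed web-server access-log lines, counts failed POSTs to wp-login.php per source IP inside a sliding time window, and reports the sources that exceed a threshold. The log lines, the threshold and the window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Apache "combined" log lines (sample input, not from the page). On stock WordPress a
# failed login re-renders wp-login.php with HTTP 200; a successful login answers with a 302.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2017:02:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2017:02:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2017:02:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2017:02:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2017:02:15:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2017:02:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2017:02:16:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Feb/2017:02:16:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2512 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_brute_force(log_text, max_failures=4, window_seconds=60):
    """Return {ip: total_failed_posts} for every IP that sends more than max_failures
    failed wp-login.php POSTs inside any window_seconds span (sliding window)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == "200"
                and rec["path"].split("?", 1)[0] == "/wp-login.php"):
            failures[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it spans <= window_seconds
            if end - start + 1 > max_failures:
                offenders[ip] = len(times)
                break
    return offenders

if __name__ == "__main__":
    print(find_brute_force(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

Sites that customise the login flow (a different login URL or a plugin that changes the response code) need the path and status filter adjusted to match.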
Brute Force Attacks
If you recall our post on December 16th, where we described a “Huge Increase in brute force attacks in December”, we saw a marked increase in the number of attacked sites starting in late November.