
Sudden Surge in WordPress Hacking Attempts

Yesterday (10 Feb 2014), our friends at Wordfence, the WordPress security specialists, detected a large-scale attack against WordPress-based websites across the globe.

The attack is a distributed brute force attack – which means an organised effort to compromise websites by repeated and automated guessing of passwords.
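
An added example (not from the original post or from Wordfence): in a distributed attack each address makes only a few guesses, so a per-IP limit on its own can miss it. This Python script counts failed wp-login.php POSTs in a web access log per address and site-wide; the combined log format, both thresholds, and the reading of a 200 response as a failed login (a successful one normally redirects with 302) are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line: ip, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def make_sample_log():
    """Constructed sample traffic (documentation IP ranges), not real log data."""
    fmt = '{ip} - - [10/Feb/2014:09:{m:02d}:00 +0000] "{req} HTTP/1.1" {st} 3120 "-" "Mozilla/5.0"'
    lines = []
    for i in range(1, 13):          # 12 sources, only 2 guesses each
        for _ in range(2):
            lines.append(fmt.format(ip=f"198.51.100.{i}", m=i, req="POST /wp-login.php", st=200))
    # One genuine login (302 redirect) followed by a dashboard page view.
    lines.append(fmt.format(ip="203.0.113.9", m=30, req="POST /wp-login.php", st=302))
    lines.append(fmt.format(ip="203.0.113.9", m=31, req="GET /wp-admin/", st=200))
    return "\n".join(lines)


def failed_logins_by_ip(log_text):
    """Count POSTs to wp-login.php answered with 200 (assumed: form shown again)."""
    failed = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        is_login = path.split("?", 1)[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            failed[ip] += 1
    return failed


def assess(log_text, per_ip_limit=5, site_limit=20):
    """Compare a per-IP threshold with a site-wide one (both limits assumed)."""
    failed = failed_logins_by_ip(log_text)
    total = sum(failed.values())
    over_limit = sorted(ip for ip, n in failed.items() if n > per_ip_limit)
    return {
        "failed_total": total,
        "sources": len(failed),
        "ips_over_limit": over_limit,
        # Many failures site-wide while no single address stands out.
        "distributed": total >= site_limit and not over_limit,
    }


if __name__ == "__main__":
    print(assess(make_sample_log()))
```

On the constructed sample no address crosses the per-IP limit, yet the site-wide count does, which is the pattern a per-IP lockout alone would not catch.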

With around 20% of the world’s websites thought to be built on the WordPress platform – and a popular choice for many small business sites – this is a significant threat.

We’ve noticed a surge in attempts to compromise some of our sites and those of our customers – all thankfully blocked by the security measures in place.

To give you an idea, here’s a screenshot from one of our sites. It’s a new site, without any significant content – so we hadn’t tightened the security down as much as normal. Yet, even with basic measures in place – we stopped (in the end) over 50,000 attempts to breach security.

Wordfence Security Snapshot

If your site is built on WordPress – you need to make sure it’s secured. There are many more complex strategies to beef up security – but here’s our recommended top five must-dos:

1. Get rid of the user called Admin

Out of the box WordPress installs with a default user named Admin. Hackers know this and many attacks use Admin as the user name when trying many permutations of password. If you still have Admin as a user – you’re doing half the hacker’s job for them – Get Rid of It! [Here’s How]

2. Use Strong Passwords

The more complicated the password the harder it is for a hacker to crack.
Having a simple password might be easy for you to remember – but you’re leaving your site vulnerable to attack.

Passwords should contain a combination of upper and lower case letters, numbers and symbols and be at least eight characters long. (I use at least 12, mainly 16)

You can use a Password Manager application such as LastPass to securely store and keep track of your passwords – or you can adopt my ninja password memory trick – for instant recall of secure passwords for any of your sites.

3. Install Security Plugins

One of the great things about WordPress is that it can be enhanced and expanded with a plethora of third-party add-ons called Plugins.

There are a number of security related plugins, but the one I prefer and install on all our sites comes from WordFence. There are both free and paid versions and it will help protect your site from all sorts of nasties.

The second Plugin I recommend is called “Stop User Enumeration”. Even when you get rid of the Admin user, a hacker can still easily discover the usernames in use on your WordPress site. This plugin is designed to prevent them being able to.
Edit: Current versions of Wordfence now prevent User Enumeration too.

4. Backup your Site Files and Database

This is just common sense – rather than security specific advice – but you’d be surprised how many websites are not backed up properly. Your host may back up the entire server in their data centre – but if something happens to your site – how long will it be before they can restore it?

If you are unfortunate enough to have your site hacked – having a clean backup ready to restore once the breach has been resolved can have you back up and running again in minutes.

5. Keep up with the Housekeeping

The WordPress platform is constantly evolving and being updated. What was current when your site was built is likely out of date by now. If nobody is keeping it up to date, you’re leaving yourself open to any security vulnerabilities that have been identified and fixed in later versions.

I deliberately put Updates after Backups in this list. Sometimes things break when they’re updated, and can render your site useless. If you have a backup – you can generally roll back to the last known good version.

These are just the basics – but they’re infinitely better than leaving your site wide open!


Using social media for your business is all about interaction, yes?

Responding to your fans’ comments and posts, posting relevant and timely content and so on.

But – keeping a constant feed of posts going on your page is hard work – and takes a lot of time.

Facebook already allows you to schedule posts in advance – which is very handy. You can put together status updates, photo and video posts for a week or a month and have them publish to your page as and when you want them.

It’s still hard work though, as you have to manually create every post, upload every photo, and then click in the drop down boxes to set the date and time for every post.

You could use tools like Hootsuite to help automate the process – but when your posts are published, tools like that have a tell-tale caption in the post, like “…Via Hootsuite”. This lets your fans know that you used an automated tool, and that you’re not “actually” posting it.

Have you noticed that if you use the Facebook scheduled post, that tell-tale tag doesn’t appear?

In this video, you’ll see our FB Scheduled software in action. With this tool you can schedule literally hundreds of updates in just a few clicks – with no tell-tale banner.

You can post text-only status updates, links and photos too. The photos don’t even have to be on your PC – you can grab them from anywhere on the internet.

You can schedule out regular updates, event reminders, funny-photo-of-the-week posts – or whatever else takes your fancy.

This means you have the time to reply to your fans and post occasional live status updates, whilst the “bread and butter” posts are happening automatically.

Find out more at http://www.outsmarketing.com


Our friends at Wordfence.com have announced 16 security holes in WordPress Themes and Plugins that have been evidenced in the last week:

We are seeing exploits in the wild appear within the last week for the following WordPress themes and plugins. If you are running any of these themes or plugins, check if there is a recent security update and install the update, or remove the item from your system if there is no security update. If you’re unsure, contact the theme/plugin developer or vendor.

Cubed Themes version 1.0 to 1.2.
Remote file upload vulnerability. Distributed by themeprofessor.com. Exploit released on 9 November 2013.

Army Knife Theme, unspecified version.
CSRF File Upload vulnerability. Theme is distributed by freelancewp.com. Exploit released 9 November 2013.

Charcoal Theme
CSRF File upload vulnerability. Distributed by the official WordPress repository. The theme hasn’t been updated for several years, so we recommend deleting all files from your system.

WP Realty Plugin may contain an email sender vulnerability. Please contact vendor for clarification. We’re seeing exploits that claim to exploit this hole. Plugin is distributed by wprealty.org.

The following themes distributed by orange-themes.com appear to contain a remote file upload vulnerability and we’re seeing exploits appear in the wild, all published around November 12, 2013: Rockstar Theme, Reganto Theme, Ray of Light Theme, Radial Theme, Oxygen Theme, Bulteno Theme, Bordeaux Theme. Please contact the vendor to find out if your theme is applicable and what action to take.

Amplus Theme version 3.x.x contains a CSRF file upload vulnerability. We’re unclear who the vendor is, but it appears to be Themeforest.

Make a Statement Theme version 1.x.x (also known as MaS) contains a CSRF file upload vulnerability. Exploit distributed November 17, 2013. Vendor is themes.mas.gambit.ph.

Dimension Theme, unspecified version, contains a CSRF file upload vulnerability. Theme is distributed by ThemeForest. Exploit appeared November 17th, 2013.

Euclid Version 1 Theme contains a CSRF File Upload Vulnerability. Exploit appeared today. Theme is distributed by FreelanceWP.com.

Project 10 Theme, Version 1.0.
Remote file upload vulnerability. Distributed by ThemeForest. Exploit appeared today.

Please remember: Deactivating a theme or plugin with a security hole does not make it safe. You need to remove all files from your system to remove the security hole in a theme or plugin. If your theme or plugin is listed here, don’t panic. First contact your theme or plugin author or vendor. Work with them to determine if your particular version contains the vulnerability we’ve publicized and get their advice on what action to take. If they are not contactable after a reasonable amount of time, work with your hosting provider or site developer to determine if you have a vulnerability and what action to take.
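
An added example (not part of the Wordfence notice or of this post): since a deactivated theme is still on disk, the check has to look at the files rather than at which theme is active. This Python script reads the `Theme Name` and `Version` header fields from each `style.css` under a themes directory and reports folders whose name is on the list above; matching on the header name is an assumption, so a hit means "ask the vendor", and the demo folders and versions are constructed.

```python
import re
import tempfile
from pathlib import Path

# Names copied from the notice on this page (lower-cased, "Theme" dropped).
# "Cubed Themes" is left out: the page does not give a single theme name.
FLAGGED = {
    "army knife", "charcoal", "rockstar", "reganto", "ray of light", "radial",
    "oxygen", "bulteno", "bordeaux", "amplus", "make a statement", "dimension",
    "euclid", "project 10",
}
# style.css header fields, e.g. "Theme Name: Charcoal" / "Version: 1.0".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)


def read_header(style_css):
    """Return the first 'theme name' and 'version' values found in style.css."""
    fields = {}
    for key, value in HEADER_RE.findall(style_css.read_text(errors="replace")):
        fields.setdefault(key.lower(), value)
    return fields


def scan_themes(themes_dir):
    """List flagged themes found on disk, whether or not they are activated."""
    hits = []
    for style in sorted(Path(themes_dir).glob("*/style.css")):
        hdr = read_header(style)
        name = hdr.get("theme name", "")
        if name.lower().replace(" theme", "").strip() in FLAGGED:
            hits.append((style.parent.name, name, hdr.get("version", "unknown")))
    return hits


def demo():
    """Run the scan over constructed theme folders (names/versions made up)."""
    samples = {"charcoal": ("Charcoal", "1.0"), "oldshop": ("Army Knife", "1.3"),
               "twentyfourteen": ("Twenty Fourteen", "1.0")}
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, ver) in samples.items():
            theme = Path(root) / folder
            theme.mkdir()
            (theme / "style.css").write_text(
                f"/*\nTheme Name: {name}\nVersion: {ver}\n*/\nbody{{margin:0}}\n")
        return scan_themes(root)


if __name__ == "__main__":
    print(demo())
```

On a real site, point `scan_themes` at the `wp-content/themes` directory; the folder name in each hit is the one to delete if the vendor confirms the version is affected.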


Our friends at wordfence.com have flagged an issue with WooCommerce.
It appears that there is a vulnerability that could allow an attacker to create a website that could steal a WooCommerce administrator’s cookies when they visit that site, and allow the attacker to access the target site with admin privileges. Evidence of exploits has been seen in the last 48 hours.

The vulnerability is in WooCommerce version 2.0.17, which is the current version, still being distributed.
An updated minor release, version 2.0.18, is expected to be released either later today or tomorrow. Users are advised to upgrade immediately once WooCommerce 2.0.18 is released.

We’ve also been told of a vulnerability in versions of the WP Awesome Support plugin that could allow an attacker to upload any file to your system. Since the last update to this plugin was on 14 September 2013 – it seems that this vulnerability exists in the current version.

Lastly, there is also an arbitrary file upload vulnerability in the current version of the Magnitudo theme in the wild, so please contact the vendor for a fix. The theme was last updated in April of this year. An exploit for this is being actively distributed. Google for details.



Fighting in the trenches

It’s almost a cliché now: “Work on your business instead of in your business”

If that’s new to you – it’s quite an eye opener. The idea that as business owners, we’re so involved in everyday execution that we don’t spend time to work on the strategy and tactics that will drive our businesses forward.

Michael Gerber’s classic “E-Myth” books teach how to document business operations into systems – so that the day to day running of the business can be outsourced or delegated – allowing the business owner to concentrate on marketing and innovation.

Not all businesses are ready for outsourcing or delegation – but putting aside at least a few hours a week solely to work on your business is a good start.

But here’s an interesting observation…

Even when business owners are prepared to let go (at least in part) of daily execution – the ‘technician’ role as Gerber describes it – they often fall into the same role working on their business.

Working on your marketing is imperative; but for many business owners that manifests as trying to build their own website, learn how to manipulate code, configure email auto-responders and make all the technical aspects of the online and offline marketing work effectively.

They immediately submerse themselves at technician level, fighting in the trenches instead of planning the battle.

Perhaps some of this is due to the cost of hiring outside help. But is it the cost, or the price that’s the problem?

What’s your own time worth per hour?
What’s the Lifetime Value of a customer?
What does it cost to acquire a new customer?

If you can’t answer these questions – I’ll bet you’re in the trenches too.