Posted on 5 Comments

WordPress Brute Force Attack Advice

None of us can sit totally on our laurels and think we’re safe from any hack on any website.

The hackers don’t care if we’re large or small, they just want to use our webspace.   There’s been a lot of talk about what to do to protect ourselves from Brute Force attacks, and while we can do as much as we can, I don’t think it’s possible to protect ourselves from everything.

If we’re attacked by a botnet of about 90,000 addresses to choose from, we do need to try and do something to mitigate the risk to our blogs.

WordPress itself has done a lot of work to help us with this, and Matt Mullenweg who is the creator of WordPress has released a statement that outlines a fix we can all use to help ourselves.

What he said is more of less that WordPress 3 allows us to use custom names when we install our blogs and that we should be changing the default “Admin” username.

He said:

 “Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).”

Looking at his advice, he recommends changing any username from admin to something else and making our passwords stronger.  If Admin is the weak link, then change it we must.   The admin login is set when we set up our blogs, and changing it is actually really easy.

I do have a login limiting plugin with Wordfence which I like, but it clearly isn’t enough on its own.

To Change your Admin username, or make a new one, simply follow the instructions.

Username 1

  1. Login as your Admin User Account.
  2. Make sure your WordPress version is up-to-date.
  3. Click Add New on the User tab in your dashboard.
  4. You will need a new e-mail address to set up a new user.
  5. Choose “Administrator” as the Role.
  6. Don’t choose a username that you are known by elsewhere.  For me, choosing Lesley as a username would be weak as it’s my name and it’s on my blog for anyone to find.
  7. With your password, choose a difficult one with a mix of letters, numbers, symbols and both uppercase and lowercase letters.
  8. Don’t click to send the password by e-mail.  The fewer places it goes online the better.
  9. Click “Add User”.
  10. Logout of your Admin Account and login as your new user.
  11. Go back to your User tab in your dashboard and click “All Users”
  12. Go to the Admin User and Hover above the name.  You will see the option to edit or delete.  Click to delete.
  13. It will give you the option to attribute all posts by the Admin User Account to another username.  Choose your selection.
  14. Click “Confirm Deletion”.

That’s all you have to do to help keep your website a bit more safe from the Brute Force attack.   If your logins are weak or easy to guess, go change them as fast as you can.





Posted on 25 Comments

Sponsored Posts & Reviews Using Free WordPress Blogs – Not Allowed

I was asked  a question today so I thought I should look up the answer quickly.  It was a simple one and as I’ve never used the free blogging platforms, it’s not one that I had paid any attention to in the past.   All she wanted to know was if it was within Terms and Conditions that she could accept sponsored posts on a blog.

I know there are plenty of people out there who have taken the risk of using freebie blog hosts to take compensation in goods, services or cash for the written word on the blog, but I didn’t know the actual rules for or against.

Checking against TOS, it seems that it is forbidden to actually take any form of paid posts in sidebars, posts or anywhere else.   Looking deeper in, it seems that people who do flout the rules have the potential to have their blog pulled out from under them at no notice.

I am quite surprised at the complete ban on using blogs in this way, but I’d guess it would be so that they are not responsible as a company for being associated with anything advertised on blogs within their network.   It looks like Google Blogger allows sponsored posts and reviews as long as they don’t breach the content policy, but everyone should check that out for themselves.

The WordPress Terms and Conditions on Advertising clearly say that sponsored posts on WordPress . com, (or paid posts) are NOT allowed.  Moderators on their forums have cleared up that payment via goods or services, eg by doing reviews are also part of the prohibition although that doesn’t seem clear in the Advertising Terms and Conditions.

So, pretty much, a lot of parent blogs accepting freebies on the free blog software are doing so against the Terms and Conditions of the hosting companies.

I think I’m glad I took my blog down the self-hosted route when I changed the name to Scottish Mum.  At least I don’t have to worry about my blog disappearing if I upset someone and they report my blog.

In answer to the question I was asked, we’ve shelved the free WordPress option and I’m in the middle of setting my friend up as self-hosted blog.

Being on a free platform might be nice, but the risk is too great for her and we found a great little host that supports the self hosted version of WordPress and will allow sponsored content from the start.  She gets webspace, and WordPress support with her own domain name for about £16 a year.  It’s not an advert for them so I’m not going to post their name here, but if anyone wants to know it – send me a message as it’s been very reliable for my husbands work website.

To be clear, these types of posts are NOT allowed on the FREE WordPress blogging software option.

  1. Ad – Sense Ads Unless Placed by WordPress themselves.
  2. Sponsored or paid posts.
  3. Affiliate or referral links.
  4. Clickthroughs or MLM networking.
  5. Sponsored Content. (I presume this means reviews where a product is the payment)

If you are in any doubt, contact WordPress support to see where you stand.

Post amended after comments on Twitter about Google Blogger allowing sponsored content.