Bottom line: To protect against a new kind of attempt to hack into WordPress sites, use software that will detect and stop these attempts. We can install and set up a software package that is free, so you pay for only our time (about an hour). All WordPress sites that lack security software are vulnerable. All sites (not just WordPress) should have passwords that are nearly impossible to guess.


There’s a new kind of brute-force attack, and it doesn’t involve clubs, nunchucks, or dynamite. The target is a function within WordPress that goes by the alphabet-soup name “the XML-RPC service.” Attackers use that service to find a site manager’s password. From there, they can do anything they want: break the site, send out spam, conduct identity theft, even launch attacks on other Web sites. If you have a WordPress site, you may be vulnerable (most are).

Fortunately, there is protection against this kind of attack.

Awhile back, hackers broke into the WordPress site of one of my clients and created a set of hidden pages that tricked users into entering their personal information (passwords, etc.), then transmitted that information to the hackers. We found and deleted those pages and the programming that ran them, and we changed all the passwords related to that site, but we needed to also ensure the hackers wouldn’t find a way in again and start their criminal activity all over.

The site’s hosting company wanted to sell us an expensive security package. Our WordPress expert advised that a free alternative, Wordfence, would be just about as good, while saving our client significant money.

So, what is this thing called a "brute-force attack"? How does this relate to the XML-RPC service? How do I protect my site from it? And if I don’t have a WordPress site, am I still vulnerable?

A “brute-force attack,” in Internet terms, is where automated software tries to guess your log-in password, making hundreds, thousands, or millions of attempts in rapid succession. The software may simply go through various combinations of letters, numbers, and words; a more-sophisticated version may scan your Web site looking for clues (e.g., a particular name appears repeatedly, so the software guesses you’ve incorporated that name into your password).

The new “XML-RPC” attack uses a function within the WordPress system to vastly multiply the number of guesses the hackers can make while reducing their chance of detection. Basically, it allows the attacker to send many guesses in a single command, so many more attempts can be tried in a short period of time. Moreover, some protection software might not notice how many attempts are being made, because hundreds or thousands can be “bundled” together and the software sees only the number of bundles, not what’s inside of them. (A somewhat-technical explanation of how this attack uses XML-RPC may be found here.)

One way to protect against this particular type of attack is to disable the XML-RPC function. However, this function may be needed by your site’s plug-ins (software that extends the functionality of WordPress, such as Contact Form 7 to create feedback forms on your site), so XML-RPC should be disabled only if you are sure you don’t need it.

Another way to defend against this kind of attack is with software that will block the hackers’ log-in attempts. After our client’s site was hacked, we installed a WordPress plug-in called Wordfence. Wordfence stops users from logging in after a certain number of failed attempts. It also monitors where the attacks originate and will block specific Web addresses or even countries. (Our client’s site has been attacked frequently from France. Since the only people allowed to manager her site are in the U.S., we are fine blocking log-in attempts from abroad.) These are all customizable settings.

Wordfence protects against the XML-RPC attack because it isn’t fooled by the attackers’ effort to hide how many log-in attempts they are making. It “sees” 1,000 attacks whether they come via 1,000 individual commands or are all hidden within a single XML-RPC command.

If you would like us to ensure that your WordPress site is protected against this kind of attack, let us know. We’ll see whether you already have protection installed, and whether it guards against XML-RPC attacks. If necessary, we can install and set up Wordfence. The cost would be under $100.

The number of XML-RPC attacks is rising dramatically, and probably will continue to do so: As hackers gain access to more WordPress sites, they use them to launch attacks against still more sites. The chart below shows statistics compiled by Internet security firm Sucuri as of a week ago. There were 60,000 attacks on Oct. 7 alone. (Each attack can represent hundreds or thousands of log-in attempts.)

Make sure your site doesn’t become a target — and that it doesn’t get used to make even more victims.



What about non-WordPress sites? Continued below ↓

Source: Sucuri blog entry, Oct. 10, 2015, retrieved Oct. 14, 2015.

What about non-WordPress sites? WordPress is a target because there are so many WordPress sites with poor security, so hackers get a lot of mileage going after them. But any site with a log-in password is vulnerable to brute-force attacks, especially if you use a guessable password. And many people who think their passwords are safe will be surprised: remember, a computer can guess thousands of different passwords per second.

Some tips for secure passwords:

1. Longer is better. Minimum 8 characters (including letters, numbers, and punctuation); Edward Snowden says that’s too short; some others say at least 12. Each additional character multiplies the number of possibilities and lengthens the amount of guessing time needed.
2. Avoid dictionary words, names, or information that’s easy to find about you (birthday, address, phone number, school you attended...). If you can Google your name and the information and find it, don’t use it in passwords.
3. Use a combination of UPPERCASE and lowercase letters, as well as numbers and symbols.
4. If you want to be able to remember your password, instead of words or names, use the first initials. Instead of “ThisIsMyPassword28934” (or “This Is My Password 28934” if you are allowed to use spaces), try “TiMP28934!” (Where “28934” is not something easy to track down. You used to live in area code 289, and moved away when you were 34; that won’t be too obvious.)
5. Don’t use the same password for multiple sites. I don’t use memorable passwords, and I have a different password for every site or account. I keep them in a secure file that itself is encrypted with a strong password. I have set up similar systems for clients, and could help you with that too.

More about secure passwords may be found here. A secure-password generator and software for securely storing passwords may be found here.

More about brute-force attacks may be found here.

Question about domain names posed on LinkedIn, and my response:

Do you recommend a short, easy-to-remember name OR a name that maintains consistency with the branding?
___________________________________

I don’t think there is a “one-size-fits-all” answer to this question. Some factors to consider:

• How do you expect people to reach the site most often? If by clicking a link, the memorability of the Web address isn’t relevant. If by searching, consider the terms your prospect would search: A domain name should be selected that is likely to improve search results. If by hearing about the product or business, the domain name should be related to the name people would most likely hear. If by hearing about the Web site itself, the domain name should be memorable.
  
• How important is the branding, and how important is the Web address in that branding? For Whole Foods, it would be a bad thing if the company didn’t have wholefoods.com as its Web address. For Church & Dwight Co., maker of Pepsodent toothpaste, it doesn’t matter much that the company doesn’t use churchanddwight.com because nobody knows the company name. (I had to look on a toothpaste tube.) However, it is unfortunate that Pepsodent licensee Unilever-Indonesia owns pepsodent.com; one would think the U.S. market is more important for that brand.) If the Web site *is* the service (timeanddate.com), or the service is only online (paypal.com), then the domain name is crucial to branding. Keep in mind that once someone is on your Web site, the domain name isn’t very noticeable unless you draw attention to it (e.g., by displaying it in a logo or text on the page): It appears in the Web-address bar of the browser, which doesn’t stand out much visually, and perhaps in the window title or tab, which also is “outside the margins” of the browser window and therefore not very noticed.
  
• How unique is the product, service, or company, and how unique are the terms people would use to search for it? If it’s relatively unique, you have a pretty good opportunity to show up near the top of search results regardless of the domain name. A search for Dental Chair Manufacturer produces several results that didn’t include the phrase “dentalchair(s)” in their Web addresses. (One that did, sort of — www.midmark.com/products/dental/chairs — came up only fourth in the results.)
  

All of that said, it’s best to avoid confusing users by having a logo or business name that would make them think the Web address is different from what it is. In the aforementioned dental-chair category, take a look at http://www.summitdental.com/. The company emphasizes “SDS” in its logo. But sds.com takes you to a different company. I would recommend changing the logo to emphasize Summit Dental, the words in the domain name; or buying the sds.com domain if the owner would sell it reasonably, then making sds.com an alternate address for the site. (At least sds.com isn’t one of Summit’s competitors.)

I hope these thoughts are useful.

— Steve Freedkin
http://your-attention-please.com

In this message:

• A Few Tips for Internet Security
• Polishing Up Your Web Presence in 2015

Greetings of the season!

I hope you’re having a great time with your loved ones.

During this holiday season, while most people are enjoying time off of work, perhaps travel, and in many cases shopping, a few people are extra busy — including criminals bent on credit-card and identity theft.


Be Safe Online

This is a good time to review a few tips to improve the security of our critical data.

1. Use secure passwords for your online accounts. Avoid passwords that consist of a combination of words and numbers that could be guessed. Your middle name, former street address, and mother’s birthday are not hard to find; a hacker who gets into your e-mail account (Yahoo and some other “freemail” accounts are particularly insecure), for example, might find those pieces of information within your past correspondence, then be able to get into your bank account by trying various combinations of those numbers and words (using software that can try thousands of guesses per second). One way to create a secure but memorable password is to think of a phrase that’s not very common (my friend Joe lives in Idaho), then combine the initials of those words along with a couple of numbers and symbols (m#1fJliI). Not guessable, yet you can remember it.
2. Don’t use the same password for different accounts, or passwords that differ by a guessable pattern (like dogFB for Facebook, dogTW for Twitter). This should apply even to “unimportant” accounts, such as a Yahoo mail account you use only for list subscriptions. You aren’t the only one at risk: People who break into those accounts can use them to launch cyber-attacks on others, as happened recently to the host of several Web sites I manage.
3. If you keep a list of passwords in a master document, make sure that document is strongly encrypted with a secure password (not guessable, contains numbers and symbols/spaces as well as letters, and is longer than 10 characters). You need remember only that one password; all your other passwords will be within that document. File-encryption programs are available for Mac ($6) and Windows or Mac ($30). It is also possible to put your data in an Excel or Word file and protect that document with a strong password, which also encrypts it; however, there are programs that claim they can break that security, which I will be testing soon.
4. Encrypt the file even if it’s only on your computer, though you should have an offsite backup securely stored somewhere: Last weekend my partner’s office suite was broken into by thieves who smashed through a wall to get in(!), and a computer was stolen. You don’t want thieves accessing your list of passwords, nor leaving you without your passwords. Keep that document always encrypted; after you open it, if it doesn’t automatically encrypt on closing, make sure to encrypt it manually, delete the unencrypted version, and empty the trash. (Ideally, empty the trash securely: See instructions for Mac and Windows.)

One of the services I offer clients is to review and tighten up their online security. Let me know if this is of interest to you.


Looking Ahead To 2015

I look forward to helping clients (including you?) create greater success in 2015 by improving their online presence.
For new clients (people who have not previously hired me for work), my rate will be increasing a little more than 7% in 2015. Existing clients will continue to benefit from my 2014 rate for at least the first half of the year.

If you haven’t worked with me yet but are considering doing so, you can lock in the 2014 rate even though we’ll be working together in the near year. Here’s how:

1. Let me know by December 31 that you’d like to work with me, and what work you’d like done.
2. I will get you an estimate as soon as I can (certainly by Jan. 20 if we can sketch out the project[s] by Jan. 7).
3. If you accept the proposal by Jan. 31, I will perform that work at the old rate.

So, if you have some down time before the start of the year, a good way to use it will be to review your online needs — giving you a jump-start on building your success in 2015 (as well as enabling you to lock in my services at the old rate).

Have a great remainder of 2014, and I wish you all the best for the new year!

— Steve