There is a new vulnerability in older versions of WordPress and Drupal that will allow a denial of service attack to a server that will cause the memory and CPU resources to max out. This vulnerability has been corrected in the latest versions of the software packages, but users of earlier versions are vulnerable and need to take immediate action.
If any sites you are maintaining run less than WordPress version 3.9.2 or Drupal 7.31, these versions should be patched immediately.
Starting with WordPress 3.7, automatic updates have been turned on and you should utilize this service. It still requires manual intervention to get started.
If you have installed WordPress on your site, please take a minute or two to ensure your site is protected against attacks like this one. Here are some basic security tips:
- Change both the admin username and password: By default, the administrator login name is set to “admin” – and most brute force scripts have this ID and some basic variations (e.g. administrator, root, test, etc…) hardcoded as the IDs they attempt to break into. Change the username for your administrator account to something obscure.
- Have a strong password: You know the drill: more than 8 characters, letters and numbers, no English words, no dates, mixture of capitals and lower case. Consider using a random password generator and a secure password manager to store it so you don’t have to memorize it.
- Install a security enhancing plug-in: The core WordPress application lacks some basic security features, such as the ability to limit the number of failed login attempts. Fortunately, you can add functionality like this via some popular plug-ins:
- Bad Behavior: http://wordpress.org/extend/plugins/bad-behavior/
- Better WP Security: http://wordpress.org/extend/plugins/better-wp-security/
- Limit Log-in Attempts: http://wordpress.org/extend/plugins/limit-login-attempts/
Drupal does not offer automatic updates at this time. To keep current with Drupal updates and vulnerability notifications, subscribe to https://www.drupal.org/security.
HostMySite always recommends keeping software, plugins, and any other applications you have installed on a server, shared, VPS, Cloud or dedicated, up-to-date for security reasons.