WordPress Sites Being Attacked – How to Protect Yours

A widespread attack is under way across the internet, looking for and compromising WordPress-based websites. The attack method is fairly unsophisticated, but it is quite powerful because of its breadth. Protecting your site against this attack is not particularly difficult, although that might change if it becomes more sophisticated.

The attack attempts to log in to WordPress using the username “admin”. The machines doing this assume that the username “admin” exists and then perform a “dictionary attack”, which just means trying all sorts of passwords from a very large index of possible passwords until they find one that works. The dictionary here is not an actual dictionary, but a metaphorical one that includes all real words, plus many variations and combinations with numbers and symbols thrown in as well. Dictionary attacks are very basic but also very effective, and they are the reason it is so important to use good, strong passwords.

Once a person is able to log in to WordPress as an administrator, they have full powers and privileges and can use the machine that hosts your website to do pretty much anything they want, such as turning around and attacking someone else’s machine. One thing that is known about these attacks is that they come from over 90,000 IP addresses, which could mean they have compromised that many websites.
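Because the guesses are spread over so many addresses, counting failures per IP address alone can miss this pattern. The following is an added example, not code from the original post: it reads web server access logs in the common "combined" format and flags both a single noisy address and guessing spread thinly across many addresses. It assumes stock WordPress behaviour (a failed login at `wp-login.php` returns 200, a successful one redirects with 302); the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (time, ip) for each POST to wp-login.php answered with 200.

    Assumption: stock WordPress re-renders the form (200) on a bad password
    and redirects (302) on success; plugins or proxies may change this.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def detect(log_text, window=timedelta(minutes=5),
           per_ip_limit=5, site_limit=8, min_ips=4):
    """Flag single noisy IPs and, separately, guessing spread over many IPs."""
    events = sorted(failed_logins(log_text))
    noisy_ips, distributed, start = set(), False, 0
    for end, (ts, _) in enumerate(events):
        while ts - events[start][0] > window:   # drop events older than window
            start += 1
        counts = Counter(ip for _, ip in events[start:end + 1])
        noisy_ips.update(ip for ip, n in counts.items() if n >= per_ip_limit)
        if sum(counts.values()) >= site_limit and len(counts) >= min_ips:
            distributed = True
    return {"noisy_ips": sorted(noisy_ips), "distributed": distributed}

def _line(ip, hms, method="POST", status=200):
    # Builds one constructed log line; the date and sizes are arbitrary.
    return (f'{ip} - - [01/Jan/2024:{hms} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3021 "-" "-"')

# Constructed sample: ten addresses (documentation range), one failure each.
SPREAD_LOG = "\n".join(
    [_line(f"203.0.113.{i}", f"10:00:{i:02d}") for i in range(1, 11)]
    + [_line("198.51.100.9", "10:01:00", status=302),   # successful login
       _line("192.0.2.44", "10:02:00", method="GET")])  # just loading the form
# Constructed sample: one address failing six times in a minute.
SINGLE_LOG = "\n".join(_line("192.0.2.7", f"11:00:{s:02d}") for s in range(0, 60, 10))

if __name__ == "__main__":
    print("spread:", detect(SPREAD_LOG))
    print("single:", detect(SINGLE_LOG))
```

In the first sample no single address reaches the per-IP limit, yet the site-wide check still fires, which is the case a per-address lockout does not catch.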

So what’s the solution?

Java Security Issue

The U.S. Department of Homeland Security issued a recommendation that everyone who can should disable Java (not JavaScript, which I wish people would not disable).

It’s an interesting story because it is only the second time the DHS has asked people to remove/disable software. The previous time was a version of Microsoft Internet Explorer (big surprise, right?), until it was fixed. Java has a long, storied history, which I went over a little in my post Why So Many Programming Languages?. It seems most people who use Java aren’t aware they are using it.

It’s relatively rare to come across a website that requires Java. I’ve run into it the most when a video wanted to play and Chrome asked me if I wanted to give it permission. I don’t know why anyone is using Java for this purpose when there are so many lighter alternatives available. For the time being, if you run across one of these, the prudent thing to do would be to deny the website permission, because even though you may trust the website you are visiting, you can’t know if they have been compromised.

What I’m interested in with this mess is what it will do to the Java brand. Until today, many people were unaware they were using Java at all, so now they are being hit with this message: the Department of Homeland Security says your computer may be vulnerable because of a piece of software called Java that you didn’t even know you were running, and we don’t have a fix for it yet.

Despite once being on the brink of extinction when it failed to take hold in the browser, Java is still important. If you have an Android or a BlackBerry phone, you use it every day; all of your apps are built on it. But as far as I can tell from what I am reading, you’re probably pretty safe. I don’t know the technical details on this particular vulnerability, but Android apps run in a very tightly secured environment (each runs as its own Linux “user” under the Android operating system), so it’s likely they would be stopped before doing anything too destructive.

Update: Oracle has posted what they are calling a “fix” to the Java problem, but security experts are skeptical. ZDNet says it will be about two years before Oracle gets the security issues solved. My prediction is this will be the end of Java in the desktop browser. My new question is, will we soon be calling the unrelated language, JavaScript, by its more technically accurate, but clumsier name “ECMAScript”?