Protect Your Website From This Common Form of Hacking

In the world of website security, your login page can be the most vulnerable part of your website. If you log in with a common username and a weak password, you could be the perfect target for a brute force attack.

What is a Brute Force Attack?

A brute force attack is the most rudimentary form of hacking: it employs bots that try different combinations of usernames and passwords until they find the right one. These are called malicious login attempts and can affect your website’s performance.

Each time a visitor lands on your website, their browser sends an HTTP request to your website’s server from their IP address. When bots constantly hit your login page trying to guess your password, the number of HTTP requests spikes. All this traffic will slow down your site or, worse, cause your server to run out of memory.

Secure Login Credentials

Choosing strong login credentials is the first step to better web security — on any site. Change your username from “admin” to something unique. “Admin” might be simple to remember, but it’s also easy to hack. Avoid using passwords that contain a version of your own name or a word in the dictionary. Choose a passphrase with a mix of numbers and letters or use a password manager that will generate secure passwords and save them for you.

If you have Jetpack installed on your site, you can enable Secure Sign On and use the same credentials you use for WordPress.com to sign in to self-hosted WordPress.org sites quickly and securely. You can choose to make this the only way to log in and disable the default login form completely.

Jetpack Brute Force Attack Protection

It’s not just your blog content at risk during a brute force attack. If a hacker successfully accesses your administrator account, your entire server could be compromised. That’s why every Jetpack Protect plan includes protection from brute force attacks, including distributed attacks that use many servers against your site.

When an IP registers too many failed login attempts, Jetpack will block that IP from accessing the login form, quickly limiting HTTP requests before they slow down your site. Your site will be protected, and you can see the number of attacks that Jetpack has stopped with a widget in your self-hosted site’s dashboard.
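As an added illustration of the rule just described (this is not Jetpack’s own code; its thresholds and log format are not given here), a small tracker that blocks an IP after repeated failed logins in a time window and, for the distributed case mentioned above, flags a username being tried from many distinct IPs. The log format, IP addresses and limits are constructed for the example:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (invented for this example, not a real Jetpack or WordPress log):
# one attempt per line, "<ISO timestamp> <ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 admin FAIL
2024-05-01T10:00:02Z 203.0.113.5 admin FAIL
2024-05-01T10:00:04Z 203.0.113.5 admin FAIL
2024-05-01T10:00:05Z 203.0.113.5 admin FAIL
2024-05-01T10:01:00Z 198.51.100.7 editor FAIL
2024-05-01T10:30:00Z 198.51.100.7 editor OK
2024-05-01T11:00:00Z 192.0.2.10 admin FAIL
2024-05-01T11:00:01Z 192.0.2.11 admin FAIL
2024-05-01T11:00:02Z 192.0.2.12 admin FAIL
"""

def _prune(q, now, window):
    # q holds (timestamp, ip) pairs oldest first; drop everything outside the window
    while q and now - q[0][0] > window:
        q.popleft()

class LoginGuard:
    """Block an IP after ip_limit failures in the window; also flag a username that
    fails from user_ip_limit distinct IPs, the distributed case a per-IP rule misses."""
    def __init__(self, ip_limit=3, user_ip_limit=3, window=timedelta(minutes=10)):
        self.ip_limit, self.user_ip_limit, self.window = ip_limit, user_ip_limit, window
        self.ip_fails = defaultdict(deque)    # ip   -> recent failures
        self.user_fails = defaultdict(deque)  # user -> recent failures
        self.blocked_ips, self.flagged_users = set(), set()

    def observe(self, ts, ip, user, ok):
        """Return True when the attempt must be rejected because the IP is blocked."""
        if ip in self.blocked_ips:
            return True
        if ok:
            self.ip_fails[ip].clear()  # a genuine login resets that IP's failure count
            return False
        for q in (self.ip_fails[ip], self.user_fails[user]):
            q.append((ts, ip))
            _prune(q, ts, self.window)
        if len(self.ip_fails[ip]) >= self.ip_limit:
            self.blocked_ips.add(ip)
        if len({e[1] for e in self.user_fails[user]}) >= self.user_ip_limit:
            self.flagged_users.add(user)
        return False

def replay(log=SAMPLE_LOG, **limits):
    """Feed a log through LoginGuard; return (blocked IPs, flagged users, rejected count)."""
    guard, rejected = LoginGuard(**limits), 0
    for line in log.splitlines():
        ts_s, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        rejected += guard.observe(ts, ip, user, result == "OK")
    return sorted(guard.blocked_ips), sorted(guard.flagged_users), rejected
```

Replaying the sample blocks 203.0.113.5 after its third failure and rejects the fourth attempt, while the three single-failure IPs trying “admin” stay under the per-IP limit and are only caught by the per-username check.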

Next Steps: Compare plans and choose the right one for your site.


Understanding the Value of Website Backups

WordPress websites of all sizes rely on web hosts to keep them up and running. However, glitches, malware, and human error can all threaten your site. As a website owner, it’s your responsibility to ensure you have an up-to-date backup of your site at all times.

Protect Against Brute Force Attacks

Your first defense is to block suspicious login attempts with a security plugin like Jetpack that offers brute force attack protection.

A brute force attack is the most rudimentary — and common — form of website attack. In an attempt to gain access to your site, large networks of automated bots try different combinations of usernames and passwords until they find the right one. These malicious login attempts can also affect your website’s performance.

Protect Against Malware and Code Vulnerabilities

Although brute force attacks are very common (and successful), they aren’t the only thing that can jeopardize your website.

Malware — sometimes referred to as “viruses” — can be plugins, themes, and other scripts that pretend to be legitimate products (sometimes actually providing an apparently valuable service). Malware contains code behind the scenes that steals or deletes your data, modifies your links to steal your traffic, or simply breaks your site.

Code vulnerabilities can have a similar effect, but the difference is that they are unintentional. No code is perfect, and sometimes developers write code that contains unknown loopholes that malicious hackers can exploit to achieve the same goals as malware.

In both cases, the solution is proper malware protection via an automated security scanning service (similar to an “anti-virus” product) that regularly scans all your code to see whether known vulnerabilities are present or whether modifications have been made without authorization.

Minimize Downtime with a Contingency Plan

Even if you have all the protections described above in place, you should still have a contingency plan for the situations where human error or new hacking techniques compromise your site.

Your contingency plan for accidental damage, malware, and brute force attacks should include daily backups of all of your web content. If anything happens to your site, having a recent and easily accessible backup will ensure it’s up and running again quickly — either by restoring it or by migrating it to another server — thus keeping downtime to a minimum, since in most cases downtime means loss of income or reduced search engine rankings.

Automatic backup services like Jetpack’s Personal plan make it easy to restore your site in a few clicks. High-traffic sites that generate revenue, like eCommerce, subscription, or advertising sites, should choose the real-time backups offered in Jetpack Professional. (“Real-time” means a current backup is always available and includes an unlimited backup archive, so you can always roll your site back to any point in time since signing up.)

Tie Up Loose Ends with a Personal Touch

Mistakes happen, and it’s all too easy to accidentally delete a database or break your site’s functions while trying to update your files and plugins. If you have access to a developer, or can afford to keep one on retainer, you should rely on them to update or restore your site.

For most users, however, the personal yet expert support we offer as part of all our paid plans is enough to guarantee that additional peace of mind.

Next Steps: Compare plans and choose the right one for your site.


A Simple Guide to Choosing the Right Plan for your WordPress Site

Jetpack offers three paid plans that help you take your WordPress website to the next level.

These plans are designed for every type of user or business — whether you’re running your own site or working with a team of developers to help you. Here are a few things to consider when choosing your plan:


Jetpack 4.1: Secure Sign On Improvements, Two New Sharing Buttons, and More

Jetpack 4.1 is here, and it’s packed with performance improvements, new features, improvements to existing features, and bug fixes!


Jetpack 4.0.4: Security Update, Bug Fixes and Improvements

Jetpack 4.0.4 is now available for download and includes some important security updates, bug fixes, and improvements. We recommend that you update your sites to the latest version as soon as possible.


Jetpack 4.0.3: Critical Security Update

Jetpack 4.0.3 contains a critical security update, and you should update all the sites you manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.



Jetpack 3.9.2: Maintenance and Security Release

Jetpack 3.9.2 is now available for download. We’ve added two security updates as well as several bug fixes and enhancements. We recommend that you update your sites to the latest version as soon as possible.


Security updates

  • Beautiful Math: there was a potential XSS vulnerability when parsing LaTeX markup within HTML elements. The issue was discovered and fixed by our security team.
  • Contact Form: private site credentials could be saved in plain text in WordPress’ postmeta table when said credentials were set to be stored in Environment variables. The issue was discovered by Oliver Liu.

Other minor fixes

This release also includes other bug fixes:

  • Nova Menus: fixed notices as well as issues when adding menu items in bulk.
  • Publicize: Authors can now access their Publicize settings again.
  • Publicize: fixed problems for Australian and Canadian English sites using Publicize to send their posts to Facebook.
  • Embeds: it is now possible to embed Instagram posts using a www in the URL.
  • Widget Visibility: fixed an issue appearing when a page title matched an existing page ID.
  • And many more updates, listed in the changelog.

Enhancements

We added 2 new oEmbed providers, Codepen and Sketchfab. Just paste a URL in your post editor, and enjoy! Here’s a Codepen example:

We also added new filters to allow you to customize the Contact Info widget, define custom patterns to be ignored by Jetpack Markdown, or change the heading of the Related Posts.

Finally, we created a shortcode to allow you to display the Top Posts & Pages Widget anywhere on your site.

Staging Mode

Do you use a backup / cloning plugin to clone your production site to a staging environment? Starting with Jetpack 3.9.2, you can use a constant or a filter to flag a site as a “Staging site”, thus avoiding conflicts and synchronization issues with Jetpack.

Thanks to everyone who contributed to 3.9.2:

Alex Kirk, Allen Snook, Andrew Duthie, Barry Abrahamson, Ben Lowery, Bob Ralian, Brandon Kraft, Chris Rosser, Christopher Finke, Claus Colloseus, Crystal Barton, Dan Walmsley, Daryl L. L. Houston, Derek Smart, Elio Rivero, Enej Bajgoric, Eric Binnion, Gregory Cornelius, Igor Zinovyev, James Nylen, Jenia Laszlo, Jeremy Herve, Joey Kudish, Jorge Bernal, Justin Shreve, Kat Hagan, Konstantin Kovshenin, Lance Willett, Mahangu Weerasinghe, Marcus Kazmierczak, Matt Wiebe, Miguel Lezama, Mike Adams, Mo Jangda, Payton Swick, Rocco Tripaldi, Sam Hotchkiss, Sendhil Panchadsaram, Stephen Edgar, Timmy Crawford, and Veselin Nikolov.


Securing your Site with Jetpack


Website security is important, although it can seem daunting or tedious — it doesn’t have to be. These six simple and effective best practices will help you protect your WordPress website from malicious, unwanted attention (hint: Jetpack can help!).


Jetpack 3.7.1 and 3.7.2: Security and Maintenance Releases

With the release of Jetpack 3.7.1 and 3.7.2 this week, we’ve added some important security updates and bug fixes. We strongly encourage you to update your sites to the latest version as soon as possible.


In Jetpack 3.7.1 we made a lot of improvements to the plugin, including some important security fixes:

  • Jetpack versions 3.7.0 and earlier are vulnerable to a cross-site scripting vulnerability in the contact form due to improper input sanitization. Reported by Marc-Alexandre Montpas from Sucuri.
  • Jetpack version 3.7.0 is vulnerable to an information disclosure vulnerability in certain hosting configurations. Reported by Jaime Delgado Horna of Listae.

Other notable updates in this release include:

  • Updating the Google+ logo in our sharing buttons.
  • Adding custom capabilities for module management for multisite installs.
  • Fixing a bug that was sending the contact form response fields in the wrong order.

In Jetpack 3.7.2, we fixed a REST API error that created multiple drafts and multiple published posts when publishing through the REST API.

The full changelog can be found on our plugin page.

Thanks to everyone who contributed to these two releases: Alexander Kirk, Andrew Duthie, Brandon Kraft, Dennis Snell, Derek Smart, Dion Hulse, Eduardo Reveles, Enej Bajgoric, Eric Binnion, George Stephanis, Gregory Cornelius, Igor Zinovyev, James Nylen, Jeremy Herve, Jesse Friedman, Joen Asmussen, Joey Kudish, Kat Hagan, Marcus Kazmierczak, Miguel Lezama, Sam Hotchkiss, and Timmy Crawford.


Jetpack 3.4.3: Coordinated Security Release

Jetpack 3.4.3 contains a critical security update and you should update your sites and any you help manage as soon as possible.

Background

Sucuri notified us of an issue where improperly escaped URLs were being generated by a number of high-profile WordPress plugins, including Jetpack and Yoast. We’ve worked with the WordPress Security Team to coordinate a release which is being pushed out to all users. By the time we published this post (6pm GMT, April 20, 2015), if you haven’t opted out of auto-updates, your sites will update themselves automatically.

The Vulnerability

The vulnerability Sucuri discovered would allow an attacker to send a WordPress user with administrative rights a link which could execute malicious JavaScript. The vulnerability was introduced in Jetpack 3.0 and to date we have no evidence of this being exploited. However, now that this update is public, it’s more likely that exploits may occur. To avoid a breach, you should update your site as soon as possible.

How to Update

We have prepared and shipped updates to all affected versions of Jetpack. Unless you’ve opted out, your sites should update automatically – please check your sites to confirm that the Jetpack plugin has been successfully updated to one of these versions: 3.0.3, 3.1.2, 3.2.2, 3.3.3, or 3.4.3.

If not, please visit the Plugins page in your Dashboard and update Jetpack from there or update all your sites in bulk from wordpress.com/plugins/jetpack.

Note: Not all plugins affected by this issue will be auto-updating; some will be releasing updates separately. For that reason, we highly recommend that you ensure all your plugins are up to date as updates are released over the next few days.

We also recommend updating any other plugins you may have installed to their latest version, since not all plugins will update automatically the way Jetpack does.

Feedback

As always, we greatly appreciate your continued use and support of Jetpack and we sincerely apologize for the inconvenience this has caused.

We take the security of your sites extremely seriously so please feel free to get in touch with our support team, create a new forum post, or leave a comment on this blog post if you have any concerns or problems updating.

We’d also like to extend our huge thanks to the crew on the WordPress Security Team who worked around the clock – and across timezones and several plugin teams – to coordinate today’s release.
