WP Super Cache and W3 Total Cache security

Several people have asked us about the recent WordPress WP Super Cache and W3 Total Cache plugin security vulnerability.

For the most part, sites hosted on our servers aren’t vulnerable to this because we block comments that contain the malicious code.


WordPress login rate limiting (again)

We’ve talked before about WordPress login rate limiting. Attempts to guess WordPress administrator passwords are an ongoing problem, getting worse all the time.

The average WordPress site we host has received tens of thousands of malicious login attempts this month, with hundreds of thousands of different IP addresses being used in the attacks. We try to block the IP addresses that are responsible, but the ever increasing number of addresses means we can’t block all of them — an individual address often attempts a login only once a day for a given site. We need to adopt other tactics.


WordPress 3.5.1

WordPress 3.5.1 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed WordPress, you can upgrade it from within your WordPress Dashboard.

As a reminder, you should always update immediately when WordPress tells you there’s a new version available in the Dashboard. Don’t let yourself get behind, because it gets more difficult to update smoothly if you’re several versions out-of-date.

In addition, don’t avoid upgrading just because the upgrade screen says you should make a backup of your WordPress files and database first: we already make backups for you, automatically, every day.

WordPress 3.5

WordPress 3.5 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed WordPress, you can upgrade it from within your WordPress Dashboard.

As a reminder, you should always update immediately when WordPress tells you there’s a new version available in the Dashboard. Don’t let yourself get behind, because it gets more difficult to update smoothly if you’re several versions out-of-date.

WordPress 3.4.2

WordPress 3.4.2 was released yesterday, and it contains important security updates to keep your site safe.

Our WordPress one-click installer automatically installs the latest version for new sites. If you’ve previously installed WordPress, you should upgrade it right away from within your WordPress Dashboard.

In fact, you should always update immediately when WordPress tells you there’s a new version available. Don’t let yourself get behind, because it gets more difficult to update smoothly if you’re several versions out-of-date.

WordPress 3.4

WordPress 3.4 was released yesterday, with some nice new features. Our WordPress one-click installer automatically installs the latest version for new sites. If you’ve previously installed WordPress, you should upgrade it from within your WordPress Dashboard.

WordPress 3.3.2

WordPress 3.3.2 was released today, and it contains an important security update to keep your site safe.

Our WordPress one-click installer automatically installs the latest version for new sites. If you’ve previously installed WordPress, you should upgrade it right away from within your WordPress Dashboard. (You should always do that when WordPress tells you there’s a new version available.)

(Even more) WordPress login rate-limiting

Lots of people (and lots of our customers) use WordPress to run their Web sites. This unfortunately means that lots of “hackers” also try to guess the passwords of those sites.

That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.

This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.
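The mechanism described above (count a single IP address's requests to wp-login.php, block that address from the page once it exceeds what a human would do, and keep it blocked until the requests stop for a while) can be sketched in a few dozen lines. The code below is an added illustration, not the hosting company's actual implementation; the thresholds (10 requests per minute, a 10-minute quiet period), the Apache-style log format and the sample log lines are all constructed assumptions.

```python
"""Per-IP rate limiting of wp-login.php requests (illustrative, not production code).

Assumptions: Apache combined-style access log lines, a threshold of 10 login-page
requests per minute, and a block that expires only after 10 minutes without requests.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: "IP - - [timestamp] "METHOD PATH PROTO" STATUS SIZE"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class LoginRateLimiter:
    def __init__(self, max_requests=10, window=timedelta(minutes=1),
                 cooldown=timedelta(minutes=10)):
        self.max_requests = max_requests
        self.window = window
        self.cooldown = cooldown
        self.hits = defaultdict(deque)   # ip -> timestamps of recent wp-login.php hits
        self.blocked_until = {}          # ip -> time the block lapses if requests stop

    def check(self, ip, ts):
        """Return 'allow' or 'block' for one wp-login.php request from ip at time ts."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                # Still blocked: every further attempt pushes the expiry out again,
                # so the block only lapses once the requests actually stop.
                self.blocked_until[ip] = ts + self.cooldown
                return "block"
            # Quiet period elapsed: lift the block and start counting afresh.
            del self.blocked_until[ip]
            self.hits[ip].clear()

        recent = self.hits[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()            # drop hits that fell out of the sliding window
        if len(recent) > self.max_requests:
            self.blocked_until[ip] = ts + self.cooldown
            return "block"
        return "allow"


def process_log(lines, limiter=None):
    """Run the limiter over log lines; returns (ip, path, decision) for each login-page hit."""
    limiter = limiter or LoginRateLimiter()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/wp-login.php"):
            continue                    # only the login page is rate limited
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        decisions.append((m.group("ip"), m.group("path"), limiter.check(m.group("ip"), ts)))
    return decisions


def summarize(decisions):
    """Per-IP counts of allowed and blocked requests."""
    counts = defaultdict(lambda: {"allow": 0, "block": 0})
    for ip, _path, decision in decisions:
        counts[ip][decision] += 1
    return dict(counts)


def sample_log():
    """Constructed access-log lines: one human visitor and one password-guessing client."""
    base = datetime(2012, 4, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path="/wp-login.php", status=200):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} 512'

    lines = [line("203.0.113.7", base),                             # human: two tries
             line("203.0.113.7", base + timedelta(seconds=20))]
    lines += [line("198.51.100.9", base + timedelta(seconds=2 * i))  # bot: 15 tries in 30 s
              for i in range(15)]
    lines.append(line("198.51.100.9", base + timedelta(minutes=5)))   # still inside cooldown
    lines.append(line("198.51.100.9", base + timedelta(minutes=20)))  # quiet long enough: unblocked
    lines.append(line("198.51.100.9", base, "/index.php"))            # not the login page: ignored
    return lines


if __name__ == "__main__":
    for ip, stats in summarize(process_log(sample_log())).items():
        print(ip, stats)
```

The point worth noticing is in `check`: the block's expiry is extended on every attempt, so a client that keeps hammering the page stays blocked indefinitely, while one that goes quiet for the cooldown period is allowed back. A sliding window rather than a fixed per-minute bucket avoids letting a client get 2× the threshold by straddling a boundary.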


WordPress 3.2

WordPress 3.2 was released a couple of days ago, and it looks like a great update. (We even contributed a little bit of performance-improving code to it ourselves.)

Our WordPress one-click installer automatically installs the latest version for new installs.

If you’ve previously installed WordPress, you can upgrade it from within your WordPress Dashboard. You should always do that when WordPress tells you there’s a new version available.

Be careful installing WordPress plugins

Today we detected that one of our customers had installed a WordPress plugin on his blog that did something malicious: when the plugin was activated, it sent a stranger an e-mail message allowing full administrator access to the blog.

How did this happen? Well, our customer simply searched the WordPress plugin directory for “Contact Form”, saw the popular “Contact Form 7” plugin listed, then clicked “Install Now”. That all sounds reasonable.
