As most of you have heard already, there has been a widespread brute force attack
(definition – http://en.wikipedia.org/wiki/Brute-force_attack)
against the file wp-login.php. The attackers run an automated script that tries username and password combinations against the login form over and over, working from lists of common passwords and dictionary words, until one is accepted. Rainbow tables
(definition – http://en.wikipedia.org/wiki/Rainbow_tables) are a different tool: they are used to recover passwords from stolen password hashes offline, not to log in through a form. A password weak enough to appear in a word list, though, is weak against both.
I run multiple WordPress sites and none of mine were affected, as I have the SI-Captcha plugin on the wp-login.php or wp-admin.php page, which you can download here:
However, a strong password is always the best way to protect your site from being hacked. Weak passwords like “ilovecats” or “layla123”, your name, or your birth date are a very bad idea: they are in every attacker's word list and will be guessed by a well-executed brute force attack within minutes.
A good password generator can be found here:
Treat your password like the PIN to your bank account; enough said.
Also, if you have been affected and have changed your password to something stronger (the eight-character example s7udraNe is the bare minimum; a longer random password is better), do not assume that alone has thrown the attacker out. Anyone who still holds a valid login session HAS full access and can deface your site, delete content, inject malicious code and viruses, etc.
To invalidate every existing login cookie on the site at once, change the “Salt” and “Secret Keys” in the wp-config.php file. WordPress signs its login cookies with these values, so once they change no old cookie is accepted and everyone, including you, has to log in again.
You can obtain a new set of keys and salts here: https://api.wordpress.org/secret-key/1.1/salt/
See example screenshot below:
This can be done via FTP, cPanel, or whatever file editor your web host provides. Paste the eight new define lines over the eight old ones (do not leave duplicates), SAVE the changes, and then change the permissions (CHMOD) on wp-config.php to 440 or 400 so that it is not “world readable”. One caveat: the account PHP runs as must still be able to read the file, so use 400 when PHP runs as the file's owner and 440 when it runs as a member of the file's group; get this wrong and the site goes down with a database connection error. If you can pull up your wp-config.php from a browser you are begging to be hacked, since it contains your database login credentials.
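As an added example, not part of the original post, here is a POSIX shell script that does the wp-config.php steps above in one pass: it fetches a fresh block from the api.wordpress.org URL (or takes one you have already saved to a file), refuses to proceed unless that file really holds eight key/salt defines, swaps them in for the old ones without touching anything else in wp-config.php, and sets the file to mode 400. The function and variable names are the example's own, and the sample wp-config.php and salt values written by the demo functions are constructed for illustration; they are not real secrets, so fetch your own.

```shell
#!/bin/sh
# Rotate the WordPress keys and salts in wp-config.php and lock the file down.
# Assumes the standard layout: one  define('AUTH_KEY', '...');  line per key, as
# written by the WordPress installer and by api.wordpress.org/secret-key/1.1/salt/.

WP_KEY_NAMES='AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT'

# Download a fresh block of eight defines into the file named by $1 (needs network access).
fetch_wp_salts() {
    curl -fsS https://api.wordpress.org/secret-key/1.1/salt/ > "$1"
}

# Refuse to touch wp-config.php unless the salt file really holds eight key/salt defines
# (a failed download can leave an HTML error page in its place).
valid_salt_file() {
    [ "$(grep -cE "define\(.($WP_KEY_NAMES).," "$1")" -eq 8 ]
}

# rotate_wp_salts CONFIG SALTFILE: replace the old defines in CONFIG with the lines of
# SALTFILE, keep everything else in the file as it was, then chmod 400.
rotate_wp_salts() {
    config="$1"; salts="$2"
    valid_salt_file "$salts" || { echo "$salts does not contain eight WordPress key/salt defines" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    # Every old define is dropped wherever it appears; the new block is written once,
    # where the first old define stood. awk exits 2 if no define was found at all.
    if ! awk -v names="$WP_KEY_NAMES" -v saltfile="$salts" '
        BEGIN { re = "^[ \t]*define[ \t]*\\([ \t]*\047(" names ")\047" }
        $0 ~ re {
            if (!done) { while ((getline line < saltfile) > 0) print line; done = 1 }
            next
        }
        { print }
        END { exit (done ? 0 : 2) }
    ' "$config" > "$tmp"; then
        rm -f "$tmp"
        echo "no key/salt defines found in $config; nothing changed" >&2
        return 2
    fi
    cat "$tmp" > "$config"   # write through the existing file so owner and group stay as they were
    rm -f "$tmp"
    chmod 400 "$config"      # owner read-only; use 440 if PHP runs as a group member rather than the owner
}

# Constructed sample wp-config.php for the demo: placeholder keys exactly as a fresh install ships them.
write_demo_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}

# Constructed stand-in for the API response: same shape, but these values are NOT secrets.
write_demo_salts() {
    cat > "$1" <<'EOF'
define('AUTH_KEY',         'DEMO-AUTH-KEY-replace-with-api.wordpress.org-output');
define('SECURE_AUTH_KEY',  'DEMO-SECURE-AUTH-KEY-replace-with-api.wordpress.org-output');
define('LOGGED_IN_KEY',    'DEMO-LOGGED-IN-KEY-replace-with-api.wordpress.org-output');
define('NONCE_KEY',        'DEMO-NONCE-KEY-replace-with-api.wordpress.org-output');
define('AUTH_SALT',        'DEMO-AUTH-SALT-replace-with-api.wordpress.org-output');
define('SECURE_AUTH_SALT', 'DEMO-SECURE-AUTH-SALT-replace-with-api.wordpress.org-output');
define('LOGGED_IN_SALT',   'DEMO-LOGGED-IN-SALT-replace-with-api.wordpress.org-output');
define('NONCE_SALT',       'DEMO-NONCE-SALT-replace-with-api.wordpress.org-output');
EOF
}

# Offline demo: rotate the constructed config and show the result and its permissions.
demo_rotate() {
    dir="$(mktemp -d)"
    write_demo_config "$dir/wp-config.php"
    write_demo_salts "$dir/new-salts.txt"
    rotate_wp_salts "$dir/wp-config.php" "$dir/new-salts.txt"
    cat "$dir/wp-config.php"
    ls -l "$dir/wp-config.php"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo_rotate; fi
# Live use:  fetch_wp_salts new-salts.txt && rotate_wp_salts /path/to/wp-config.php new-salts.txt
```

Run it with `sh rotate-salts.sh demo` to see the swap on the constructed file. The validity check matters because a curl failure or a captive portal can hand you HTML instead of PHP, and writing that into wp-config.php takes the site down. Expect every user, yourself included, to be logged out the moment the new file is saved; that is the point.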
See example screenshot of wp-login.php with SI-Captcha below:
These are valuable steps to protect your WordPress sites.
You can scan your sites for malware by entering the domain name at the link below:
Your MySQL database is the HEART of your blog/WP site and should be backed up regularly in case of a catastrophic event such as a hack. Do NOT rely on your host for backups; do your OWN, and keep a copy somewhere other than the web server, since a backup an attacker can reach or delete is no backup at all.
A top-rated web hosting company, InMotion Hosting, has written a good article suggesting .htaccess modifications and a plugin that limits the number of login attempts, both of which help mitigate this type of attack.
The article can be found here: http://www.inmotionhosting.com/support/news/general/wp-login-brute-force-attack