Wordpress sites around the globe have come under attack from hackers on several occasions (see the BBC News Article for an example from May 2013).
The attacks are most commonly 'Brute Force' attacks (where hackers send thousands of requests to log into the Wordpress admin page). By default, Wordpress always has a user of "admin", so hackers already know which username to try and just need to exploit people who have used weak passwords.
As well as the risk of unauthorised access to a Wordpress site, having tens of thousands of login requests (even when they fail) will also cause load/performance issues on our hosting platforms.
Wordpress have brought in additional security measures that users can add to their Wordpress sites; however, as these are optional add-ons, many users do not take advantage of them. We also see cases where users do not upgrade to the latest release of Wordpress when a new version comes out and keep running older, insecure versions.
As such, we have implemented an additional layer of security on all Wordpress sites:
Q. What is this extra layer of security Daily has implemented?
In short, every computer or device that connects to the Internet has a unique identifier known as an IP Address. We have put in a measure where a customer has to specify their IP address before they can connect to the Wordpress Admin Page.
Q. Where do I specify my IP address?
There is a small file in your webspace called .htaccess. Just connect to your website via FTP and open this file. Inside you will see a section of text where you can specify your IP address, as shown below with our IP address of 22.214.171.124
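The section of the file referred to above is not reproduced on this page. As an added example (not Daily's own file), a restriction of this kind on the Wordpress login script typically looks like the following. The address 203.0.113.10 is a constructed placeholder, and limiting the rule to wp-login.php is an assumption.

```apache
# Added example, not the host's actual file. 203.0.113.10 is a placeholder
# from the documentation address range; replace it with your own public IP.
#
# Place this in the .htaccess in the site root, outside the
# "# BEGIN WordPress" ... "# END WordPress" markers, because Wordpress
# rewrites whatever sits between those two lines.
#
# Assumes the host permits these directives in .htaccess
# (AllowOverride AuthConfig for Require, Limit for Order/Allow/Deny).
# If the site sits behind a proxy or CDN, Apache sees the proxy's address
# unless the server is configured to restore the client address.

<Files "wp-login.php">
    # Apache 2.4 and later (mod_authz_core): allow only the listed addresses.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        # Several addresses or a CIDR range can be listed, space separated:
        # Require ip 203.0.113.10 198.51.100.0/24
    </IfModule>

    # Apache 2.2 (mod_authz_host): the same policy in the older syntax.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>

# Requests to wp-login.php from any other address receive 403 Forbidden
# before PHP runs, so a rejected attempt costs the server far less than a
# processed login request. The public pages of the site are unaffected.

# To switch the restriction off, comment out only the lines of this block
# (from <Files ...> to </Files>), leaving the rest of the file as it is.
```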
Q. How do I find out my IP address?
Just go to a site like http://www.whatismyip.com/ on the computer or device you want to find out the IP for.
Q. I don't want to use this security feature. How do I turn it off?
You can edit your .htaccess file and add a # symbol at the start of each line, or you can raise a support ticket from your MyDaily Control Panel and request we remove the security for you.
Please note, we do mean an actual support ticket logged from your Control Panel, since removing the security potentially exposes your site to being exploited. We would not carry out this request from a contact form on our website, livechat, telephone call or general email.
If you are having our security option removed, please ensure you have implemented your own security measures instead:
1) Don't use an 'Admin' user
This is what hack scripts use when trying to access sites. Create a new user with a different name and grant them admin privileges.
2) Use Wordpress' Two Step Authentication facility
Details of this are on Wordpress' own site: Greater Security with Two Step Authentication
3) Be on the latest versions
Make sure you are not running an old version of Wordpress. If so, you may have security vulnerabilities. You can upgrade from within Wordpress itself. The same goes for any plugins or add-ons you have (including themes) as well as the main Wordpress program.
4) Set strong passwords for your FTP and Wordpress Login
By strong we mean creating random passwords with a combination of lower and upper case letters, numbers and punctuation symbols rather than dictionary words. A good password generator tool is available here: Secure Password Generator
Frequently Asked Questions or Issues
Q. I have logged in via FTP but can't see my .htaccess file?
You probably don't have the setting to show hidden files. It depends on your FTP client, but in Filezilla it is here:
Q. My IP address keeps changing! Do I have to add it every time?
Yes, if you are using our security measures. However, if this is the case then you may want to disable our measures and use alternative security, as mentioned above.
Q. So, if Wordpress sites are getting 'hacked', are your systems insecure?
No, not at all. The exploits are taking advantage of users' individual Wordpress sites only when that user has been lax on security. If a customer's site was compromised, the hacker would only have access to that customer's site (i.e. they could not use this as an entry point to access other customers on the server). These exploits are not at a server level where a hacker gained access to the root of our hosting platforms. Our platforms themselves are fully secure.
Last Updated: 12/04/2013
Article ID: 1009