The open-source WordPress blogging and content management system software is widely deployed and is also often attacked. In a bid to improve security, Automattic, the lead commercial sponsor behind WordPress, announced on Aug. 26 that it has acquired security vendor BruteProtect. Financial terms of the deal have not been publicly disclosed.
BruteProtect provides multiple security capabilities for WordPress sites. Prior to being acquired by Automattic, BruteProtect offered a free and a paid Pro version of its service. The free version provides WordPress sites with protection against brute force attacks. Brute force attacks can take many forms but typically involve an attacker automatically trying out multiple username/password combinations in order to gain access to a site.
Brute force attacks against WordPress sites are not theoretical; they are in fact a danger that impacts sites on a regular basis. In July, eWEEK reported on one such large-scale brute force attack against WordPress attempting to gain access via the wp.getUsersBlogs function, which is intended to provide an administrator with a list of blogs. According to BruteProtect, the free version of its software has protected users from 141 million attacks since April 2013.
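As an added illustration of the brute-force pattern described above, and not code from the article, BruteProtect or Automattic: a small Python detector that counts POST requests to WordPress's login form and XML-RPC endpoint (the interface that serves methods such as wp.getUsersBlogs) per source address inside a sliding time window. The log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not real traffic);
# 203.0.113.7 hammers the two WordPress authentication endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Aug/2014:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Aug/2014:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2014:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2014:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Endpoints a password-guessing tool drives: the login form and the XML-RPC API.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Split one combined-log line into (ip, time, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def find_bruteforcers(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak} for IPs with >= threshold auth POSTs inside any window.
    A failed wp-login.php attempt normally answers HTTP 200 (the form is
    re-rendered), so requests are counted rather than status codes."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in AUTH_PATHS:
            events[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

A real deployment would feed this from the live access log and hand flagged addresses to a rate limiter or block list rather than returning a dict.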
In addition to the free version, BruteProtect has a Pro version, which was offered at a subscription rate of $5 a month. The paid service is now being offered for free by Automattic to all WordPress users via its Jetpack plug-in. Jetpack is an optional plug-in for WordPress sites that provides services from Automattic. The BruteProtect Pro capabilities include uptime monitoring of WordPress sites as well as update alerts for WordPress plug-ins and themes.
“The BruteProtect team is based in Portland, Maine, and they’re long-time contributors to the WordPress community,” WordPress founder Matt Mullenweg wrote. “We’re excited to see them join forces with the Jetpack team and up the level of security, protection, and peace of mind we’ll be able to bring to the millions of sites already using Jetpack.”
WordPress plug-ins have been an area of focus for attacks in 2014. In June, a vulnerability in the TimThumb image manipulation library left unpatched sites at risk. In July, an attack targeting sites running outdated versions of the MailPoet WordPress plug-in was reported, again leaving those sites at risk.
WordPress has taken a number of steps to improve site security over the last year. With the WordPress 3.7 release in October 2013, a new core feature that enables automatic updates for security fixes was included. That automatic update feature enabled WordPress to roll out its recent 3.9.2 release rapidly to fix a critical denial-of-service (DoS) vulnerability.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.