Student Organizations + Website Security

As student organization leaders, we wanted to share the message below  to advise you of recommendations and updates from Information Technology Services in response to the recent website attacks which became apparent on Monday, April 15th. Please review the notes bellows and share with your technology officer and/or webmaster:

If you are using WordPress, phpMyAdmin, or similar service, you are highly recommended to do the following:

–          ensure that the latest version of WordPress, or similar platform service, & related security patches are installed.  This does not apply to sites on or *

–          remove unknown or inactive admins.  This applies to ALL websites regardless of hosting service or platform.

–          change passwords for all admin accounts.  The following are UVa’s recommendations for passwords –

Resetting Passwords:

If for some reason you are using the same password for your website as you do for Netbadge, which is not recommended, you can change it by going to After changing your permanent password, please allow at least 15 minutes for the change to take effect.  Too many failed login attempts may temporarily suspend your account.  Don’t forget that if you have a mobile device set up to access UVa accounts/services, you may need to change the password there after it has been reset.

Site Maintenance Restricted To On-Grounds

Additionally, for sites hosted on systems, such as SCS or, ITS has restricted admin login access to on-grounds only.  If you need to perform site maintenance on your website which is hosted on a system, and you are off-grounds, you will first need to connect to the UVa Anywhere VPN.  Please note that the UVa Anywhere VPN can only be installed while you are off-grounds.  For more information regarding the UVa Anywhere VPN, please visit

Requesting Assistance

With the exception of access to the Student Council Server, questions or support inquiries should be made to the UVa Helpdesk –

Council members that require access assistance, particularly confirming the limited computing IDs that should have access to admin a site, should be sent to