It has recently become clear that a huge attack on WordPress websites is underway. Who is behind it is unknown, but what is known is that more than 90,000 IP addresses are being used to brute-force the administrative credentials of vulnerable WordPress installations.
Why would anyone care to attack numerous WordPress websites across multiple hosting services? To put it in layman’s terms, once they gain access to your WordPress admin interface they alter the code of your website to harness the power of hosting servers, which typically have tens, hundreds, or even thousands of times the bandwidth and processing capacity of an infected machine in your home or small business.
If you’d like to have a bit more background information on the ongoing attack here’s a great post with lots of information: Huge attack on WordPress sites could spawn never-before-seen super botnet.
What can you do to protect your website?
Now, since the original reports of this ongoing attack sprang up, an official statement has been released by Matt Mullenweg, creator of WordPress:
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
So, in essence, all you need to do is make sure that if an “admin” username is in use on your site you change it to something else, something a bit less commonplace, and that when you create your password the strength indicator reports it as “strong”. Here are a few pointers on creating a strong password.
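Matt’s point that per-IP throttling is blind to a 90,000-address botnet is easy to see in a web server’s own logs. The script below is an added example, not code from this post or from WordPress: it parses access-log lines in the common Apache/nginx “combined” format (an assumption; adapt the regex to your server), counts failed POSTs to wp-login.php per minute, and flags a minute as a distributed attack when many different IPs each fail only once or twice, so that no single address ever crosses a per-IP limit. It relies on WordPress answering a rejected login by re-rendering the form with HTTP 200 and a successful login with a 302 redirect. The sample log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log format is assumed; only the client IP,
# timestamp, request line and status code are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample (not from a real server): twelve different IPs each POST to
# wp-login.php once in the same minute and get a 200 (failed login), plus one
# legitimate visitor who reads a post and then logs in successfully (302).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.{n} - - [12/Apr/2013:10:00:{n:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 3521' for n in range(1, 13)]
    + [
        '198.51.100.7 - - [12/Apr/2013:10:00:30 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 9123',
        '198.51.100.7 - - [12/Apr/2013:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    ]
)


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failed_logins_per_minute(records):
    """Map 'dd/Mon/yyyy:HH:MM' -> Counter of client IPs with a failed wp-login.php POST.

    WordPress answers a rejected login with 200 (the form is re-rendered with an
    error) and a successful one with 302 (redirect to wp-admin), so a 200 on a
    POST to wp-login.php is counted as a failed attempt.
    """
    buckets = defaultdict(Counter)
    for r in records:
        path = r["path"].split("?")[0]
        if r["method"] == "POST" and path.endswith("/wp-login.php") and r["status"] == "200":
            minute = r["ts"][:17]  # e.g. '12/Apr/2013:10:00'
            buckets[minute][r["ip"]] += 1
    return buckets


def assess(records, per_ip_threshold=10, global_threshold=10):
    """Classify each minute of login traffic.

    'single_source': one IP alone reaches per_ip_threshold (a per-IP limiter would catch it)
    'distributed':   total failures reach global_threshold while every IP stays below
                     per_ip_threshold (the case where per-IP throttling sees nothing)
    'quiet':         neither
    """
    findings = {}
    for minute, by_ip in failed_logins_per_minute(records).items():
        total = sum(by_ip.values())
        worst_ip = max(by_ip.values())
        if worst_ip >= per_ip_threshold:
            verdict = "single_source"
        elif total >= global_threshold:
            verdict = "distributed"
        else:
            verdict = "quiet"
        findings[minute] = {
            "failed": total,
            "distinct_ips": len(by_ip),
            "max_per_ip": worst_ip,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for minute, finding in assess(parse_log(SAMPLE_LOG)).items():
        print(minute, finding)
```

The useful signal here is the site-wide failure rate on wp-login.php rather than any single address, which is why the thresholds are applied per minute across all IPs. The same per-minute buckets can also be used to confirm that the attempts stop once the “admin” account is renamed and a strong password is in place.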
To my clients
As always, I’ve got you covered! Most of you have your own, personalized logins with strong passwords. I will also be going through all of your websites and making the necessary adjustments to safeguard them from this attack. If you feel so inclined, you can change your current login passwords as an extra precaution. Just make sure that your new password is “strong” and that you write it down someplace for the next time you need to log in.