Is Your WordPress Site Vulnerable to Attack?

published on April 19, 2013

WordPress site owners Alert!

From Cloudflare.com (April 11, 2013)

There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.

One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.

Matt Mullenweg confirms this on his blog:

Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).

The best defence is to prepare before disaster strikes. Below are some important reminders to keep your site secure. If you already do these things religiously and regularly, you should be in good shape. Otherwise, it’s time to beef things up.

  • Backup, backup, backup. Conduct regular backups of your site. It’s always a good thing.
  • Change your user name. Use a strong password. If you are still using “admin” as your login, you need to change it right away.
  • Install a WordPress plugin that limits the number of login attempts from the same IP address or network.
  • Subscribe to a security service such as Sucuri (read our post about Sucuri) or Cloudflare (free).
  • Update your WordPress version.
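To make the "limit login attempts" item concrete, here is an added example (not from the original post or from any WordPress plugin) that applies the same per-IP sliding-window rule to web-server access logs, so a site owner can spot the "admin" password-guessing pattern in their own logs. The log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample access-log lines (Apache combined format, not real
# traffic): 203.0.113.7 hammers wp-login.php; 198.51.100.4 is a genuine
# user who mistypes once, then logs in (302 redirect to wp-admin).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Apr/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Apr/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Apr/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Apr/2013:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Apr/2013:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Apr/2013:10:16:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Apr/2013:10:16:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def flag_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: peak_attempts} for IPs with more than `threshold` failed
    logins inside any `window_s`-second sliding window. WordPress answers a
    failed POST to wp-login.php with 200 (form re-rendered with an error)
    and a successful one with a 302 redirect, so only 200s count."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if (not rec or rec["method"] != "POST" or rec["status"] != 200
                or not rec["path"].startswith("/wp-login.php")):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))
```

The single mistyped password from the genuine user stays below the threshold, while the guessing host is reported with its peak count, which is the same distinction a limit-login-attempts plugin draws before blocking an address.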

Note: Many of the articles on this site include affiliate links that may earn us a commission if you decide to buy the recommended product.