Is Your WordPress Site Vulnerable to Attack?
WordPress site owners Alert!
From Cloudflare.com (April 11, 2013)
There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.
One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.
Matt Mullenweg confirms this on his blog:
Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
The best time to prepare is before disaster strikes. Below are some important reminders for keeping your site secure. If you already do these things regularly, you should be in good shape; otherwise, it is time to tighten things up.
- Backup, backup, backup. Take regular backups of your site and keep a copy somewhere other than the web server; a backup is what lets you recover if the site is compromised.
- Change your username and use a strong password. If you are still logging in as “admin”, create a new administrator account with a different name, log in as that user, and delete the old “admin” account (reassigning its posts to the new user); WordPress does not let you rename an existing user from the dashboard.
- Install a plugin that limits the number of login attempts from the same IP address or network, keeping in mind that a botnet spreading its guesses across many addresses can stay under a per-IP limit.
- Subscribe to a security service such as Sucuri (read our post about Sucuri) or Cloudflare (free plan available).
- Update WordPress. Keep your installation on the current release.
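The checklist above says to limit login attempts per IP, and the Cloudflare note explains why that alone is not enough: the guesses arrive from tens of thousands of addresses. The script below is an added example (not code from the original post, Cloudflare or WordPress) that reads a web server access log in the common Apache/nginx “combined” format and shows both sides of that. It assumes a stock WordPress install, where the login form POSTs to /wp-login.php, a failed login re-renders the form with HTTP 200, and a successful login redirects with HTTP 302. The log lines are constructed for the example.

```python
"""Spot WordPress login brute-forcing in an access log.

Added example, not from the original post. Assumptions:
  * Apache/nginx "combined" log format
  * stock WordPress: login form POSTs to /wp-login.php,
    failed login -> 200 (form shown again), success -> 302 redirect
The SAMPLE_LOG below is constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one noisy IP (198.51.100.7) hammering the login
# form, plus four botnet-style IPs making one guess each, the last of
# which gets a 302 (a login that succeeded after a failure).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2013:10:00:01 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 5120
203.0.113.10 - - [11/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2871
198.51.100.7 - - [11/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [11/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [11/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [11/Apr/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [11/Apr/2013:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [11/Apr/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.21 - - [11/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.22 - - [11/Apr/2013:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.23 - - [11/Apr/2013:10:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.24 - - [11/Apr/2013:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.24 - - [11/Apr/2013:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_login_post(rec):
    """True for a POST to wp-login.php (query string ignored); GETs of the form do not count."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php")


def analyze(log_text, threshold=5, window_seconds=600):
    """Summarise login failures per IP and flag IPs a per-IP limiter would lock.

    threshold / window_seconds mirror a "limit login attempts" plugin:
    an IP is locked once it has `threshold` failures inside a sliding window.
    """
    failed = defaultdict(list)          # ip -> timestamps of failed login POSTs
    success_after_failure = set()       # ip that got a 302 after earlier failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        ip = rec["ip"]
        if rec["status"] == 200:        # form re-rendered: wrong credentials
            failed[ip].append(rec["ts"])
        elif rec["status"] == 302 and failed.get(ip):
            success_after_failure.add(ip)

    locked = {}                         # ip -> time the lockout would have fired
    for ip, stamps in failed.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                locked[ip] = ts
                break

    total = sum(len(v) for v in failed.values())
    caught = sum(len(failed[ip]) for ip in locked)
    return {
        "total_failed": total,
        "attacking_ips": sorted(failed),
        "locked_ips": locked,
        "success_after_failure": sorted(success_after_failure),
        "failures_not_caught_by_ip_limit": total - caught,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the per-IP limiter locks only 198.51.100.7; the four single-guess addresses never trip it, so four of the ten failures go uncaught, and one of those addresses is the one that eventually logged in. That is the shape of the attack described above, and it is why the password and username steps matter more than the rate limit: the limiter cuts the noise, the password decides the outcome. In production, replace SAMPLE_LOG with the real log and treat any 302 on /wp-login.php from an IP that also failed as something to investigate.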
Note: Many of the articles on this site include affiliate links that may earn us a commission if you decide to buy the recommended product.
It is more important than ever to secure WordPress sites; otherwise they risk being taken over and used for criminal activity. I already had safety measures in place against brute-force attacks, but after seeing well over 10,000 attempts to log in to my blog in recent days, I decided that, even though they all failed, it would not hurt to tighten security further.
As WordPress founder Matt Mullenweg says, a strong password and an up-to-date version of WordPress are sufficient protection against this attack. The botnet is simply guessing passwords, so if yours is not guessable you will be safe.