ALERT: major brute-force password-guessing attack on WordPress sites underway

By | April 14, 2013

There’s a significant attack by a botnet on WordPress sites, where the bots are trying to guess the passwords of common admin logins. More info: http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

If you are using WordPress with a common username or a common password, change it immediately to something less obvious; when in doubt, update your WordPress admin password. Operators of WordPress sites can take other measures too, including installing security plugins such as this one: http://wordpress.org/extend/plugins/better-wp-security/ and this one: https://wordpress.org/extend/plugins/limit-login-attempts/, which close some of the holes most frequently exploited in attacks of this kind.

WordPress creator Matt Mullenweg has released a statement regarding the issue:

Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password … and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

HIS advice: remember that usernames are also passwords, so choosing a username like ‘admin1492’ rather than ‘admin’ will help make your WordPress site much more secure. Also, never use a password for your WordPress site or email that you’ve used somewhere else. Yes, it’s a bother, but you should never use a password on more than one site. Passwords should be 8 characters or longer and should contain at least one punctuation symbol, a mix of upper and lower case, and a number.
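Mullenweg’s point above, that per-IP throttling does little against a botnet with tens of thousands of addresses, is something a site operator can check in their own web server logs. The following is an added example, not code from the original post or from WordPress: it parses constructed Apache-style access log lines, counts wp-login.php POSTs per client IP (assuming a failed login re-renders the form with HTTP 200 while a success redirects), and compares that per-IP view with the site-wide rate over a sliding window.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample traffic (not real data): 30 different client IPs each
    POST to wp-login.php once within a single minute, mixed with ordinary GETs.
    Assumption: a failed WordPress login answers with HTTP 200 (the form again),
    whereas a successful one redirects with 302."""
    lines = []
    for i in range(30):
        lines.append(f'203.0.113.{i + 1} - - [14/Apr/2013:10:00:{i * 2:02d} +0000] '
                     f'"POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"')
        lines.append(f'198.51.100.{i + 1} - - [14/Apr/2013:10:00:{i * 2 + 1:02d} +0000] '
                     f'"GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"')
    return lines


def failed_login_posts(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php answered with 200."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, TS_FMT)


def analyse(lines, window_seconds=60, per_ip_limit=5, aggregate_limit=20):
    """Compare what a per-IP throttling plugin sees (attempts per address) with
    the site-wide peak number of attempts inside any sliding window."""
    events = sorted(failed_login_posts(lines), key=lambda e: e[1])
    per_ip = Counter(ip for ip, _ in events)
    window = timedelta(seconds=window_seconds)
    peak, start = 0, 0
    for end, (_, ts) in enumerate(events):
        while ts - events[start][1] > window:  # slide the left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    max_per_ip = max(per_ip.values(), default=0)
    return {
        "distinct_ips": len(per_ip),
        "max_per_ip": max_per_ip,
        "peak_in_window": peak,
        "per_ip_throttle_fires": max_per_ip > per_ip_limit,
        "distributed_bruteforce": max_per_ip <= per_ip_limit and peak >= aggregate_limit,
    }
```

Run on the constructed sample, no single address exceeds the per-IP limit, yet 30 attempts land inside one minute, which is the signature an aggregate, site-wide rate alert catches and a per-IP counter misses.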
