Over the past couple of days it has been widely reported that WordPress-based sites are being targeted by a massive brute force attack, one that is supposedly backed by a botnet with over 90,000 IP addresses. The attack has been described as much larger than usual, with CloudFlare alone blocking over 60 million requests in under one hour. It is believed to be global in scale, affecting almost every web host out there. So naturally WordPress users have been looking for a fix, and a surprisingly easy one has come from the man who made WordPress himself.
What has puzzled site owners and hosts alike is that there seems to be no clear reason for this global attack. The attacks appear to originate from PCs, which are capable of installing a backdoor that would let attackers control the site from anywhere in the world. Matt Mullenweg, the creator of WordPress, released a statement detailing a very easy fix, one that he says would put a site ahead of almost 99% of those that have not taken the same steps.
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it; use a strong password; if you’re on WP.com, turn on two-factor authentication; and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
You heard the man! Implementing this easy fix would ensure a relatively high level of safety for a WordPress-based site. Hopefully security researchers will be able to dig deeper and find out what the real reason behind this global WordPress brute force attack is.
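Mullenweg's point that per-IP throttling does little against 90,000 source addresses can be checked against a web server log. The following is an added example, not code from the article or from WordPress: it parses constructed combined-format log lines, treats a POST to wp-login.php answered with 200 as a failed login (WordPress redirects with 302 on success), and compares a per-IP throttle with a site-wide failure count over the same one-minute window. The thresholds and the sample addresses are assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format as written by Apache/nginx; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def failed_logins(lines):
    """Yield (ip, timestamp) for each failed login: WordPress answers a failed POST to
    wp-login.php with 200 (the form again) and a successful one with a 302 redirect."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == "/wp-login.php" and rec[4] == 200:
            yield rec[0], rec[1]

def analyze(lines, window_s=60, per_ip_limit=5, site_limit=20):
    """Compare two detectors over fixed windows: a per-IP throttle (what a login-limiting
    plugin does) and a site-wide count of failures regardless of source address."""
    windows = defaultdict(Counter)
    for ip, ts in failed_logins(lines):
        windows[int(ts.timestamp()) // window_s][ip] += 1
    results = []
    for key, per_ip in sorted(windows.items()):
        results.append({
            "window_start": key * window_s,
            "failures": sum(per_ip.values()),
            "distinct_ips": len(per_ip),
            "per_ip_throttle_fires": any(n > per_ip_limit for n in per_ip.values()),
            "site_wide_fires": sum(per_ip.values()) >= site_limit,
        })
    return results

# Constructed sample: 24 source addresses each make a single failed attempt within one
# minute, plus one legitimate login (302) and one page view (GET) that must be ignored.
SAMPLE_LOG = [
    f'10.0.{i}.7 - - [12/Apr/2013:14:02:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3829 "-" "Mozilla/5.0"'
    for i in range(24)
] + [
    '192.0.2.10 - - [12/Apr/2013:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Apr/2013:14:02:31 +0000] "GET /wp-login.php HTTP/1.1" 200 3829 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r)
```

On the sample, the per-IP throttle never fires because no address exceeds five attempts, while the site-wide counter flags 24 failures from 24 addresses in a single minute.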