A relatively low-key but intense attack on WordPress (WP) based sites is under way. Attackers are trying to log in to WP servers using common usernames and passwords such as "admin", "adm", "test", "password" and "password1". The attack appears to originate from a botnet of close to, or just over, 90,000 PCs and looks like an attempt to build up a pool of compromised servers that can be used to launch further attacks in the future.
WordPress is a very popular CMS (Content Management System) that forms the back end of almost 17% of all websites on the internet, including sites like eBay and any number of blogs. The attack itself is a very basic brute-force attack that takes advantage of our laziness by trying to guess a site's login from a pool of commonly used usernames and passwords. It is currently running on comparatively underpowered home PCs with limited bandwidth, but every server it compromises adds capacity, so the attack can grow in magnitude.
Protecting yourself is simple: if your administrator account is still called "admin", rename it, and use a strong, unique password; some useful guidelines can be found here.
Matt Mullenweg of WordPress had this to say about the attack:
“Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).”
You can read the entire WordPress blogpost here.
Cloudflare, a content-delivery network that also acts as an online firewall for the sites behind it, is also offering protection against this attack free of charge to users who put their sites behind its service.
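The attack described above, and Mullenweg's point that per-IP login throttling does little against 90,000 sources, can both be seen in a web server's access log. The following is an added example, not code from the article, WordPress or Cloudflare: it parses constructed Apache/nginx combined-format log lines (not real traffic), picks out login attempts against wp-login.php, and compares the per-IP view a ban-list plugin takes with a site-wide view. It assumes the default WordPress behaviour of answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; the sample IP ranges, thresholds and function names are all illustrative choices made here.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def failed_logins(lines):
    """(ip, timestamp) for every POST to wp-login.php answered with 200.

    Assumption: stock WordPress re-renders the login form (200) when the
    credentials are wrong and redirects to wp-admin (302) when they are right.
    """
    events = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/wp-login.php") and rec["status"] == 200):
            events.append((rec["ip"], rec["ts"]))
    return events


def max_failures_in_window(events, window=timedelta(seconds=60)):
    """Largest number of failed logins from ALL sources inside a sliding window."""
    times = sorted(ts for _, ts in events)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(lines, per_ip_ban=5, site_wide_threshold=20):
    """Contrast a per-IP ban rule with a site-wide rate rule over the same log."""
    events = failed_logins(lines)
    per_ip = Counter(ip for ip, _ in events)
    burst = max_failures_in_window(events)
    return {
        "failed_attempts": len(events),
        "distinct_sources": len(per_ip),
        # what a fail2ban-style "5 failures per IP" rule would act on
        "ips_per_ip_rule_would_ban": [ip for ip, n in per_ip.items() if n >= per_ip_ban],
        "max_failures_per_minute": burst,
        "distributed_attack": burst >= site_wide_threshold,
    }


def constructed_log(bot_count=40):
    """Constructed sample traffic: one reader, one real admin login, and
    bot_count botnet members each guessing once (every tenth one twice)."""
    base = datetime(2013, 4, 12, 10, 15, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3421 "-" "Mozilla/5.0"'

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    lines = [
        line("198.51.100.7", 0, "GET", "/2013/04/hello-world/", 200),
        line("198.51.100.7", 2, "POST", "/wp-login.php", 302),  # legitimate login
    ]
    for i in range(bot_count):
        ip = f"203.0.113.{i + 1}"  # each bot uses its own address
        lines.append(line(ip, 5 + i, "POST", "/wp-login.php", 200))
        if i % 10 == 0:  # a few bots try a second password
            lines.append(line(ip, 6 + i, "POST", "/wp-login.php", 200))
    return lines


if __name__ == "__main__":
    for key, value in classify(constructed_log()).items():
        print(f"{key}: {value}")
```

With 40 bots each making one or two guesses, no source ever reaches the five-failure ban threshold, so the per-IP rule bans nobody, while the site-wide view shows 44 failed logins in a minute against a site whose real administrator logged in once. A detection keyed on the volume of failed wp-login.php POSTs per site, rather than per source, is what catches this shape of attack; the fix on the server side is still the one the article gives, a non-default username and a strong password.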