If you have a WordPress blog or website, it’s important that you improve your security, as soon as possible. This post explains why and offers some tips to make your WordPress site safer and gives you links to 2 free security tools you can use.
WordPress botnet attack
Hosting companies worldwide are reporting a surge in attacks on WordPress sites right now. It was reported yesterday that a botnet, with an estimated 90,000 servers (and growing), is trying to log into WordPress sites by cycling different usernames and passwords.
Ars Technica reported today, that this ‘huge attack’ could create a botnet like we have never seen before. My security provider, Sucuri, (affiliate link) says the number of attacks has increased by almost 300% in just a few weeks.
(UPDATE) This free online tool from Sucuri, will check if your blog has been attacked. It also shows you if you’re using the latest version of WordPress and if your site has been blacklisted. You will see your results in seconds. Simply enter the address of your blog.
WordPress botnet: What to do
As this attack seems to use brute force to cycle through usernames and passwords, I suggest you beef up your log in security, by adding a WordPress plugin. This will block anyone from accessing your site if they attempt more than a certain number of failed log ins. The plugin I use is called Limit Login Attempts and is available for free, from The WordPress Repository.
By default, WordPress allows people unlimited log in attempts. This means botnets can target your website / blog with hundreds or thousands of different user name and password combinations. By limiting log in attempts to just a handful, you make it significantly harder for this type of attack to happen. (Update) Whilst this may help and is a good idea against general attacks, WordPress founder Matt Mullenweg has suggested that ‘log in throttling’ plugins may not be of much help with this specific attack.
Change your WordPress username from admin
I also suggest you change your WordPress user name from ‘admin’. Admin is the default WordPress user name and sites using it are massively easier to break into, because only the password needs to be hacked.
If you’re not sure how to change your WordPress username, there is a step by step guide here. You can also go to YouTube and search for: ‘Change WordPress username’. There are lots of videos showing exactly what you need to do. It’s very simple, takes just a little time and improves your security significantly.
Update your WordPress software and plugins
It’s important to make sure you’re running the most recent version of WordPress. New versions of WordPress often contain security updates, which will protect you from attacks that target older versions of the software. Before you update WordPress, it’s a good idea to back up your data first.
Make sure your plugins are up to date too. Out of date software is easier to hack and newer versions often provide additional security, which patches holes found in older versions.
Update your WordPress blog themes
If you use a blog theme, make sure that it’s up to date. It’s also important to either update or delete OLD blog themes, as these inactive themes can still be used to get into a site. Before updating your blog theme, remember to back up your data first.
These are just some of the things you can do, for free, which will make your site safer. With such an increase in WordPress botnet attacks right now, it makes sense to take some time as soon as you can, to improve your security.
News regarding this attack
VentureBeat: WordPress admin accounts target of botnet attacks.
TechCrunch: Hackers Point Large Botnet At WordPress Sites.
UPDATE: WordPress founder Matt Mullenweg released some advice from his blog:
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
If you have any positive suggestions regarding how to deal with this threat, please share them with a comment.