In recent days, a large botnet (a network of hijacked computers) has been attacking thousands of WordPress sites globally.
It is estimated that a large network of PCs, unknown to their owners, has been targeting WordPress blogs with a crude but effective “brute force” password attack.
Supported with a list of 90,000 IP addresses and a huge list of possible passwords to test, the botnet is able to penetrate WordPress sites and blogs which still have the default “admin” user in place and which do not have a complex password or the new 2-stage authentication option, just introduced by WordPress.com, activated.
The motive is currently unclear, but it could be that whoever is controlling the botnet (made up mostly of virus-infected home PCs) is looking to build an even bigger network, this time made up of more powerful hijacked servers, for a future larger-scale attack of some kind – most likely a DDoS-style attack, which can take prominent web sites and services offline for extended periods of time.
Quickly secure your WordPress site:
1. Update to the latest version of WordPress
Login to your admin dashboard and click “update” at the top of the page. For most sites this will be a quick, easy and painless process. If your site has a complex theme or has been heavily customised, you may prefer to leave this to a web development agency which specialises in WordPress.
2. Remove the default “admin” user
Create a new user with “administrator” privileges. Then delete the default “admin” user account. If you have users called “test” or “root”, these should also be deleted, as they are known to be on the target list.
3. Add a CAPTCHA to the login page
A CAPTCHA can help eliminate or greatly reduce automated scripts from attempting to login to your site. There are several free options, which you can access from inside your WordPress dashboard in the plugins area. One popular free plugin is called “SI CAPTCHA Anti-Spam” and seems to work well at preventing automated login attempts.
There are a number of commercial offerings out there too which offer security scans and enhanced lock-down options. However, one of the main flaws with these services is that they are often focussed on blocking login attempts or multiple incorrect password entries (often a sign of a brute force attack) based on the IP address of the user. The current attacks have originated from a network of over 90,000 unique IP addresses, so blocking login attempts based on IP, on time frequency, or on both will be ineffective: each IP only needs to make a handful of attempts before the next one takes over.
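To see why per-IP lockouts miss this kind of attack, here is a small log-analysis script (an added example, not from the original article or any plugin) that aggregates failed wp-login.php POSTs across all source IPs instead of per IP. It assumes the Apache/nginx “combined” access-log format and relies on WordPress answering a failed login POST with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; the log lines are constructed sample data.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: 120 distinct IPs, one failed attempt each, then one
# real login (302 to the dashboard) from an unrelated address.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.{i + 1} - - [12/Apr/2013:10:{i % 60:02d}:00 +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 3512' for i in range(120)]
    + ['192.0.2.7 - - [12/Apr/2013:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '192.0.2.7 - - [12/Apr/2013:10:15:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9831']
)

def login_failures(log_text):
    """Return (failed wp-login.php POSTs per IP, number of successful logins)."""
    per_ip = Counter()
    successes = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or not m['path'].startswith('/wp-login.php'):
            continue
        if m['status'] == '200':      # failed login: WordPress re-renders the form
            per_ip[m['ip']] += 1
        elif m['status'] == '302':    # successful login: redirect to wp-admin
            successes += 1
    return per_ip, successes

def assess(per_ip, per_ip_lockout=5, total_threshold=50):
    """Contrast what a per-IP lockout would block with the site-wide failure total."""
    total = sum(per_ip.values())
    blocked = [ip for ip, n in per_ip.items() if n >= per_ip_lockout]
    return {
        'total_failures': total,
        'distinct_ips': len(per_ip),
        'ips_a_lockout_would_block': len(blocked),
        # many failures overall, yet no single IP ever trips the lockout
        'distributed_bruteforce': total >= total_threshold and not blocked,
    }

if __name__ == '__main__':
    counts, ok = login_failures(SAMPLE_LOG)
    print(assess(counts), 'successful logins:', ok)
```

On the sample data the site-wide view flags 120 failures from 120 addresses while a 5-attempts-per-IP lockout would block nothing, which is exactly the blind spot described above.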
If your site is compromised, the result is that a small script is hidden on your web server which will allow the attackers unhindered access to your WordPress site in the future, even after you change the password or remove the admin account. Therefore, it is important that WordPress site owners act quickly to remove easy-to-guess admin accounts and use strong passwords. You may also want to review which user accounts have “administrator” privileges – perhaps not all users need full access? By reducing the number of live administrator accounts set up, you are reducing the risk of one of those accounts becoming a way in for an unauthorised user or automated script.
About the author: Mark McDonald is a technical consultant and WordPress fan at Abstract Indigo, a web development agency in London.