We have been made aware of a global distributed attack on webservers around the world which host WordPress websites.
It’s not yet known who is behind the attack, which is currently using more than 90,000 IP addresses to attempt to brute force the default admin user credentials of WordPress-powered websites around the world. The attack does appear to be coming from a cluster of botnet-infected computers.
This attack is not limited to any single web host (including ourselves); it is a global event that could affect any web host.
As a responsible host, we would like to make you aware of this global issue and how you can help protect your own WordPress website from becoming affected.
What you can do to mitigate the botnet attack
1) Avoid simple or obvious passwords
Choose a long password with a mix of numbers, letters (upper and lowercase) and special symbols (!£$%& etc)
An example of a poor password: mypass
An example of a good password: vg^jhgHG57
A strong password matters because a “brute force” attack tries to log in with the admin username and passwords taken from dictionary “wordlists” (many thousands of common words and passwords). A completely random password is unlikely to appear on any such list.
2) Change the “admin” username
All WordPress sites have “admin” as the administrator username by default. Knowing a valid username solves half the puzzle for a brute force attack. If you change the username to something else, the botnet not only has to guess your password, but also the username.
3) Keep plugins up to date
When you log into your WordPress site, look out for any available updates – if there are any, apply them! Updates often fix problems and security issues such as “backdoors”. Many hackers exploit holes that have been identified in older versions of WordPress and its plugins.
4) Install the “Limit Login Attempts” plugin
This plugin (available from your WordPress control panel or here) limits the number of login attempts that can be made. If the limit is breached, the IP address is automatically blocked for a few minutes. If the limit continues to be breached, the IP is permanently blocked. This is an extremely effective defence against brute force hacking.
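To show why a lockout of this kind works, here is a self-contained model of the mechanism described above: a per-IP failure counter, a timed lockout once the limit is hit, and a permanent block once lockouts keep recurring. This is an added example written for this advisory, not the plugin’s own code; the thresholds (4 failures, 20-minute lockout, 3 lockouts), the account name “siteowner” and the IP addresses are all constructed for the demonstration.

```python
"""Model of per-IP login throttling (added example; thresholds are constructed)."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class IPState:
    failures: int = 0          # failed attempts since the last lockout/success
    lockouts: int = 0          # how many timed lockouts this IP has earned
    locked_until: float = 0.0  # epoch seconds until which the IP is locked
    permanent: bool = False    # set once the IP exceeds the lockout limit


@dataclass
class LoginLimiter:
    max_failures: int = 4            # failures that trigger a timed lockout
    lockout_seconds: int = 20 * 60   # length of a timed lockout
    max_lockouts: int = 3            # lockouts that trigger a permanent block
    states: Dict[str, IPState] = field(default_factory=dict)

    def _state(self, ip: str) -> IPState:
        return self.states.setdefault(ip, IPState())

    def is_blocked(self, ip: str, now: float) -> bool:
        st = self._state(ip)
        return st.permanent or now < st.locked_until

    def record_failure(self, ip: str, now: float) -> str:
        """Count a failed attempt; returns 'counted', 'locked' or 'permanent'."""
        st = self._state(ip)
        st.failures += 1
        if st.failures < self.max_failures:
            return "counted"
        # Limit reached: reset the counter and escalate.
        st.failures = 0
        st.lockouts += 1
        if st.lockouts >= self.max_lockouts:
            st.permanent = True
            return "permanent"
        st.locked_until = now + self.lockout_seconds
        return "locked"

    def record_success(self, ip: str) -> None:
        # A real login clears the failure counter but keeps lockout history.
        self._state(ip).failures = 0


def attempt_login(limiter: LoginLimiter, ip: str, username: str, password: str,
                  now: float, credentials: Dict[str, str]) -> str:
    """Gate one login attempt: 'blocked' attempts never reach the password check."""
    if limiter.is_blocked(ip, now):
        return "blocked"
    if credentials.get(username) == password:
        limiter.record_success(ip)
        return "ok"
    return limiter.record_failure(ip, now)


def simulate_botnet_burst(attempts: int = 40) -> dict:
    """Replay a constructed burst of guesses from one bot IP against the 'admin' name.

    The bot guesses once per second and, when locked out, waits for the lockout
    to expire and resumes. The returned summary counts what happened to each
    guess and then checks whether the legitimate owner can still log in.
    """
    limiter = LoginLimiter()
    creds = {"siteowner": "vg^jhgHG57"}  # constructed account; password is the advisory's example
    bot_ip, owner_ip = "203.0.113.7", "198.51.100.4"  # constructed, documentation ranges
    t = 0.0
    summary: Dict[str, int] = {"counted": 0, "locked": 0, "permanent": 0, "blocked": 0}
    for i in range(attempts):
        result = attempt_login(limiter, bot_ip, "admin", f"guess{i}", t, creds)
        summary[result] = summary.get(result, 0) + 1
        if result == "blocked" and not limiter.states[bot_ip].permanent:
            t = limiter.states[bot_ip].locked_until  # bot waits out the timed lockout
        else:
            t += 1.0
    # Guesses that actually reached the credential check.
    summary["guesses_checked"] = summary["counted"] + summary["locked"] + summary["permanent"]
    # The owner logs in fine from their own address ...
    summary["owner_from_own_ip"] = attempt_login(limiter, owner_ip, "siteowner", "vg^jhgHG57", t, creds)
    # ... but would be shut out if they shared the bot's (now permanently blocked) address.
    summary["owner_from_bot_ip"] = attempt_login(limiter, bot_ip, "siteowner", "vg^jhgHG57", t, creds)
    return summary


if __name__ == "__main__":
    print(simulate_botnet_burst())
```

Of the 40 guesses in the simulation only 12 reach the password check; the rest are turned away before WordPress ever looks at them, which is what makes a wordlist attack impractical against a throttled login. The last line of the summary is the trade-off to keep in mind: a permanent per-IP block also shuts out anyone else behind that address, so users on a shared or NAT’d connection can be caught by a block meant for a bot.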
5) ADVANCED: Block the admin login page to everyone but your own fixed IP
If you only access your WordPress admin login from a single network and have a static IP address on your connection, you can add this to the .htaccess file in your WordPress installation:
<FilesMatch "^wp-login\.php$">
Order Allow,Deny
Allow from xxx.xxx.xxx.xxx
Deny from all
</FilesMatch>
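The Order/Allow/Deny directives above are the Apache 2.2 access-control syntax; Apache 2.4 only accepts them when the mod_access_compat module is loaded, and otherwise the rule produces a server error on the login page. As an added example, not part of the original advisory, the equivalent rule in Apache 2.4 syntax is shown below. The address is a placeholder to replace with your own static IP; a second Require ip line can be added for a second address.

```apache
<FilesMatch "^wp-login\.php$">
    Require ip xxx.xxx.xxx.xxx
</FilesMatch>
```

Whichever syntax your server uses, remember that if your connection’s IP address changes, this rule will lock you out of the login page too; the fix is to edit the .htaccess file through FTP or your hosting control panel rather than through WordPress.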