WordPress sites across the Internet are currently under attack from a botnet that is carrying out a brute force dictionary attack against the WordPress login page in the hope of finding correct username/password combinations.
This attack is unusually large, with over 80,000 bot clients participating. Although the attack is large, it isn’t particularly sophisticated. The attackers aren’t exploiting a known weakness in WordPress or the software stack it runs on, but are attempting to find WordPress installations with weak authentication configurations. Dictionary attacks essentially throw a lot of guesses at the WordPress login page until they find the right combination.
WordPress installations with sufficiently complex usernames and passwords are probably not at risk. Even with 80,000 bots, the number of guesses the botnet can make is far smaller than the number of possible passwords. It’s more than likely that only installations using the default administrator username “admin” coupled with a weak password are at risk.
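From the hosting side, the attack described above shows up in the web-server access log as many rapid POST requests to wp-login.php from the same client. The following is an added example of how to spot that pattern; it is not code from WordPress, Nexcess or any plugin. It assumes the Apache/nginx combined log format, and the sample lines, addresses and threshold are constructed for illustration.

```python
"""Flag clients hammering wp-login.php in a web-server access log.

Added example for this post; it is not code from WordPress, Nexcess or any
plugin. Lines are expected in the Apache/nginx combined log format; the
sample lines, addresses and threshold below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Leading fields of the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def login_posts(lines):
    """Yield (ip, timestamp) for each POST to the WordPress login page."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than stop mid-file
        ip, ts, method, path, _status = parsed
        if method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php"):
            yield ip, ts


def flag_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: total_login_posts} for clients that made `threshold` or more
    login POSTs inside any span of `window_seconds`.

    A sliding window per client means a burst of guesses is flagged while a
    handful of genuine logins spread over a day is not.
    """
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    for ip, ts in login_posts(lines):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # drop timestamps that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample log: one client guessing rapidly, one making slow, spaced
# attempts, one real user, and one line in an unrelated format.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.7 - - [11/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.7 - - [11/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.7 - - [11/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.7 - - [11/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.7 - - [11/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '192.0.2.9 - - [11/Apr/2013:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '192.0.2.9 - - [11/Apr/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '192.0.2.9 - - [11/Apr/2013:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '192.0.2.9 - - [11/Apr/2013:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '192.0.2.9 - - [11/Apr/2013:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.5 - - [11/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.5 - - [11/Apr/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, count in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs, burst detected")
```

With the defaults only the rapid guesser is reported; the client spacing its attempts an hour apart would only be caught by widening the window, which is the usual trade-off between catching slow attacks and raising false alarms on busy multi-author sites.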
Keeping Your Site Secure
If you are worried about your WordPress site being insecure, there are a number of things you can do.
Use A Secure Password
Good password protocols are an important part of keeping a site safe. In recent years, a large number of stolen password databases have become available to hackers. That means that almost every possible combination you can think of is in the wordlist that is being used for the current dictionary attacks. Safe passwords are those that are sufficiently long and random that a bot is very unlikely to try them in any reasonable amount of time.
We suggest that you use a random password generator like the one included in LastPass to create secure passwords of longer than 20 characters that include numbers, capital letters, and symbols. Humans are very bad at choosing secure passwords for themselves, even when they think they know what they are doing. LastPass will also help you store those passwords.
Don’t forget to ensure that the passwords of all users with administrator permissions for your site are secure.
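To make the claims above concrete (that 80,000 bots cannot cover the space of a long random password, but that anything in a leaked wordlist falls immediately), here is an added worked comparison. It is not code from Nexcess, WordPress or LastPass; the botnet size comes from the post, while the per-client guess rate, the attack duration and the tiny stand-in wordlist are assumptions made for illustration.

```python
"""Compare a botnet's guessing budget with the size of a password keyspace.

Added example for this post; it is not code from Nexcess, WordPress or
LastPass. The botnet size (80,000 clients) comes from the post; the guess
rate per client, the attack duration and the small "leaked password" list
are assumptions made here for illustration.
"""
import string

SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes a generated password may draw from (sizes 10, 26, 26, 32).
CHARSETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation,
}
ALL_CLASSES = ("digits", "lower", "upper", "symbols")

# Constructed stand-in for a leaked-password wordlist (real lists hold millions).
WORDLIST = {"password", "password1", "admin", "letmein", "123456", "wordpress"}


def keyspace(length, classes=ALL_CLASSES):
    """Number of distinct passwords of `length` drawn from the given classes."""
    alphabet_size = sum(len(CHARSETS[c]) for c in classes)
    return alphabet_size ** length


def guess_budget(bots, guesses_per_bot_per_second, seconds):
    """Total guesses the botnet can submit in the given time."""
    return bots * guesses_per_bot_per_second * seconds


def years_to_exhaust(space, bots, guesses_per_bot_per_second):
    """Years needed to try every password in `space` at the botnet's combined rate."""
    return space / (bots * guesses_per_bot_per_second) / SECONDS_PER_YEAR


def in_wordlist(password, wordlist=WORDLIST):
    """True if the password is in the dictionary a bot would try first (case-insensitive)."""
    return password.lower() in wordlist


def assess(password, bots=80_000, rate=1.0, wordlist=WORDLIST):
    """Summarise how a password fares against the botnet described in the post.

    A dictionary hit counts as an immediate compromise whatever its length.
    Otherwise the password is credited only with the classes it actually uses,
    so twenty lowercase letters are rated as 26**20 possibilities, not 94**20.
    The assumed rate is one login POST per bot per second.
    """
    if in_wordlist(password, wordlist):
        return {"in_wordlist": True, "years_to_exhaust": 0.0}
    classes = [name for name, chars in CHARSETS.items() if any(ch in chars for ch in password)]
    if not classes:
        raise ValueError("password uses only characters outside the modelled classes")
    space = keyspace(len(password), classes)
    return {
        "in_wordlist": False,
        "length": len(password),
        "classes": classes,
        "keyspace": space,
        "years_to_exhaust": years_to_exhaust(space, bots, rate),
    }


if __name__ == "__main__":
    print("guesses per day:", guess_budget(80_000, 1, 24 * 3600))
    for pw in ("Password1", "aaaaaaaa", "Tr0ub4dor&3", "x7#Qm9!vL2pR@4sW8zKd"):
        print(pw, assess(pw))
```

Even at the generous assumed rate the botnet makes under seven billion guesses a day, so an eight-character all-lowercase password can be exhausted in weeks while a 20-character mixed password would take longer than the age of the universe; the dictionary check is what actually matters for the passwords people pick by hand.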
Remove The Default Admin Account
All new installations of WordPress have a default user with the username “admin” that has full administrative permissions. It’s probable that the botnet is focusing on finding passwords for sites that have that username active. It makes it a lot easier for them if they only have to guess passwords and not usernames too.
You can’t change the username, so you will instead have to create a different user with admin permissions, and then use that account to delete the default “admin” account.
If you’d rather not delete the admin user, then at least make sure that the account has a very strong password.
Install Apocalypse Meow
Apocalypse Meow is a WordPress extension that offers a number of features to make a WordPress site more secure. Most importantly, it guards against brute-force login attacks by disabling the log-in form after repeated failures. It will also rename the default “admin” account, remove the ability for hackers to easily see which version of WordPress a site is currently using, and store a complete history of log-in attempts.
There is a popular alternative plugin for restricting the number of login attempts, but it’s only guaranteed compatible with versions older than 3.3.2. Up-to-date sites should not use it.
The main reason that hackers want to gain control of WordPress sites is to install malware, which will then infect a site’s visitors or redirect them to other sites. Both Sucuri and WordFence offer malware scanning for WordPress, so should your site be hacked and infected, you’ll be able to tell and prevent the infection of your visitors.
WordFence also includes many of the brute-force prevention features that Apocalypse Meow does.
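The two plugin behaviours that matter most here, disabling the login form after repeated failures and keeping a history of attempts, amount to a small state machine. The following is an added model of that logic; it is not the code of Apocalypse Meow, WordFence or WordPress, and its thresholds, lockout length and sample attempt sequence are assumptions chosen for illustration.

```python
"""Model of a login throttle: lock out after repeated failures and keep a history.

Added example for this post; it is not the code of Apocalypse Meow, WordFence
or WordPress. The thresholds, the lockout length and the sample attempt
sequence are assumptions made here for illustration. Times are plain seconds
so the logic can be exercised without a clock.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures      # failures tolerated inside the window
        self.window = window                  # seconds over which failures are counted
        self.lockout = lockout                # seconds the login form stays disabled
        self._failures = defaultdict(deque)   # key -> times of recent failures
        self._locked_until = {}               # key -> time the lock expires
        self.history = []                     # (time, ip, username, outcome) for every attempt

    @staticmethod
    def _key(ip, username):
        # Track per client address and account; usernames are case-insensitive in WordPress.
        return (ip, username.lower())

    def is_locked(self, ip, username, now):
        until = self._locked_until.get(self._key(ip, username))
        return until is not None and now < until

    def attempt(self, ip, username, password_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'.

        While locked, even a correct password is rejected: otherwise a bot could
        keep guessing and learn the moment it hit the right one.
        """
        key = self._key(ip, username)
        if self.is_locked(ip, username, now):
            self.history.append((now, ip, username, "locked"))
            return "locked"
        if password_ok:
            self._failures.pop(key, None)        # a real login clears the failure count
            self.history.append((now, ip, username, "ok"))
            return "ok"
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                     # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
        self.history.append((now, ip, username, "failed"))
        return "failed"

    def failed_counts(self):
        """Failed attempts per client address, taken from the stored history."""
        counts = defaultdict(int)
        for _t, ip, _user, outcome in self.history:
            if outcome == "failed":
                counts[ip] += 1
        return dict(counts)


def simulate():
    """Run a constructed guessing sequence and return the throttle for inspection."""
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120)
    for t in (0, 10, 20):
        throttle.attempt("198.51.100.7", "admin", False, t)   # three wrong guesses
    throttle.attempt("198.51.100.7", "admin", True, 30)       # right guess, but locked
    throttle.attempt("203.0.113.5", "editor", True, 35)       # other client unaffected
    return throttle


if __name__ == "__main__":
    th = simulate()
    for record in th.history:
        print(record)
    print("failed per IP:", th.failed_counts())
```

Keying on both client address and account is a deliberate choice: keying on the account alone lets a botnet lock legitimate administrators out of their own site, while keying on the address alone does little against 80,000 distinct clients, which is why a strong password remains the first line of defence.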
Keep Your Site Up-To-Date
Although this botnet isn’t trying to use zero-day exploits to hack WordPress sites, that does happen frequently, and keeping your site updated to the most recent version is important to prevent security breaches.
If you follow these simple steps, then your WordPress installation should remain unaffected by the current attacks, but if you use our WordPress hosting and suspect that your site has been accessed without authorization, or discover that it is behaving strangely, don’t hesitate to contact Nexcess support.