As you’re reading this, there are almost a hundred thousand computers across the globe engaged in an automated “botnet” attack against any WordPress installation they come across, repeatedly guessing the password of the “admin” username, and a few variations of it, hundreds of times per minute until they gain access. Once they gain access, the code infects the installation with a back door and that site joins in the attack. It’s this behavior that leads me to label this attack the WordPress virus.
It’s affecting all web hosts, big and small, and some hosts have gone to extremes, locking their own customers out of their WordPress dashboards. Ouch! I wanted to raise awareness of the issue, communicate how Web Wizards is addressing it, and make some recommendations for site owners who want to secure their sites further. I want to clarify that this type of attack doesn’t mean WordPress is any less secure than any other platform; it’s simply more popular, and so it’s more targeted. Any platform can be hit by a similar brute-force attack, and this WordPress botnet attack is similar to a botnet attack that happened in late 2012 against US financial institutions.
To manage this WordPress attack on our servers, our mighty system administrators have implemented specific firewall restrictions at the network level, so our servers are not affected by the load these repeated login attempts can cause. We’ve also implemented login limitations, so that any username that fails to log in more than 3 times in 30 seconds gets its IP address blocked for one hour. We can adjust those timings as needed to whatever best protects the servers and your web sites. We’re doing everything we can to eliminate the threat before it reaches our servers, contain it if it does, and protect our servers and your sites from any performance issues arising from this attack.
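To show how the login limitation above works in practice, here is an added example (written for this post, not Web Wizards’ actual firewall rule set): a sliding-window limiter that blocks an IP for an hour once a username fails more than 3 times in 30 seconds, replayed over constructed log lines. The `epoch ip username result` line format, the per-(IP, username) counter, and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Limits as described in the post: more than 3 failures for a username
# within 30 seconds blocks the source IP address for one hour.
WINDOW_SECONDS = 30
MAX_FAILURES = 3
BLOCK_SECONDS = 3600


class LoginLimiter:
    """Sliding-window failed-login limiter keyed on (ip, username) (assumed keying)."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES, block=BLOCK_SECONDS):
        self.window, self.max_failures, self.block = window, max_failures, block
        self.failures = defaultdict(deque)   # (ip, user) -> recent failure timestamps
        self.blocked_until = {}              # ip -> epoch when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)     # expired or absent: forget it
        return False

    def record_failure(self, ip, user, now):
        """Register one failed attempt; return True if it triggers a block."""
        stamps = self.failures[(ip, user)]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:   # drop entries outside the window
            stamps.popleft()
        if len(stamps) > self.max_failures:
            self.blocked_until[ip] = now + self.block
            stamps.clear()
            return True
        return False


def process_log(lines, limiter=None):
    """Replay 'epoch ip username result' lines; return ({ip: block_expiry}, [(ts, ip) rejected])."""
    limiter = limiter or LoginLimiter()
    blocked, rejected = {}, []
    for line in lines:
        ts, ip, user, result = line.split()
        ts = int(ts)
        if limiter.is_blocked(ip, ts):
            rejected.append((ts, ip))        # dropped before it ever reaches wp-login.php
            continue
        if result == "FAIL" and limiter.record_failure(ip, user, ts):
            blocked[ip] = ts + limiter.block
    return blocked, rejected


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "1365800000 203.0.113.5 admin FAIL",
    "1365800000 198.51.100.7 admin FAIL",
    "1365800003 203.0.113.5 admin FAIL",
    "1365800006 203.0.113.5 administrator FAIL",  # different username, separate counter
    "1365800009 203.0.113.5 admin FAIL",
    "1365800012 203.0.113.5 admin FAIL",          # 4th 'admin' failure in 12 s -> block
    "1365800020 203.0.113.5 admin FAIL",          # rejected while the block is active
    "1365800020 198.51.100.7 admin FAIL",
    "1365800040 198.51.100.7 admin FAIL",
    "1365800060 198.51.100.7 admin FAIL",         # 4 failures, but never more than 3 in any 30 s
]
```

Running `process_log(SAMPLE_LOG)` blocks only 203.0.113.5; the slower source never exceeds 3 failures inside any 30-second window, which is exactly the kind of attempt a fixed per-minute counter would miss or over-block.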
To help further secure your site, the first and foremost thing you can do immediately is log in to your WordPress site and change the password on all Administrator role accounts to something very strong, using numbers, upper and lower case letters, and special symbols such as # $ % ! @ ^ & etc. For more details, see Selecting A Strong Password. (Do this with your email and FTP passwords, too, since those are always targets of automated scripts and spammers. Always use a strong password, and never on multiple sites.)
There are other things you can do to help keep your web site from being subject to these types of attacks, such as making sure your WordPress installation does not use the username “admin”. You can’t change it within the WordPress dashboard, but it’s easy to do by editing the WordPress database itself using a tool like phpMyAdmin (details here).
You can also install any number of WordPress security plugins, such as Better WordPress Security. Using a plugin to ban IP addresses after failed logins is probably ineffective against this attack, simply because the IP addresses are so numerous and change so frequently that processing and blocking all of them would cause more server load than it saves. We’re already doing more at the firewall and router level, so these IPs should be blocked before they reach your site.
Please leave a comment with your thoughts, and reach out if we can help you secure your WordPress site better. We offer WordPress consulting beyond our normal hosting support: we can migrate your web site to our servers if you’re not hosting with us, set up local caching plugins such as WP Super Cache, harden your WordPress site (see this codex.wordpress.org article), and help you set your site up on Cloudflare or Incapsula, too.
For more information on this attack, here are some other good posts: Krebs On Security, Sucuri Security,