Last week a large botnet that launches brute force attacks against WordPress blogs and websites was detected. Some WordPress hosting providers suffered downtime from the traffic, security vendors are using the opportunity to sell their WordPress security services, and thousands of WordPress sites have been compromised.
The botnet is running a mass brute force attack against WordPress installations by guessing the administrator credentials. The attack comes from over 90,000 IP addresses, so blocking individual addresses or throttling logins per IP will not stop it: with that many sources the botnet can send each request from a different IP address, one per second, for over 24 hours, and no single address ever trips a per-IP limit.
From the attack logs we have seen, the botnet is trying generic usernames, such as admin, the default WordPress installation account. Other usernames used by the botnet are administrator, test and root. For passwords it is using the most commonly used ones, such as admin, qwerty, password and 123456.
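The point above about per-IP throttling is easiest to see on actual log lines. The script below is an added example, not code from the original post or from WebsiteDefender: it counts failed `wp-login.php` POSTs in a web server access log and compares what a per-IP ban rule sees with what the site as a whole sees. The log lines are constructed samples in Apache "combined" format with documentation-range IP addresses, and the 200-versus-302 rule (a failed WordPress login re-renders the form with 200, a successful one redirects with 302) is the assumption the detection rests on.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample logs (not captured attack data). Client IPs come from the
# RFC 5737 documentation ranges. The botnet pattern: one attempt per address.
DISTRIBUTED = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2917 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.21 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# The classic single-source brute force that a per-IP rule does catch.
SINGLE_SOURCE = "".join(
    f'192.0.2.7 - - [12/Apr/2013:11:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"\n'
    for s in range(1, 7)
)


def failed_login_attempts(log_text):
    """Yield (ip, datetime) for each failed wp-login.php POST.

    Assumption: a failed WordPress login re-renders the form with HTTP 200,
    a successful one answers 302 to wp-admin, so only the 200s are counted.
    GETs of the login page are ignored as well.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FORMAT)


def summarize(log_text, per_ip_threshold=5):
    """Compare what a per-IP limit sees against what the whole site sees."""
    attempts = list(failed_login_attempts(log_text))
    per_ip = Counter(ip for ip, _ in attempts)
    times = [t for _, t in attempts]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {
        "total_failed": len(attempts),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "span_seconds": span,
        # Addresses a per-IP rule (fail2ban style) would have banned.
        "ips_over_threshold": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
    }


if __name__ == "__main__":
    for name, log in ("distributed botnet", DISTRIBUTED), ("single source", SINGLE_SOURCE):
        print(name, summarize(log))
```

Run against the constructed botnet sample, eight failed logins arrive within seven seconds but every address stays at one attempt, so a per-IP threshold of five bans nobody; the single-source sample trips it immediately. Any rule that is meant to slow this botnet down therefore has to key on the site-wide failure rate, or on the target account, rather than on the client address.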
Since last week I have seen many WordPress security companies trying to sell their services or WordPress security software to desperate WordPress site owners. The reality is that you do not need to spend a penny to protect your WordPress site from such mass brute force attacks; the solutions are available for free. If you are subscribed to WebsiteDefender and apply the suggested security changes, your WordPress site is protected from this mass brute force attack.
If your administrator account has a non-default username and a strong password, the botnet's list of common usernames and passwords will never match it, and guessing is all this attack does. You can add a second layer of defence by putting the WordPress login page and administration screens behind HTTP authentication, so that a request has to pass the web server's check before WordPress ever sees the login attempt.
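One way to put the login page and the administration screens behind HTTP Basic authentication on Apache, as an added example that is not part of the original post or of WebsiteDefender. It assumes Apache 2.4 with `.htaccess` processing enabled (`AllowOverride AuthConfig Limit`), and a password file created beforehand with `htpasswd -c /etc/apache2/wp.htpasswd <name>`; the file path and the `<name>` are placeholders.

```apache
# --- in the site's document root .htaccess ---
# Guard the login form itself; the botnet POSTs here.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/wp.htpasswd
    Require valid-user
</Files>

# --- in wp-admin/.htaccess ---
# Guard every administration screen.
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/wp.htpasswd
Require valid-user

# admin-ajax.php is called by themes and plugins for anonymous visitors,
# so it must stay reachable without credentials.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Use a password for the HTTP layer that differs from the WordPress administrator password, and serve the login over HTTPS, since Basic authentication only base64-encodes the credentials. Note that this covers `wp-login.php` only; `xmlrpc.php` also accepts WordPress credentials and needs the same protection if it is left enabled.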
If you are still using the default WordPress admin account, change the username as soon as possible. Acunetix published an easy-to-follow tutorial that shows how to rename the default WordPress admin account.