Right now there is a worldwide brute force attack targeted at WordPress sites. The attack is extremely large in scale, and many of the big hosting companies are reporting impact. For most WordPress-based sites the biggest effect is a slowdown in performance, caused by the sheer volume of traffic the attack is driving at the hosting companies' servers.
The attack is a brute force attack on the default admin account: it repeatedly submits login requests for the username “admin”, trying more than 1,000 common passwords. From what I have read, the attack is having reasonable success because bloggers have not properly secured their WordPress-based blogs. A side effect of the attack is denial of service, since the volume of login requests alone is enough to overload the servers handling them.
Could your site be impacted? Absolutely. Here’s what you can do to keep your site safe.
Remove the admin account
Since the 3.0 release, the WordPress installer has let you give the first administrator account any name you like. Most people did not do this and kept the default “admin” account. If your site still has a user named admin, you should:
- Log in to your WordPress site, go to the Users section and create a new user with a name other than admin, giving that user the Administrator role.
- Log out, and log back in as the new user.
- Delete the admin user. If there are posts published under admin, WordPress will ask which user they should be attributed to before it deletes the account.
If you are setting up a new WordPress installation, do not accept the default admin account; choose a different name for your administrator accounts going forward.
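The same three steps can be done from the command line. The script below is an added example written for this post, not code from WordPress or the original author. It is meant to be run once with WP-CLI's `wp eval-file`, which loads WordPress before executing the file; the new login name and e-mail address are placeholders you must change.

```php
<?php
/**
 * replace-admin.php: perform the three steps above in one go.
 * Run once from the site's root directory with WP-CLI, which loads WordPress first:
 *     wp eval-file replace-admin.php
 * Example code written for this post, not from WordPress or the original author.
 * The new login name and e-mail are placeholders; change them before running.
 */
$new_login = 'site_owner';          // placeholder: anything but "admin"
$new_email = 'owner@example.com';   // placeholder

if (!defined('ABSPATH')) {
    fwrite(STDERR, "WordPress is not loaded; run this through 'wp eval-file'.\n");
    exit(1);
}
require_once ABSPATH . 'wp-admin/includes/user.php';   // provides wp_delete_user()

$old = get_user_by('login', 'admin');
if (!$old) {
    echo "No user named 'admin' exists; nothing to do.\n";
    exit(0);
}
if (username_exists($new_login) || email_exists($new_email)) {
    fwrite(STDERR, "The new login or e-mail is already in use; pick another.\n");
    exit(1);
}

// Step 1: create the replacement administrator with a random temporary password.
$password = wp_generate_password(24, true, true);
$new_id   = wp_insert_user(array(
    'user_login' => $new_login,
    'user_email' => $new_email,
    'user_pass'  => $password,
    'role'       => 'administrator',
));
if (is_wp_error($new_id)) {
    fwrite(STDERR, 'Could not create user: ' . $new_id->get_error_message() . "\n");
    exit(1);
}

// Step 2 (the "log in as the new user" check): confirm the Administrator role
// really stuck before anything is deleted, or you could lock yourself out.
$new = get_user_by('id', $new_id);
if (!$new || !in_array('administrator', (array) $new->roles, true)) {
    fwrite(STDERR, "New user is not an administrator; aborting without deleting 'admin'.\n");
    exit(1);
}

// Step 3: delete "admin", reassigning its posts and links to the new account
// (the same "attribute all content to" choice the dashboard offers).
if (!wp_delete_user($old->ID, $new_id)) {
    fwrite(STDERR, "Deleting 'admin' failed; check the database manually.\n");
    exit(1);
}
echo "Created '$new_login' (ID $new_id) and deleted 'admin'.\n";
echo "Temporary password, change it after the first login: $password\n";
```

The script refuses to delete anything until it has confirmed the new account really holds the Administrator role, which is the command-line equivalent of logging in as the new user before removing the old one. On a multisite network `wp_delete_user()` only removes the user from the current site; use `wp user delete <login> --reassign=<id>` there instead.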
Use a secure password
Far too many people use common, easy-to-guess passwords; don’t make this mistake. Your WordPress password should be at least 8 characters long (longer is better), and preferably random. Random Password Generator is a great place to get a random, highly secure password.
While highly secure, random passwords are difficult to remember, with the unfortunate consequence that people save the password somewhere potentially unsafe. I ran across a better alternative that uses 4 common words. While not as secure as random characters, it’s easy to remember and still highly secure. Here’s a cartoon that shows why. I’ve been using this mechanism for some time now.
If you don’t have a highly secure password, go change your WordPress passwords right now and make them secure.
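To make the word-list scheme concrete, here is an added example (not from the original post) that generates a four-word passphrase with PHP's cryptographic random number generator and prints the entropy of each option so the two approaches can be compared. The eight-word list is a constructed stand-in; a real passphrase list has thousands of entries.

```php
<?php
/**
 * Added example for this post: generate a four-word passphrase and compare its
 * strength with an 8-character random password. The word list below is a tiny
 * constructed stand-in; use a published list of several thousand words in practice.
 */

// Pick $count words uniformly at random from $words. random_int() uses the
// operating system's CSPRNG; rand() and array_rand() are not safe for this.
function passphrase(array $words, int $count = 4, string $sep = '-'): string {
    $picked = array();
    for ($i = 0; $i < $count; $i++) {
        $picked[] = $words[random_int(0, count($words) - 1)];
    }
    return implode($sep, $picked);
}

// Entropy in bits for $count independent, uniform picks from a pool of $pool_size
// symbols (characters or words): count * log2(pool_size).
function entropy_bits(int $pool_size, int $count): float {
    return $count * log($pool_size, 2);
}

$sample_words = array('maple', 'river', 'candle', 'orbit',
                      'velvet', 'thunder', 'pixel', 'harbor');   // constructed list
echo "Example passphrase: ", passphrase($sample_words), "\n\n";

printf("4 words from this 8-word sample list:   %5.1f bits\n", entropy_bits(8, 4));
printf("4 words from a 7776-word list:          %5.1f bits\n", entropy_bits(7776, 4));
printf("8 random printable ASCII characters:    %5.1f bits\n", entropy_bits(94, 8));
printf("8 random lowercase letters:             %5.1f bits\n", entropy_bits(26, 8));
```

The numbers show where the strength of the four-word scheme comes from: four words drawn from a 7776-word list give about 51.7 bits, essentially the same as 8 random printable characters (52.4 bits) and far more than 8 lowercase letters (37.6 bits). That holds only when the generator picks the words; four words a person chooses for themselves come from a much smaller, guessable pool.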
Limit login attempts
The brute force attack tries to log in to your admin account over and over with different passwords. A plugin called Simple Login Lockdown limits the number of consecutive failed login attempts allowed within a certain time period, which makes guessing passwords from a single address impractical.
I would recommend you install this plugin, and use the default settings.
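For readers who prefer to see what such a plugin does, here is an added example that implements the same idea as a must-use plugin. It is written for this post and is not the Simple Login Lockdown plugin's code; the attempt limit, window and lockout duration are assumed values.

```php
<?php
/*
Plugin Name: Login Lockout (added example)
Description: Per-address lockout after repeated failed logins, plus a hard refusal of the "admin" username.
*/
// Save as wp-content/mu-plugins/login-lockout.php (create the directory if needed);
// must-use plugins load automatically and cannot be deactivated from the dashboard.
// Example code written for this post, not the Simple Login Lockdown plugin's code.

define('LL_MAX_FAILURES', 5);      // failures tolerated per window (assumed value)
define('LL_WINDOW_SECS',  600);    // 10-minute counting window (assumed value)
define('LL_LOCKOUT_SECS', 1800);   // 30-minute lockout once the limit is hit (assumed value)

// REMOTE_ADDR is the only address the client cannot forge. If the site sits behind
// a reverse proxy you control, read that proxy's forwarded header here instead;
// never trust X-Forwarded-For from arbitrary clients, or an attacker just rotates
// the header to dodge the lockout.
function ll_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names have a length limit, so hash the address into the key.
function ll_key($prefix) {
    return $prefix . md5(ll_client_ip());
}

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a WP_Error returned here is the final result the login form sees.
function ll_check_lockout($user, $username, $password) {
    if (empty($username)) {
        return $user;   // not a login attempt
    }
    if (strtolower($username) === 'admin') {
        // The attack only ever tries "admin"; once the account has been renamed
        // there is no legitimate reason to let that name through at all.
        return new WP_Error('ll_bad_user', 'Invalid login.');
    }
    if (get_transient(ll_key('ll_lock_'))) {
        return new WP_Error('ll_locked', 'Too many failed logins from your address. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'll_check_lockout', 30, 3);

// Count failures per address. set_transient() refreshes the expiry each time,
// so the window slides instead of resetting on a fixed clock.
function ll_record_failure($username) {
    $key      = ll_key('ll_fail_');
    $failures = (int) get_transient($key) + 1;
    if ($failures >= LL_MAX_FAILURES) {
        set_transient(ll_key('ll_lock_'), time(), LL_LOCKOUT_SECS);
        delete_transient($key);
        return;
    }
    set_transient($key, $failures, LL_WINDOW_SECS);
}
add_action('wp_login_failed', 'll_record_failure');

// A successful login clears the failure counter for that address.
function ll_clear_failures($user_login, $user) {
    delete_transient(ll_key('ll_fail_'));
}
add_action('wp_login', 'll_clear_failures', 10, 2);
```

Two caveats a practitioner should keep in mind. First, WordPress has already hashed and compared the password by the time this filter runs, so a locked-out request still costs CPU; to shed the load the post describes, block repeat offenders at the web server or firewall as well. Second, a lockout keyed by address limits each bot to a handful of guesses, but a botnet spread over many addresses can still distribute its 1,000-password list across them, so the non-default username and a strong password remain the primary defense. Logins over XML-RPC go through the same `authenticate` filter, so they are covered too.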
Perform a security audit
While the current version of the WordPress attack uses a brute force method to attempt to compromise your WordPress install, future versions could become more sophisticated. Now is the time to go ahead and “shore up” your WordPress security and make sure everything is locked down.
A good plugin that analyzes your WordPress security and tells you what changes need to be made is Better WP Security. When activated, it analyzes your WordPress site and lets you resolve any issues it finds with one click. The plugin also contains more advanced options. I use this plugin on my sites as a secondary review, just to make sure I haven’t missed anything. Highly recommended. I would recommend deactivating it once you are done; the plugin doesn’t need to run all the time.
Wordfence is another security plugin that I’ve been looking at; it seems to go a little further than Better WP Security, as it contains a firewall and will actively block malicious bots and hack attempts. I’m still reviewing this one, though, and am not at a point where I can “officially recommend it”, but it seems impressive thus far.
Keep your WordPress and theme files updated
This is another common WordPress mistake. Failing to keep your WordPress installation, themes and plugins updated can result in your site being compromised. Many WordPress and theme patches exist specifically to address known security issues. Attackers know that people don’t commonly keep their sites updated; they actively scan for sites not running the latest versions and use the known exploits to compromise them.
When you receive an update notice from WordPress, especially for a “dot release” (3.1, 3.12, 3.5.1, etc.), go ahead and upgrade your site. I realize that WordPress updates don’t always go smoothly, but dealing with upgrade problems is far easier than dealing with a hacked site.
Just make sure you back up your WordPress site (files and database) before you upgrade, so you can easily restore it if you have issues.
Have you been impacted by the WordPress attack? I personally haven’t, not even a slowdown, but I do know a few friends and clients who have been. They weren’t hacked, but their sites are running very slowly because of the attack.
Photo by: Orin Zebest