As I write this, hosting companies all over the world are fighting off a huge attack on WordPress websites that has been going on for at least 24 hours.
Our sites were hit for about 20 minutes yesterday afternoon, but thankfully our hosting company has a solution so all our customer websites have been safe today.
How are the attacks happening?
Basically, the attack is being carried out by a botnet: an army of computers infected with malware and under a single attacker's control.
They are simultaneously hitting thousands of WordPress login pages and trying to guess the password to get into the sites.
They also cycle through various obvious usernames, but most of all they try the default ‘admin’ username.
This is called a brute-force login attack, and an estimated 90,000 IP addresses are involved.
What they will do if and when they actually get in to websites is not known, but we’d expect the usual nasty surprises you get with a hacked WordPress site.
But a by-product of this attack is that websites all over the world are slowing down, whether or not they use WordPress: most websites are on shared hosting, and since WordPress is the most popular content management system in the world, most sites are bound to be sharing a server with WordPress sites.
The flood of repeated login attempts loads those servers and slows everything on them down, even when every guess fails.
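The reason the distributed nature of this attack matters is that the usual defence, locking out an IP address after a few failed logins, never fires when each of 90,000 addresses only tries a couple of passwords. The following is an added example (not code from the original post or from any WordPress plugin) that runs both kinds of counting over web-server access logs. It assumes Apache combined log format and that a failed WordPress login shows up as a POST to /wp-login.php answered with 200 (the form is re-rendered), while a successful login redirects with 302; the log lines, thresholds and IP addresses are constructed for illustration.

```python
"""Distributed brute force against wp-login.php: per-IP vs site-wide counting.

Added example, not code from the original post or from any plugin. Assumes
Apache combined log format, and that a failed WordPress login is a POST to
/wp-login.php answered with 200 (the form is re-rendered) while a success
redirects (302). All log lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=10)  # assumed observation window


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Parsed records that look like a failed WordPress login attempt."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            out.append(rec)
    return out


def exceeds(times, threshold, window=WINDOW):
    """True if some span of length `window` holds at least `threshold` timestamps."""
    times = sorted(times)
    j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def per_ip_lockouts(failures, threshold=5):
    """What a per-IP limiter sees: only IPs that cross the threshold on their own."""
    by_ip = defaultdict(list)
    for rec in failures:
        by_ip[rec["ip"]].append(rec["ts"])
    return {ip for ip, ts in by_ip.items() if exceeds(ts, threshold)}


def site_wide_alert(failures, threshold=50):
    """What a per-site counter sees: every failure, regardless of source IP."""
    return exceeds([rec["ts"] for rec in failures], threshold)


def analyse(lines):
    failures = failed_logins(lines)
    return {
        "failed_attempts": len(failures),
        "distinct_ips": len({rec["ip"] for rec in failures}),
        "per_ip_lockouts": per_ip_lockouts(failures),
        "site_wide_alert": site_wide_alert(failures),
    }


def build_sample_log():
    """Constructed log: 120 bot IPs making 2 failed attempts each within 8 minutes,
    one clumsy single IP making 6 attempts, plus ordinary traffic and one real login."""
    start = datetime(2013, 4, 12, 14, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (start + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3120 "-" "Mozilla/5.0"'

    lines = [line("198.51.100.9", 5, "GET", "/", 200)]
    for n in range(120):
        ip = f"203.0.113.{n + 1}"
        lines.append(line(ip, 4 * n, "POST", "/wp-login.php", 200))
        lines.append(line(ip, 4 * n + 2, "POST", "/wp-login.php", 200))
    for k in range(6):
        lines.append(line("192.0.2.7", 30 * k, "POST", "/wp-login.php", 200))
    lines.append(line("198.51.100.9", 400, "POST", "/wp-login.php", 302))  # real login
    return lines


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

Run against the constructed log, the per-IP view flags only the one clumsy address and lets all 120 bot addresses through, while the site-wide count of failed attempts crosses its threshold within the first minute. That is why a lockout plugin keyed on the source address does not help here and why the hosting company's blanket authentication layer in front of the login page does.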
If you are one of our customers and you want to get into the back end of your site you may see a password prompt screen you have not seen before.
This is an extra layer of security placed by our hosting company: a web-server authentication prompt that sits in front of the WordPress login page, so the botnet never reaches the login form at all.
The box reads: “A username and password are being requested by http://www.your-site.co.uk. The site says: ‘Automatic Protection’”. It then gives the username and password you need.
For the current status, visit our system status page. Once you have entered these details, you can log in as you normally would.
If you have access to the admin area of your site, make sure you have a secure password.
Minimum password recommendations:
- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers and special characters, such as punctuation or other non-alphanumeric characters
Example weak password:
Improved strong password:
In the meantime we are watching the situation closely and will implement any suggested security improvements across our customer websites as part of our normal service.
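The password recommendations above, together with the advice below never to use the default ‘admin’ account, can be checked mechanically before a password is set. The following is an added example (not code from the original post) that applies those rules and adds two checks a guessing attack defeats trivially: the password must not contain the username, and it must not be one of the obvious guesses a botnet tries first. The guess list is a short constructed one, not a real wordlist.

```python
"""Check a WordPress username and password against the post's minimum rules.

Added example, not code from the original post. The four password rules are
the ones listed above; the username rule and the list of obvious guesses are
additions for illustration (the list is constructed, not a real wordlist).
"""

OBVIOUS_GUESSES = {
    "admin", "password", "password1", "123456", "12345678",
    "qwerty", "letmein", "wordpress", "welcome",
}
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user"}


def password_problems(password, username=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if password.lower() in OBVIOUS_GUESSES:
        problems.append("common guess")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def username_problems(username):
    """Flag the default and other widely guessed account names."""
    if username.lower() in DEFAULT_USERNAMES:
        return [f"'{username}' is a default or commonly guessed account name"]
    return []


def is_acceptable(username, password):
    return not (username_problems(username) or password_problems(password, username))


if __name__ == "__main__":
    for user, pw in [("admin", "password"), ("jane", "Jane2013!"), ("jane", "Tr0ub4dor&3")]:
        print(user, pw, username_problems(user), password_problems(pw, user))
```

Eight characters is the stated minimum, not a target: every extra character multiplies the number of guesses a botnet has to make, so longer is always better.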
Is WordPress not secure?
WordPress itself is fine; this attack goes after the weakest link in any security system, the human factor, by betting on default usernames and guessable passwords.
If your site has a non-default username and a strong password, this attack will not guess its way in. We never use the default ‘admin’ account in WordPress, and we delete it wherever we come across it in installs done by anyone else.
The rest is down to our hosting company, who have added the extra layer of security to block unauthorised access to the login pages in the first place and are making sure all our sites stay live.
WordPress is popular, and therefore it is a target for attacks like this. That is why it is vitally important that you keep your WordPress version and any plugins up to date: updates do not stop password guessing, but they close the known vulnerabilities attackers turn to next.
The problem is not confined to WordPress: there are millions of Joomla websites running out-of-date versions that are just waiting to be hacked, too.
Silicon Republic: Major brute force attack against WordPress under way (note: the Limit Login plugin it suggests will not prevent this attack, because locking out individual IP addresses does nothing against guesses spread across tens of thousands of them).
Matt Mullenweg (WordPress co-founder): Passwords and brute force