There has been news lately of a distributed attack against WordPress sites. A growing botnet has been running dictionary attacks against sites powered by WordPress, in an effort to gain access to the admin panel and infect the server. As is usually the case with botnets, infected servers are assimilated into the pool of compromised systems that make up the botnet and put to use for nefarious purposes such as DDoS attacks.
It’s important to note that this is not a WordPress security flaw, but rather an attempt to systematically guess passwords.
The attacks consist of simple POST requests to wp-login.php with a supplied username of admin and one of many simple, insecure passwords. I’ve noticed plenty in my logs, including rainydays, sophie1, and wordpress. The requests come from a rotation of IP addresses in the botnet, making it difficult to block them outright.
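Because the attempts arrive from a rotating pool of addresses, a per-IP lockout rule can miss the attack entirely: each address may only try once or twice. The script below is an added example (not the post's own code or anything from the WordPress project) showing how to detect the pattern from a web server access log instead. It assumes Apache/nginx combined log format, uses the heuristic that a failed login to wp-login.php returns a 200 (the form is re-rendered) while a successful one returns a 302 redirect, and runs over a few constructed log lines; the thresholds are illustrative and would need tuning for a real site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not taken from any real log).
# 203.0.113.x hosts each POST to wp-login.php once in the same minute; the
# 192.0.2.5 entry is a legitimate login that WordPress answered with a 302.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:08:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:08:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:08:15:03 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:08:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:08:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:08:16:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:09:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_login_posts(log_text):
    """Return (ip, timestamp, status) for every POST to /wp-login.php."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts.append((m["ip"], ts, int(m["status"])))
    return attempts


def failed_attempts_per_minute(attempts):
    """Bucket failed login POSTs by minute.

    Heuristic (assumption): status 200 means the login form was re-rendered,
    i.e. the attempt failed; WordPress answers a successful login with a 302.
    Returns {iso_minute: {"total", "distinct_ips", "max_per_ip"}}.
    """
    buckets = defaultdict(list)
    for ip, ts, status in attempts:
        if status == 200:
            buckets[ts.replace(second=0, microsecond=0)].append(ip)
    summary = {}
    for minute, ips in buckets.items():
        summary[minute.isoformat()] = {
            "total": len(ips),
            "distinct_ips": len(set(ips)),
            "max_per_ip": max(Counter(ips).values()),
        }
    return summary


def flag_distributed_bursts(attempts, site_threshold=3, per_ip_threshold=5):
    """Minutes where site-wide failures reach site_threshold while no single
    address reaches per_ip_threshold: the signature of a rotating-IP attack
    that a per-IP lockout would never trip on."""
    flagged = []
    for minute, s in sorted(failed_attempts_per_minute(attempts).items()):
        if s["total"] >= site_threshold and s["max_per_ip"] < per_ip_threshold:
            flagged.append((minute, s["total"], s["distinct_ips"]))
    return flagged


if __name__ == "__main__":
    for minute, total, distinct in flag_distributed_bursts(parse_login_posts(SAMPLE_LOG)):
        print(f"{minute}: {total} failed logins from {distinct} addresses")
```

On the sample input the 08:15 minute is flagged (four failures from four addresses) even though no address exceeds a single attempt, which is exactly the case a per-IP rule misses. In practice the site-wide count would be compared against the site's normal baseline of failed logins rather than a fixed number.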
It’s easy enough to protect yourself from the attacks, providing you follow some simple best practices.
1. Get Rid of the Admin User
Historically, every WordPress installation would come with an administrative user named admin, which was created during the setup process. In more recent versions, the setup screen prompts you to choose your own username instead of providing a default. Check the Users screen in your WordPress backend to see if a user named admin exists. If it does, you should replace it with a profile that has a unique name, ensuring that the new account has administrative privileges.
Having a user account with that default name is a bad idea, because numerous attacks over the years have operated under the assumption that the operators of many WordPress sites will have been too lazy to change it. The current attack only tries passwords for a user named admin, as well, so ensuring that such a user does not exist will go a long way toward protecting your site.