WordPress Users – Your Admin Password May Get Stolen
Hackers Use Large Botnet To Gain Access.
If you are using WordPress, it would be a good idea to use a very strong password and make sure your username is not ‘admin’. A brute-force, dictionary-based attack is under way that aims to guess the password of the ‘admin’ account, which every WordPress site sets up by default.
According to industry sources, this is a well-organized and highly distributed attack; around 90,000 IP addresses are believed to be involved. Successfully exploited sites get a backdoor installed that gives the attackers ongoing access to the WordPress site, regardless of whether a user subsequently changes the password the attackers guessed. Exploited sites are then used to scan for other WordPress installations and launch the same type of attack against them.
According to CloudFlare, the hackers control about 100,000 bots. The CloudFlare team believes that the attacker is currently using a network of relatively low-powered home PCs, but the aim is “to build a much larger botnet of beefy servers in preparation for a future attack”. Home PCs can be the staging ground for a larger denial-of-service attack, but servers have access to far more bandwidth and can therefore push out far larger volumes of traffic.
Some of the measures you could take to protect your WordPress sites are:
- Choose a very strong password – which is always a good idea.
- Change admin-level credentials frequently.
- Install WordPress security plugins such as wp-fail2ban, Lockdown WP Admin, Better WP Security or BulletProof Security, or simply harden WordPress by restricting access to the admin console to approved IP addresses.
- WordPress founder Matt Mullenweg notes in a blog post that changing your ‘admin’ username to something a bit more obscure may be your best defense given that the hackers have 90,000 IPs at their disposal.
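As an added example (not code from the original post or from any of the plugins named above), the following Python script shows the two defensive controls the list describes: a wp-fail2ban-style counter that flags source IPs with too many failed `wp-login.php` POSTs inside a sliding time window, and an allowlist check that limits `/wp-admin` and `wp-login.php` to approved addresses. The log lines, thresholds and allowlisted network are constructed for the example (RFC 5737 documentation addresses), and treating an HTTP 200 on the POST as a failed login and a 302 as a success is an assumption about default WordPress behaviour.

```python
"""Brute-force detection and admin allowlisting for WordPress logins.

Added example, not code from the original post or from wp-fail2ban.
All log lines and addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed: one source hammering the login form, one successful login,
# one legitimate user with a single failed attempt, and a malformed line.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [13/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [13/Apr/2013:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [13/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    # A late attempt outside the 10-minute window: the earlier six have expired.
    '198.51.100.7 - - [13/Apr/2013:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    "not a log line",
]

# Constructed allowlist: the only network allowed to reach the admin console.
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def find_brute_forcers(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Return {ip: peak_attempts} for IPs exceeding max_attempts failed logins
    within `window`. Assumption (default WordPress): a POST to wp-login.php
    that re-renders the form returns 200 (failure); success is a 302 redirect.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] != "/wp-login.php" or rec["status"] != 200:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Slide the window: discard failures older than `window`.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def admin_request_allowed(ip, path):
    """Allow admin-console paths only from the allowlisted networks;
    every other path is unaffected."""
    if not (path.startswith("/wp-admin") or path == "/wp-login.php"):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


if __name__ == "__main__":
    for ip, n in find_brute_forcers(SAMPLE_LOG).items():
        print(f"ban candidate: {ip} ({n} failed logins in window)")
    print("admin from allowlist:", admin_request_allowed("203.0.113.10", "/wp-admin/"))
    print("admin from elsewhere:", admin_request_allowed("198.51.100.7", "/wp-login.php"))
```

Feeding a real server's access log into `find_brute_forcers` gives the list of sources a fail2ban jail would ban; the sliding window is what keeps a legitimate user who mistypes a password twice from being flagged, and the allowlist check is the logic a web-server `Require ip` or `allow` rule applies before WordPress ever sees the request.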