Important Security Update: Global Brute Force WordPress Attack
WordPress remains one of the most secure website solutions when it is secured properly. Trust our team of IT security specialists to make sure your WordPress website is.
WordPress sites across the web have recently been targeted by an extensive distributed brute force attack. The attack attempts to gain access to the administrator account on WordPress sites by systematically running through a variety of password iterations. Since the attack originates from thousands of different IP addresses, it is difficult to block at the network level.
Last night the attack impacted performance for several websites across the Internet, regardless of whether WordPress was installed on their site. Our IT security and support teams have taken several proactive measures to mitigate the threat to the client websites our team protects. In some cases, we temporarily disabled the ability to log in to WordPress sites that were under attack – which also protected these sites from being compromised. As of this morning, April 11, 2013, all servers are back to normal performance levels and login functionality has been restored.
If you have installed WordPress on your site please take a minute or two to make sure your site is protected against attacks like this one. Here are some basic security tips:
- The easiest thing you can do to increase the security of your site is to change both the admin username and password. By default, the administrator login name is set to “admin” – and most brute force scripts have this ID and some basic variations (e.g. administrator, root, test, etc…) hardcoded as the accounts they attempt to break into. Change the username for your administrator account to something that cannot be guessed.
- Make sure your password is strong. You know the drill: more than 8 characters, letters and numbers, no English words, no dates, mixture of capitals and lower case. Consider using a random password generator and a secure password manager to store it so you don’t have to memorize it.
- Install a security enhancing plug-in. The core WordPress application lacks some basic security features, such as the ability to limit the number of failed login attempts. Fortunately, you can add functionality like this via some popular plug-ins:
  - Bad Behavior: http://wordpress.org/extend/plugins/bad-behavior/
  - Better WP Security: http://wordpress.org/extend/plugins/better-wp-security/
  - Limit Log-in Attempts: http://wordpress.org/extend/plugins/limit-login-attempts/
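The plug-ins above enforce a per-IP limit on failed logins, but the attack described above came from thousands of addresses, each making only a few attempts, which is exactly the pattern a per-IP limit misses. The script below is an added example (not part of this post and not code from any of the plug-ins named) showing how both views can be taken from an ordinary web server access log: a per-IP sliding window that would flag a single noisy source, and a site-wide window that counts attempts and distinct sources together so a distributed attack is still visible. It assumes the Apache/nginx "combined" log format and uses the heuristic that a POST to /wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form), while a successful login answers with a 302 redirect. The sample log lines are constructed for the example and use reserved documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the Apache/nginx "combined" access-log format (assumed input format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _log(ip, sec, method, path, status):
    # Builds one constructed log line at 11/Apr/2013 03:00:<sec> UTC (sample data, not a real server).
    return (f'{ip} - - [11/Apr/2013:03:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one noisy IP (5 failures), eight distributed IPs (1 failure each),
# one genuine login (302) followed by a normal admin page view, and one unparseable line.
SAMPLE_LOG = "\n".join(
    [_log("203.0.113.10", s, "POST", "/wp-login.php", 200) for s in (1, 3, 5, 7, 9)]
    + [_log(f"198.51.100.{n}", 9 + n, "POST", "/wp-login.php", 200) for n in range(1, 9)]
    + [_log("192.0.2.50", 20, "POST", "/wp-login.php", 302),
       _log("192.0.2.50", 21, "GET", "/wp-admin/", 200),
       "garbage line that does not parse"]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_login_events(log_text):
    """Return a time-sorted list of (timestamp, ip) for likely failed WordPress logins.

    Heuristic: POST /wp-login.php answered with 200 means the form was re-rendered
    with an error; a successful login answers 302, so it is not counted.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php") and rec["status"] == 200):
            events.append((rec["ts"], rec["ip"]))
    events.sort()
    return events


def noisy_ips(events, max_attempts=4, window=timedelta(minutes=5)):
    """Per-IP sliding window: the set of IPs with more than max_attempts failures in window.

    This is the view a limit-login-attempts plug-in has; one source at a time.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            flagged.add(ip)
    return flagged


def peak_window(events, window=timedelta(minutes=1)):
    """Site-wide sliding window: (failures, distinct_ips) for the busiest window.

    A high failure count spread over many distinct IPs, none of which trips the
    per-IP limit, is the signature of a distributed brute force attack.
    """
    q = deque()
    best = (0, 0)
    for ts, ip in events:
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()
        best = max(best, (len(q), len({i for _, i in q})))
    return best


if __name__ == "__main__":
    evts = failed_login_events(SAMPLE_LOG)
    print("failed logins:", len(evts))
    print("noisy IPs (per-IP limit would catch):", sorted(noisy_ips(evts)))
    attempts, sources = peak_window(evts)
    print(f"busiest minute: {attempts} failures from {sources} distinct IPs")
```

On the sample, the per-IP check flags only 203.0.113.10; the eight single-attempt sources pass it, yet the site-wide window shows 13 failures from 9 addresses in under a minute. In practice the per-IP result feeds a temporary block, while the site-wide result is the alert that justifies a broader response such as the temporary login lock-out described above.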
Our IT service professionals will stay vigilant and will continue to proactively respond to any security threats as they arise. Although this attack is particularly extensive, it is unfortunately not uncommon. The single most important thing you can do to protect any aspect of your account (e-mail, FTP, other web apps, etc…) is to use very strong passwords, and insist that your clients / users do the same.
Do you have any questions? Contact our team of IT professionals today.