As Microsoft have experienced over the last couple of decades, popularity brings with it hackers and other nefarious people targeting your platform in an attempt to breach its security. WordPress is now estimated to be running on around 17% of the world’s websites, and a new botnet of “tens of thousands” of individual computers has been reported to be attempting to brute-force users’ admin accounts.
Observers speculate that the attack is an attempt to build a formidable botnet of compromised WordPress accounts that is likely to be used in a much larger attack. The botnet attempts to log in with the (old default) “admin” username and thousands of common passwords. Web host HostGator said it had seen more than 90,000 IP addresses involved in the attack. “The attack is well organized and very distributed,” engineer Sean Valant stated on the company’s Gator Crossing blog.
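The pattern described above, thousands of login attempts spread across many source addresses, is visible in an ordinary web server access log. The following is an added example (not from the original post or from HostGator) that scans combined-format log lines for POSTs to WordPress’s login endpoint and reports two signals: many distinct IPs failing within one window, and any single IP failing repeatedly. The log lines are constructed, and the code assumes the usual WordPress behaviour where a failed login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import Counter
from datetime import datetime

# Combined-format access log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def login_attempts(log_text):
    """Yield (ip, timestamp, status) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith("/wp-login.php"):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts, int(m.group("status"))

def detect_bruteforce(log_text, window_seconds=60, min_distinct_ips=5, min_failures_per_ip=3):
    """Flag a distributed attack (many distinct IPs failing inside one window) and
    single noisy IPs. Assumption: a failed login answers 200 (form re-rendered),
    a successful login answers 302 (redirect to the dashboard)."""
    attempts = list(login_attempts(log_text))
    failures = sorted(((ip, ts) for ip, ts, st in attempts if st == 200), key=lambda x: x[1])
    # Peak number of distinct failing IPs in any window (quadratic, fine for a log excerpt).
    peak = max((len({ip for ip, t in failures if 0 <= (t - t0).total_seconds() <= window_seconds})
                for _, t0 in failures), default=0)
    per_ip = Counter(ip for ip, _ in failures)
    return {
        "peak_distinct_failing_ips": peak,
        "distributed": peak >= min_distinct_ips,
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n >= min_failures_per_ip),
        "successful_logins": sorted({ip for ip, _, st in attempts if st == 302}),
    }

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On the sample the distributed signal fires (five distinct IPs failing within seconds) and 203.0.113.10 is listed as a noisy single source; the successful-login list is what to compare against known administrators after an attack.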
As of WordPress 3.0, which was released almost three years ago (time flies!), users have been able to pick a custom username on installation. This should mean that the majority of new WordPress websites no longer use the default “admin” username that this botnet has been targeting. However, on many sites set up before the 3.0 update, the default admin account has probably never been changed.
Matthew Mullenweg, a founding developer of WordPress, has commented on the situation, recommending that users change the default “admin” username if they haven’t already done so, set a strong password, and make sure they’re running the latest version of WordPress. This, he states, should put you “ahead of 99% of sites out there and [mean you will] probably never have a problem”. It also means you can avoid shelling out for the costly “solutions” that many companies will try to advertise as necessary when they are not.
This type of attack is of course not limited to WordPress; any account with a common username and/or password is exposed to it. Users are advised to use a mix of lower- and uppercase letters, numbers and symbols in their passwords and to change them on a regular basis. You should also avoid reusing the same password on multiple websites.
Thanks for reading,