If your site is on WordPress — pay attention! I Tweeted about this yesterday which produced a flood of questions about what was going on and “what to do”.
This month there has been a concentrated effort to go after WordPress sites with a brute force bot attack. One of my sites was caught in the beginning stages of this attack. Being my site’s are secured, the site was not hacked and this effort was only was a resource drain on my server — which caused a different set of problems.
This weekend, a large network of over 90,000 IP addresses have ramped up their use of a brute force attack to target WordPress Blog installations primarily looking for Blogs using the default username “admin”.
Change Your “admin” Username and Strengthen Your Password
If you still have a user account with the username “admin” or if you are still using that account as your primary login, this is what you need to do — right now! Everyone I work with is advised to ditch that account and setup a new “admin” with a different username. Some do; many don’t. If you still have that account in place and haven’t had your site compromised yet, you are on borrowed time.
First, login and setup a new admin account with your new username. Choose a password that is at least 8 characters long that includes: small case, UPPER CASE, numbers and special characters (^%$#&@*). Log out. Then log back in with your new admin account and delete the old.
There are a couple plugins I use that you can also add to further secure your site:
- Limit Login Attempts Plugin: Limit rate of login attempts, including by way of cookies, for each IP.
- Better WordPress Security: The easiest, most effective way to secure WordPress. Improve the security of any WordPress site in seconds.
If you want to know more and discover additional options and practices to get in place, check out this article on KrebsonSecurity Brute Force Attacks Build WordPress Botnet — everything you need to know.
At your service,