I wanted to bring this to your attention today (April 14th, 2013). A MAJOR distributed Brute Force Login attack is being perpetrated on every server where WordPress is installed. This is an on-going and highly-distributed, global attack across virtually every web host in existence.
The attack is well organized and over 90,000 IP addresses are involved in the attack.
Statistics and research are showing that the number of such attacks on sites has tripled this month.
Should You Be Concerned?
Probably. The biggest WordPress vulnerability is you. Far too many people use weak passwords for their sites, and you’d be surprised just how many blogs out there use “admin” as their username. So you, as a WordPress user, have to do your part in choosing a blog username and password that are strong. That means using long strings (8+ characters) with a mix of upper and lowercase letters, numbers and symbols like @, #, $, *, etc.
Keep a record of your usernames and passwords so you can copy and paste them into your blog login page. Then look at adding some security plugins to your site to better protect it.
Has Your Site Been Affected?
Have you found it difficult to log into your blog in the last few days or seen some odd behavior with it? If so, then it’s possible that your blog is under attack or that your webhost’s servers are under attack and they’re taking some remedial action to mitigate any damage – this may include temporarily blocking webmasters from logging into their sites.
Here’s what Hostgator had to say about what they’re doing:
We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
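To check your own site for the pattern described under "Has Your Site Been Affected?", the following added example (not part of the original post) counts login POSTs in a web server access log. It assumes the combined log format and the standard WordPress login path `wp-login.php`; the thresholds and sample lines are constructed for illustration. Because the attack is spread over many addresses, it reports busy minutes as well as noisy individual IPs.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def login_posts(lines):
    """Yield (ip, minute) for every POST to wp-login.php; skip unparsable lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            yield ip, ts[:17]  # "14/Apr/2013:10:02:31 +0000" -> "14/Apr/2013:10:02"

def summarize(lines, per_ip_limit=5, per_minute_limit=10):
    """Summarize login attempts. Both limits are illustrative assumptions."""
    per_ip = Counter()
    per_minute = defaultdict(list)
    for ip, minute in login_posts(lines):
        per_ip[ip] += 1
        per_minute[minute].append(ip)
    # A distributed attack shows many attempts per minute from many sources,
    # even though no single source exceeds the per-IP limit.
    busy = {m: len(set(ips)) for m, ips in per_minute.items()
            if len(ips) >= per_minute_limit}
    return {
        "attempts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        "busy_minutes": busy,  # minute -> number of distinct source IPs
    }

def sample_log():
    """Constructed sample: 12 sources, one login POST each, inside one minute."""
    fmt = '{ip} - - [14/Apr/2013:10:02:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    lines = [fmt.format(ip=f"203.0.113.{i}", s=i, req="POST /wp-login.php", st=200)
             for i in range(1, 13)]
    lines.append(fmt.format(ip="198.51.100.7", s=40, req="GET /wp-login.php", st=200))
    lines.append(fmt.format(ip="198.51.100.7", s=45, req="POST /wp-login.php", st=302))
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    print(summarize(sample_log()))
```

On the sample, no address trips the per-IP limit, yet the minute is flagged, which is why per-IP blocking alone does little against an attack spread over this many addresses.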
Here are some articles relating to the attack that have been posted on various sites. They’re worth reading if you want to know more about the attack:
- Global WordPress Brute Force Flood – posted on Hostgator
- Mass WordPress Brute Force Attacks? – Myth or Reality – posted on Sucuri
- WordPress Brute Force Attack – posted on Hosting Discussion Forum
- Brute Force Attacks Build WordPress Botnet – posted on Krebs On Security
- Major brute force attack against WordPress underway – posted on Silicon Republic
Forever Affiliate members will know I offer a blog building service through this forum thread. I’ve added a new blog-building option to my page (link in forum thread) for building secure blogs for those who don’t know how to build such blogs.