Back in April (2013), a MAJOR distributed Brute Force Login attack was perpetrated on every server where WordPress was installed. This was an on-going and highly-distributed, global attack across virtually every web host in existence that went on for weeks.
The attack was well organized and over 90,000 IP addresses were involved in it.
Statistics and research showed that the number of such attacks on sites tripled that month.
Should You Be Concerned?
Absolutely. Because the the biggest WordPress vulnerability is you. While this attack was the biggest concerted action seen to date, hackers are constantly on the lookout for weaknesses in blogs that they can exploit. Here are some stats:
Far too many people use weak passwords for their sites and you’d be surprised just how many blogs out there use “admin” as their username. So you, as a WordPress user have to do your part in choosing a blog username and password that are strong. That means using long strings (8+ characters) with a mix of upper and lowercase letters, numbers and symbols like @, #, $, *, etc. (I do this in the blogs I build here).
Always keep a record of your usernames and passwords so you can copy and paste them into your blog login page. Then look at adding some security plugins to your site to better protect it (again, this is something I routinely do on the blogs I build for you).
How Do You Know If Your Blog Has Been Hacked?
The obvious clue is if you see a “Hacked By” message on your blog’s home page. Other attacks are more subtle – maybe your blog looks fine but some malicious code has been injected onto it, infecting the PC of everyone who visits your site.
One way of spotting this is if you’ve found it difficult to log into your blog in the last few days or seen some other odd behavior with it? That could be because a hacker has changed the blog login credentials.
Another clue is if your blog is very slow, especially when logging in. In this case, it’s possible that your blog is under attack or that your webhost’s servers are under attack and they’re taking some remedial action to mitigate any damage – this may include temporarily blocking webmasters from logging into their sites.
Here’s what Hostgator had to say about what they were doing during the April attack:
We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
Here are some articles relating to the attack that were posted on various sites. They’re worth reading if you want to know more about the attack:
- Global WordPress Brute Force Flood – posted on Hostgator
- Mass WordPress Brute Force Attacks? – Myth or Reality – posted on Sucuri
- WordPress Brute Force Attack – posted on Hosting Discussion Forum
- Brute Force Attacks Build WordPress Botnet – posted on Krebs On Security
- Major brute force attack against WordPress underway – posted on Silicon Republic
Securing Your WordPress Blogs
So you can’t be complacent about your WordPress sites. It’s easy to accept default settings and simply use the “admin” username and a ridiculously easy password (like “123456“) when installing WordPress through your cPanel with Fantastico or Softalicious.
You need to not just think of your blog as simply “yours” but you should also have an attitude of responsibility towards your readers. You wouldn’t want your PC to get infected by visiting someone else’s blog so you should care that your visitors aren’t compromised by a visit to your blog.
The blogs I build all use premium security plugins and other strategies to thwart hack attacks. If you’ve ever lost a blog to a hack or spent the time recovering from one, you’ll know that it can be a costly business; you either lose a lot of time repairing a blog and/or you lose income because a blog is no longer earning money or worse, is lining the hacker’s pocket.
So take WordPress security issues seriously. If you want to find out more about my own experiences and how to protect and recover blogs from attacks, you can always read my WordPress Defender book.
Next Article: Review of The SecureScanPro WordPress Security Plugin
Filed under: WordPress Security