If you haven’t heard it in the news already, hackers have been laying a massive, global siege on WordPress sites across the Internet. Their main focus is the default “admin” account WordPress sets up for you when you first start out, whose password they try to guess. If they gain access to your site, that foothold could let them take control of your server.
Host Gator has run analytical reports and believes more than 90,000 IP addresses have been involved in this dictionary attack. According to TechCrunch, CloudFlare CEO Matthew Prince believes the attackers are using a botnet of some 100,000 bots for their strikes.
CloudFlare believes these attacks are being carried out using only low-powered home PCs, but expects that the attackers’ intention is to build a much larger botnet of compromised servers in order to carry out bigger attacks in the future.
Steps to keep your site from being compromised:
1. Choose a stronger password.
2. Install one of the several WordPress plugins that help ward off these attacks.
An email was issued this morning by Mark Maunder, CEO of Wordfence, also suggesting that you make sure you’ve “disabled and deleted all unused themes and plugins”. Read the full email below.
Dear WordPress Publisher,
I'm sure you've seen the news reports during the last 72+ hours about a "massive" "global" "distributed" brute force attack on WordPress systems.
Brute force attacks are ongoing, and this is simply an increase in frequency. To protect yourself, make sure all default accounts like "admin" have been deleted or renamed and that your passwords are very difficult to guess. A brute-force attack is a relatively unsophisticated attack where one or more remote machines try to guess your password.
The more successful attacks are attacks where a back-door known only to a hacker (a zero day vulnerability) is exploited to gain access to your system without logging in. The Timthumb vulnerability which I discovered and fixed last year is an example of this. I haven't seen any reports of a new "zero day" vulnerability being exploited in this attack.
The nature of the attack does suggest that a large portion of the brute force attacks currently underway may be originating from an individual or a single group. If successful this will result in a single individual or group having access to a large distributed network of compromised WordPress servers on relatively high bandwidth links. They can then launch further attacks from this platform. However, whether the attacks are being orchestrated by one person or one group should not affect how you protect yourself.
In this case:
1. Make sure your "admin" account has been renamed.
2. Make sure all your passwords are difficult to guess.
3. Make sure you've disabled and deleted all unused themes and plugins.
Don't be alarmed if you see an increased flow of login attempts on your Wordfence live traffic screen (the Logins and Logouts panel). As long as your passwords are hard to guess and you've removed the "admin" account, you'll most likely be just fine. If you're bored, you can manually block each malicious IP address using Wordfence, or even block the originating networks. But I'm not doing this on my personal sites because I have strong passwords and no admin account.
Wordfence Creator & Feedjit Inc. CEO.
PS: If you aren't already a member you can subscribe to our WordPress Security and Product Updates mailing list here. You're welcome to republish this email in part or in full provided you mention that the source is www.wordfence.com. If you would like to get Wordfence for your WordPress website, simply go to your "Plugin" menu, click "add new" and search for "wordfence".
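The email mentions watching for an increased flow of login attempts. As an added example that is not part of the Wordfence email or of this post, the script below spots the same thing in ordinary Apache/nginx access logs: it counts failed POSTs to wp-login.php per source IP inside a sliding time window and notes whether a successful login followed the burst. It assumes WordPress's default behaviour of answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; the log lines, IPs and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Combined-log fields we need: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a non-matching line."""
    if not (m := LOG_RE.match(line)):
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path.split("?")[0], int(status)

def find_login_bruteforce(lines, threshold=3, window_seconds=60):
    """Flag IPs with >= threshold failed wp-login.php POSTs within any window_seconds span."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "POST" or rec[3] != "/wp-login.php":
            continue
        ip, ts, _, _, status = rec
        if status == 200:    # failed login: WordPress re-renders the form with 200
            failures[ip].append(ts)
        elif status == 302:  # successful login: redirect to wp-admin
            successes[ip].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward so it spans at most window_seconds
            if end - start + 1 >= threshold:
                flagged[ip] = {"failed": len(stamps),
                               "success_after_burst": any(s > ts for s in successes[ip])}
                break
    return flagged

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3852',
    '198.51.100.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3852',
    '198.51.100.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3852',
    '198.51.100.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.44 - - [12/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3852',
    '192.0.2.44 - - [12/Apr/2013:10:06:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3852',
    '192.0.2.44 - - [12/Apr/2013:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3852',
]
```

Running `find_login_bruteforce(SAMPLE_LOG)` flags only 198.51.100.7 (three failures in three seconds followed by a 302, the case worth looking at first); 192.0.2.44 spreads its failures 90 seconds apart and never fills the 60-second window, and 203.0.113.9 is an ordinary successful login.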
Despite the current attack, WordPress remains a leading website platform across several industries. If you need quick guidance on changing your username from “admin” to something new, follow the steps below.
To rename your WordPress ‘admin’ user:
- Sign in as ‘admin’.
- Create a new user using the steps below.
- Choose a hard-to-guess username, but don’t make it so difficult that you’ll forget it.
- Make that user’s role “administrator”.
- Choose a password that has upper and lower-case letters and numbers in it. Symbols are OK too. Never use the word ‘password’ in your password, even if it has a different case and includes numbers.
- Click “Add new user”.
- Sign out as ‘admin’.
- Sign in as the new user.
- Delete your old ‘admin’ user and assign all posts/pages/comments to your new admin user.
- Congratulations, you now have a more secure WordPress system.
Instructions provided by Wordfence
If you need further help, feel free to contact us and we’ll be happy to assist you.