After a quick hit last week and a slow down for a few days it seems the brute force attack that is targeting WordPress based sites has stepped up its pace once again.
Now attacks on websites, including WordPress based ones, are nothing new. Every day there are attempts on sites to gain unauthorized access, just as there are attempts to get your personal info through various phishing methods. Anyone who maintains or is responsible for a website should be making sure it is up to date each and every day. They also need to ensure the users of the website, especially those whose credentials allow them a higher level of access to the operations of the site, practice good security awareness when it comes to the passwords they use and the protection of the systems they use to access the site.
The news of this current, apparently large scale attack is all over the web and has even resulted in comments from Matt Mullenweg, the founding developer of WordPress. Here are several of the stories popping up about this attack:
- Passwords and Brute Force (Matt Mullenweg)
- Patching the Internet in Realtime: Fixing the Current WordPress Brute Force Attack (CloudFlare)
- Global WordPress Brute Force Flood (HostGator)
- Brute force attacks on WordPress continue as CloudFlare fends off 60m requests in 1 hour (The Next Web)
- Huge attack on WordPress sites could spawn never-before-seen super botnet (ARS Technica)
So what steps can you take to help protect your WordPress based site? Here are a few mentioned in the above stories about the current attack and a couple I have added:
- Do not use the default admin user name for your main admin account on any installation
- No easy passwords. Use randomized passwords that use a variety of upper case, lower case, numbers and special characters. Make them as long as your setup will allow them to be as well. If you are worried about keeping track of all of these randomized passwords then check out one of the available password managers out there. There are even WordPress plugins that will enforce strong password rules if you want to formally implement that option.
- Use a plugin that will limit multiple attempts to login with an incorrect username and password from the same IP address. Many of the above stories recommend the Limit Login Attempts plugin. The Limit Login Attempts plugin will even email the site admin if anyone gets blocked after multiple login attempts.
- Review the list of registered users on your site. If a user was previously granted higher level access to the site and has since become inactive, downgrade their user rights to the lowest level. If they miss that access then without any doubt they will be in touch to ask you to restore it.
- Make sure your WordPress site is running the latest release of the software. The WordPress developers are very conscientious about addressing security issues quickly once they have been identified.
The more steps you take to secure your site and practice good security awareness the safer you will be out there on the net.