The WordPress platform, used by millions of bloggers and businesses, has been under a massive brute-force attack over the past week. Some are speculating that this WordPress attack is just the start of something much bigger. So far, according to TechNewsDaily, “90,000 WordPress blogs” have been attacked.
Think a WordPress Attack Isn’t Going to Happen To You?
The primary point of entry has been the login panel, specifically logins that use “admin” as the username. We all know that keeping default settings is never a good idea. So why do we do it? Are we lazy? Or do we just think that a WordPress attack is not going to happen to us?
Regardless of your answer, the events of this week need to wake all of us up. This can no longer be ignored. We need to take responsibility and secure our websites ourselves. Think of the countless hours of work that have been put in and that can be demolished in seconds.
Can a Default Username Lead To a WordPress Attack?
Matt Mullenweg, one of PC World’s Top 50 People on the Web and one of the founders of WordPress, says, “almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using ‘admin’ as their default username”. So what’s happened? Have people forgotten, or is it the huge number of new users who may never have been alerted to this problem?
Matt recommends that “if you still use ‘admin’ as a username on your blog, change it, use a strong password… and of course make sure you’re up-to-date on the latest version of WordPress”.
What Do Hackers Want?
One of the bigger questions with this week’s botnet kerfuffle has been around motivation. What do the hackers want? TechNewsDaily reports, “the ultimate goal of the botnet is a mystery; having administrative access to a number of blogs is not that useful in and of itself…however, a network of more than 90,000 compromised machines can wreak all sorts of havoc, especially in denial-of-service attacks”.
Preventing a WordPress Attack
InformationWeekSecurity, which also reported on this story, said that “successfully exploited sites get a backdoor installed that provides attackers with ongoing access to the WordPress site, regardless of whether a user subsequently changes the password guessed by attackers…exploited sites are then used to scan for WordPress installations, and launch the same type of attack against those sites”.
They went on to say, “thankfully, a quick solution to the attacks is at hand: ensure no WordPress site uses any of the targeted usernames, which include not just admin and Admin but also ‘test,’ ‘administrator’ and ‘root’”.
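To see whether a site has been on the receiving end of this kind of login guessing, the web server access log is the first place to look. The following is an added example, not code from any of the sources quoted here: it flags source addresses that send bursts of rejected POSTs to /wp-login.php and notes whether a login was accepted afterwards. It assumes Apache/nginx combined log format and that WordPress answers a rejected login with status 200 and an accepted one with a 302 redirect; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def sample_line(ip, sec, method, status):
    """Build one constructed access-log line (combined format)."""
    return (f'{ip} - - [12/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3821 "-" "Mozilla/5.0"')

# Constructed sample traffic, not taken from any real site.
SAMPLE_LOG = "\n".join(
    [sample_line("203.0.113.7", s, "POST", 200) for s in range(0, 12, 2)]  # 6 failures in 10 s
    + [sample_line("203.0.113.7", 14, "POST", 302)]       # then a successful login
    + [sample_line("198.51.100.20", 20, "POST", 200),     # ordinary user: one typo,
       sample_line("198.51.100.20", 30, "POST", 302)]     # then a correct password
    + [sample_line("192.0.2.55", 40, "GET", 200)]         # just loading the form
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "success_after": bool}} for noisy sources."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "200":  # assumption: 200 on POST means the login was rejected
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = report.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif status == "302" and ip in report:  # assumption: 302 means login accepted
            report[ip]["success_after"] = True  # a guess may have worked: investigate
    return report

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A flagged source with `success_after` set deserves more than a password reset, since the report quoted above says exploited sites get a backdoor that survives a password change.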
WordPress Attack Incidents On the Rise
What’s really staggering is the number of attacks. Just read the statement below…
“The WordPress ‘admin’ attacks aren’t new, but they’ve recently tripled in volume. ‘We were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days,’ said Sucuri CTO Daniel Cid in a blog post. That means that the number of brute force attempts has more than tripled” (InformationWeekSecurity).
Secure Your Site Against WordPress Attack
We need a solution and we need one fast. Free plugins are just not going to cut it any longer. It’s time to look to the experts and let them help. PageOneTraffic’s new product, SecureScanPRO, takes care of the problem.
SecureScanPRO scans, fixes and prevents your WordPress sites from being hacked. It is the best solution for non-technical WordPress users. It fixes common issues with a simple click and has a built-in brute-force attack defence system.
Here are the benefits:
- Scans your sites for weaknesses.
- Provides instant 1-click fixes for 12 of the most serious issues.
- Automatically checks core WordPress files against wordpress.org for attacked files.
- Scans and emails you if anything has changed.
- Emails you if anyone tries to hack your site.
- Automatically bans repeated logins.
- Presents a captcha on the login interface to stop brute-force bots.
Available at http://www.securescanpro.com/
Read More:
InformationWeekSecurity at http://www.informationweek.com/security/attacks/wordpress-hackers-exploit-username-admin/240152864
Matt Mullenweg at http://ma.tt/2013/04/passwords-and-brute-force/
TechNewsDaily at http://www.technewsdaily.com/17748-hackers-attack-wordpress-blogs.html