Matt Mullenweg (WordPress founder) recently posted in his blog "Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem)..."
Here's what we know. We currently lease a large, high speed server for the 53 WordPress websites we manage for our clients. On Thursday April 11, around 12 noon we noticed the server response time was slightly slower than usual. When we checked our server load we found it to be significantly higher than normal. Upon further investigation we noticed a large number of hits to the file wp-login.php on nearly every website on the server. We immediately called our server farm. We were informed this was occurring on every server in the farm with WordPress installations. Needless to say we dropped everything to ensure all of our wordpress installations were secure.
While there have been many reports about these attacks floating around the internet, it wasn't until today we received verification from credible sources as to the nature of these attacks. Around 6:00am ET today, BBC News released a report stating "Wordpress has been attacked by a botnet of 'tens of thousands' of individual computers since last week, according to server hosters Cloudflare and Hostgator." This evening, NBC news released its report stating "WordPress, a popular blogging platform used by individuals as well as big businesses including UPS and eBay, is the target of a widespread botnet attack." NBC news continues by saying "The vulnerability that allows hackers to get into WordPress accounts and take them over for other purposes: user accounts where the word "admin" is the username. The advice for immediate action: Change admin to a different — and much stronger — username immediately." Unfortunately, while this is great advise it will not completely protect your WordPress installation from this attack.
The clincher is the alert we just received from The Department of Homeland Security's Computer Emergency Readiness Team (US-CERT). In their alert, The Department of Homeland Security stated "US-CERT is aware of an ongoing campaign targeting the content management software WordPress, a free and open source blogging tool and web publishing platform based on PHP and MySQL. All hosting providers offering WordPress for web content management are potentially targets. Hackers reportedly are utilizing over 90,000 servers to compromise websites’ administrator panels by exploiting hosts with “admin” as account name, and weak passwords which are being resolved through brute force attack methods." They go on to say "CloudFlare, a web performance and security startup, has to block 60 million requests against its WordPress customers within one hour elapse time. The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses. A CloudFlare spokesman asserted that if hackers successfully control WordPress servers, potential damage and service disruption could exceed common distributed denial of service (DDoS) attack defenses. As a mitigating strategy, HostGator, a web hosting company used for WordPress, has recommended users log into their WordPress accounts and change them to more secure passwords."
While we have much respect for Matt Mullenweg, his attempt to downplay this attack is both foolish and dangerous. This attack is real and widespread. If you have a website powered by WordPress, you need to take steps to secure your installation now! Here is the minimum you should do to secure you website:
- Make sure your WordPress installation and all of your installed plugins are updated.
- Make sure your administrator’s password is secure. We recommend at least a twelve character password with at least one lower case letter, at least one capital letter, and at least one number.
- If you have a user account with the username “admin”, create a new administrator account with a different username and remove the old “admin” account.
- Install the security plugin WP Better Security. Activate the plugin. Go to the settings page and set up the plugin with the "basic" settings.
Completing the above steps will protect your website from being hacked, however do to the large number of ip address used by the hackers, you will still be vulnerable to hacking attempts. As we stated in our previous posts, the hacking attempts can put an extremely high load on your server causing your website to load slowly, and possibly crashing the server. The WP Better Security settings need to be tweaked to further protect your website from this threa. We will post the details of these tweaks in an update tomorrow.
Our reply to Matt, there is a real news story here because the internet is facing a serious threat, and we are not selling a solution. The solution is in the above steps and the FREE plugin WP Better Security. Also, we do not have any association with the developers of the above plugin. We just know it works and want to help protect the internet for everyone.