Matt Mullenweg (WordPress founder) recently posted in his blog “Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem)…”

Here’s what we know. We currently lease a large, high speed server for the 53 WordPress websites we manage for our clients. On Thursday April 11, around 12 noon we noticed the server response time was slightly slower than usual. When we checked our server load we found it to be significantly higher than normal. Upon further investigation we noticed a large number of hits to the file wp-login.php on nearly every website on the server. We immediately called our server farm. We were informed this was occurring on every server in the farm with WordPress installations. Needless to say we dropped everything to ensure all of our wordpress installations were secure.

While there have been many reports about these attacks floating around the internet, it wasn’t until today we received verification from credible sources as to the nature of these attacks. Around 6:00am ET today, BBC News released a report stating “WordPress has been attacked by a botnet of ‘tens of thousands’ of individual computers since last week, according to server hosters Cloudflare and Hostgator.” This evening, NBC news released its report stating “WordPress, a popular blogging platform used by individuals as well as big businesses including UPS and eBay, is the target of a widespread botnet attack.” NBC news continues by saying “The vulnerability that allows hackers to get into WordPress accounts and take them over for other purposes: user accounts where the word “admin” is the username. The advice for immediate action: Change admin to a different — and much stronger — username immediately.” Unfortunately, while this is great advise it will not completely protect your WordPress installation from this attack.

The clincher is the alert we just received from The Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT). In their alert, The Department of Homeland Security stated “US-CERT is aware of an ongoing campaign targeting the content management software WordPress, a free and open source blogging tool and web publishing platform based on PHP and MySQL. All hosting providers offering WordPress for web content management are potentially targets. Hackers reportedly are utilizing over 90,000 servers to compromise websites’ administrator panels by exploiting hosts with “admin” as account name, and weak passwords which are being resolved through brute force attack methods.” They go on to say “CloudFlare, a web performance and security startup, has to block 60 million requests against its WordPress customers within one hour elapse time. The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses. A CloudFlare spokesman asserted that if hackers successfully control WordPress servers, potential damage and service disruption could exceed common distributed denial of service (DDoS) attack defenses. As a mitigating strategy, HostGator, a web hosting company used for WordPress, has recommended users log into their WordPress accounts and change them to more secure passwords.”

While we have much respect for Matt Mullenweg, his attempt to downplay this attack is both foolish and dangerous. This attack is real and widespread. If you have a website powered by WordPress, you need to take steps to secure your installation now! Here is the minimum you should do to secure you website:

1. Make sure your WordPress installation and all of your installed plugins are updated.
2. Make sure your administrator’s password is secure. We recommend at least a twelve character password with at least one lower case letter, at least one capital letter, and at least one number.
3. If you have a user account with the username “admin”, create a new administrator account with a different username and remove the old “admin” account.
4. Install the security plugin WP Better Security. Activate the plugin. Go to the settings page and set up the plugin with the “basic” settings.

Completing the above steps will protect your website from being hacked, however do to the large number of ip address used by the hackers, you will still be vulnerable to hacking attempts. As we stated in our previous posts, the hacking attempts can put an extremely high load on your server causing your website to load slowly, and possibly crashing the server. The WP Better Security settings need to be tweaked to further protect your website from this threa.  We will post the details of these tweaks in an update tomorrow.

Our reply to Matt, there is a real news story here because the internet is facing a serious threat, and we are not selling a solution. The solution is in the above steps and the FREE plugin WP Better Security. Also, we do not have any association with the developers of the above plugin. We just know it works and want to help protect the internet for everyone.

If you manage or own a website on a content management systems (CMS) you know that invalid login attempts are an everyday occurrence. We see literally thousands of invalid login attempts from dozens of different IP addresses in the course of any given day. This is considered normal. However hosting providers worldwide are reporting they are seeing a systematic, well organized attack. The attacks on content management systems are well above average and often times at catastrophic levels.

This attack started on or about April 8th, but the hackers became extremely aggressive overnight on April 12th. They have already shut down 10’s of thousands of servers running WordPress. They have also affected the performance of many other servers. The attack started with WordPress installations, according to Sophos EndUser Protection (a major player in the web security industry), Joomla and Drupal website are now also getting hit.

The attack began with a botnet made up of at least 90,000 hacked home based computers. This is not a “brute force” attack like we see every day. This onslaught is using what is known as a “dictionary” attack. This is where the hacker uses a list of the most likely usernames and possible passwords and tries those in very quick succession. Even when the attack fails, the load the attacks on multiple websites puts on a server can cause it to crash.

The early indications are that hackers are installing malicious scripts in the content management systems that have been compromised. These malicious scripts turns the infected website into an attacker to hack other websites. This is the reason this attack is going viral. According to Matthew Prince, the chief executive of web hosting company CloudFlare, these hackers are causing much more damage because the infected servers have large network connections and are capable of generating significant amounts of traffic for the attackers.

If you have not already done so, we strongly recommend you take the following steps to protect your wordpress installation:

• Make sure your WordPress installation and all of your installed plugins are updated
• Make sure your administrator’s password is secure
• If you have a user account with the username “admin”, create a new administrator account with a different username and remove that old “admin” account
• Install the security plugin WP Better Security
• Other ways of securing a WordPress website can be found here; https://codex.WordPress.org/Hardening_WordPress

These additional steps can be taken to further secure WordPress websites:

• Remove README and license files. This is very important since this exposes version information
• Prevent reading of the htaccess file
• Limit access to wp-admin.php and wp-login.php to your IP address
• Move wp-config.php up one directory and change its permission to 400

We will continue to monitor this attack and we will post updates as more information becomes available.