The Next Web reports:
Hosting providers around the world are seeing a massive increase in brute force attacks against WordPress and Joomla sites. Attackers are looking to gain access to and compromise accounts, but failing that, they are slowing down their targets or even rendering them unavailable as they exhaust the sites’ resources.
Sucuri, a security firm specializing in website malware, published findings from their logs that showed a sharp increase in the number of blocked attacks on websites: from 30,000 to 40,000 a day to an average of 77,000 per day, and up to 100,000 in recent days. Their logs also showed attempts to log into websites with usernames of admin, Admin, administrator, root, and test with passwords like 123456, admin, and password.
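The Sucuri numbers above come from attempts blocked at the web-server layer. As an added example (not part of the original post and not Sucuri's or WordPress's own tooling), the Python script below scans combined-format access log lines for bursts of POST requests to /wp-login.php from a single client address, which is what a password-guessing botnet looks like from the server side. The log lines, addresses, threshold and time window are all constructed for the demonstration. Note that the script cannot see the attempted usernames or passwords listed above: those travel in the POST body, which a normal access log does not record.

```python
"""Spot wp-login.php brute-force bursts in web-server access logs.

Added example: scans Apache/Nginx combined-format log lines for POST
requests to /wp-login.php, counts them per client IP within a sliding
time window, and reports addresses that exceed a threshold.
The sample log lines and thresholds below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        # Drop the query string so /wp-login.php?action=... still matches.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_attempts} for IPs whose POSTs to /wp-login.php
    reach `threshold` within any `window`. Lines are assumed to be in
    chronological order, as a log file normally is."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Slide the window: forget attempts older than `window`.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


# Constructed sample: 203.0.113.5 hammers the login form six times in 20
# seconds; 198.51.100.7 browses the site and logs in once.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:03:14:10 +0000] "GET / HTTP/1.1" 200 12034 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:03:14:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:03:14:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:03:14:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:03:15:02 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, peak in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login attempts within one minute")
```

On a real site, point it at the web server's access log and feed the offending addresses to whatever blocking you already use (a firewall rule, a web application firewall, or a login-limiting plugin); a legitimate administrator who mistypes a password a couple of times stays well under the threshold.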
Matt Mullenweg, a founding developer of WordPress, had this to say:
Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Matt continues with recommendations on what to do now. He suggests changing the “admin” username, using a strong password, and making sure WordPress and all plugins are up to date.
What am I doing about all this, you wonder? Well, I’ve already done it. Last night, a late night I might add, I changed every single WordPress website that High Aspirations, Inc. maintains or has in development to no longer use “admin” as the administrator account. I also changed all the passwords to a ridiculous combination of upper and lower case letters, numbers, and symbols. All clients will be emailed with the new account information later today.
My next step will be to update WordPress and any plugins. I’m pretty sure all websites are already running the latest version of WordPress, but I know there have been some plugins updated recently. As you know, we do this on a regular basis for all clients on maintenance. It is now a priority job and will be completed as soon as possible.
If your website isn’t on maintenance and you would like us to take care of changing the administrator account, updating the password, and updating the site’s software, please do not hesitate to contact us.
If you’d like to read more about the brute force attacks and the botnet currently running wild on WordPress websites, please check out the following articles, the first three of which are referenced in this post:
- Check your security settings: Brute force attacks against WordPress and Joomla sites have tripled at The Next Web
- Mass WordPress Brute Force Attacks? – Myth or Reality at Sucuri
- Passwords and Brute Force by Matt Mullenweg
- Brute Force Attacks and Their Consequences at Sucuri