Over the past few days, hackers have been running a ‘brute force’ attack on thousands of WordPress sites across the world and this has naturally caused some panic amongst WordPress users. So we thought it would be helpful to quickly explain what this attack is, why WordPress has been targeted, how it might affect you and how to protect your WordPress website against it.
What is a Brute Force Attack?
A brute force attack is when an attacker tries to get into your website by guessing your username and password. Because the guessing is automated, a single machine can try many passwords per second and a botnet many more, so thousands or millions of combinations can be tried in the hope that one of them works. If a guess succeeds, the attacker has an administrator login and, through the plugin and theme editors, the ability to run code on your server; if every guess fails, your site is largely unaffected apart from the extra traffic the attempts generate.
Why has WordPress been targeted?
There are two broad reasons why hackers would choose to target WordPress for this type of attack:
- WordPress is the world’s most popular CMS, powering 17% of the web. If you want to wreak havoc on the web, then you will naturally attack the most popular system
- Until WordPress 3.0 the installer created the administrator account as ‘admin’ without asking, and a great many sites still have that account. For those sites the attackers only need to guess the password, not the username. Similarly, the login form lives at a well-known address (yourwebsite.com/wp-login.php, which is where /wp-admin redirects you), so they know exactly where to send their guesses.
How might the WP botnet attack affect you?
There are a few ways that this attack can affect you:
- If the attackers successfully guess your username and password, they can log in with administrator rights and do whatever they came to do, which usually means installing a backdoor so that they keep that access even after you change the password
- If the attack is on a large scale, with thousands of machines sending login requests to your site in quick succession, the load alone can slow down or crash your server: every attempt makes WordPress run PHP and hash the submitted password, whether or not the guess is right
- Your hosting company might lock down the WordPress login page for everyone, inadvertently locking you out along with the attackers
How can you protect your website against the botnet attack?
Protecting yourself against this attack is relatively simple, as it is really just a case of removing yourself from the pool of easy targets that the hacker is hoping to exploit. Here are a few suggestions:
- Don’t use ‘admin’ as a username on your site. When you create a new WordPress site you can choose any admin username, so be imaginative. If the site already exists, create a new administrator with a different username, log in as that user and then delete the original ‘admin’ account. Be sure to tick the option to assign its content to the new administrator rather than delete it. Bear in mind that WordPress author archive URLs can reveal the login name of anyone who has published posts, so treat this as removing the most obvious guess rather than as keeping the username secret.
- Use a strong password. It sounds obvious, but if your password is ‘password123’, or a dictionary word with a digit on the end, it is in the list every attacker tries first. Use a long passphrase that you do not use anywhere else, and let a password manager remember it for you.
- Change the WordPress login URL from /wp-login.php (and /wp-admin/) to something else. That way you minimise the chances of a mass scan, which simply posts guesses to the standard address, finding your login page at all. Plugins such as Stealth Login Page and Better WP Security can do this. Be clear about what it buys you: it is obscurity, not a lock, so it does nothing once an attacker finds the new address, and xmlrpc.php will still accept a username and password unless it is restricted as well.
- Use two-factor authentication. This means that in addition to your username and password you also need a one-time code from a token or phone, as you do for your online bank, so a guessed password on its own is not enough to log in. WordPress.com has recently introduced this feature, and self-hosted WordPress users can add it with plugins such as Duo, Google Authenticator or Authy. Of everything on this list, this is the measure that still protects you if the password is eventually guessed.
- If your hosting company has locked you out, talk to them and find out how to get it unlocked. Most probably they will ask you to apply one or all of the above tips.
WordPress founder Matt Mullenweg has stated that “Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP [address] a second for 24 hours)”
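To make Mullenweg’s point concrete, and to show what the server-load effect described above actually looks like in a log, here is an added example that is not code from the original post, from WordPress or from any of the plugins mentioned. It parses a constructed Apache common-log-format access log (the sample lines are made up for this example), applies the per-IP rule a typical login-throttling plugin uses, and then counts login attempts across all sources. The assumptions are: attempts are POSTs to /wp-login.php, a failed login is rendered with HTTP 200 and a successful one is a 302 redirect into /wp-admin/ (which is how wp-login.php behaves), and the thresholds are five attempts in sixty seconds.

```python
"""Spot wp-login.php brute forcing in an access log, per source IP and in aggregate."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in Apache common log format; not a real capture.
# 203.0.113.5 is the site owner (one typo, then a successful login),
# 198.51.100.7 guesses from a single address, and eight hosts in
# 192.0.2.0/24 stand in for a botnet that sends one guess per node.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2013:09:59:55 +0000] "GET /wp-login.php HTTP/1.1" 200 2810
203.0.113.5 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
203.0.113.5 - - [13/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [13/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [13/Apr/2013:10:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [13/Apr/2013:10:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [13/Apr/2013:10:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [13/Apr/2013:10:05:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.7 - - [13/Apr/2013:10:05:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.10 - - [13/Apr/2013:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.11 - - [13/Apr/2013:10:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.12 - - [13/Apr/2013:10:20:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.13 - - [13/Apr/2013:10:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.14 - - [13/Apr/2013:10:20:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.15 - - [13/Apr/2013:10:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.16 - - [13/Apr/2013:10:20:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
192.0.2.17 - - [13/Apr/2013:10:20:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
198.51.100.200 - - [13/Apr/2013:10:21:00 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 9114
"""

# Common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_login_attempts(log_text):
    """Return (ip, timestamp, status) for every POST to /wp-login.php, oldest first."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of aborting the run
        if m.group("method") != "POST" or m.group("path").split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        attempts.append((m.group("ip"), ts, int(m.group("status"))))
    attempts.sort(key=lambda a: a[1])
    return attempts


def outcome_counts(attempts):
    """Assumption: a failed login re-renders the form (200); success redirects (302)."""
    return Counter("success" if status == 302 else "failure" for _, _, status in attempts)


def per_ip_offenders(attempts, threshold=5, window=timedelta(seconds=60)):
    """IPs that send `threshold` or more login POSTs within any `window`.
    This is the rule a typical login-throttling plugin keys on."""
    by_ip = {}
    for ip, ts, _ in attempts:
        by_ip.setdefault(ip, []).append(ts)  # already in time order
    offenders = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def login_bursts(attempts, threshold=5, window=timedelta(seconds=60)):
    """Windows in which the site as a whole gets `threshold` or more login POSTs,
    whoever sends them. Returns (window_start, attempt_count, distinct_ips)."""
    bursts = []
    i = 0
    while i < len(attempts):
        start_ts = attempts[i][1]
        j = i
        while j < len(attempts) and attempts[j][1] - start_ts <= window:
            j += 1
        chunk = attempts[i:j]
        if len(chunk) >= threshold:
            bursts.append((start_ts, len(chunk), len({ip for ip, _, _ in chunk})))
            i = j
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    attempts = parse_login_attempts(SAMPLE_LOG)
    print(f"{len(attempts)} login POSTs, outcomes: {dict(outcome_counts(attempts))}")
    print("per-IP throttle would block:", sorted(per_ip_offenders(attempts)) or "nobody")
    for start, count, ips in login_bursts(attempts):
        print(f"{start:%H:%M:%S}: {count} attempts from {ips} address(es)")
```

Run against the sample, the per-IP rule catches only 198.51.100.7; the eight botnet nodes each stay under the threshold, which is exactly the weakness Mullenweg describes. Counting across all sources still surfaces the botnet burst (eight attempts from eight addresses in eight seconds), which is the signal to look for when deciding whether a slow server is under a login flood, and it is what a host is reacting to when it locks down the login page for everyone.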
We hope that helps put your mind at ease and helps ensure that your WordPress sites are well protected.
If you want to read more about this attack, see the BBC article here.