Your blog under attack!
You could be vulnerable, here’s what to do about it. WordPress Security
Hackers are attacking WordPress sites. If you have a blog for your business there is a high chance that you are using WordPress, one of the most popular blogging platforms that currently hosts over 64 million websites.
According to server hosts Cloudflare and Hostgator the platform has been attacked by a botnet of “tens of thousands” of individual computers since last week. (A botnet is a network of individual computers in homes and offices that are being controlled by hackers or criminal gangs).
As to the why, Cloudflare made the following post on their blog:
There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.
One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic
The main vulnerability here is the lax wordpress security by the users – a very large percentage whom have not changed the default username setting “admin” and combine that with a weak password, all of which makes it much easier for the attacks to succeed.
The hackers program tries to access WordPress accounts through 1,000 common passwords and “admin” combination. This tactic will not work against smart users however enough people still use easy-to-guess passwords that makes it productive for the hackers.
Improve your WordPress Security – Get protected
WordPress founder Matt Mullenwag posted on his blog suggested changing default usernames as an additional step to protect their WordPress accounts. NB there are additional authentication steps for WP.com sites. (Click the links below for details on how to make changes to your user name and what makes a strong password)
If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.
These are simple but effective steps to take. Go check your blog now and make the appropriate changes. You should also look at what version of the platform you are running and upgrade to the latest version.