WordPress is one of the most widely used blogging platforms, and right now it is under a brute force attack from a large botnet. In a recent post, Matt Mullenweg wrote about the attack on WordPress sites. It is a botnet attack that brute-forces logins using the default WordPress username (admin). Let me first explain what a botnet is and how it works.
What is a botnet attack:
Here are a few terms you should know:
- Bot master: Usually the hacker who controls all of the infected computers.
- Zombie computer/Bot: A system that has been infected by the bot master and carries out the attack traffic (spam, login attempts and so on). The owner is usually unaware that the machine is compromised. It could be anyone's computer, including yours.
Usually a hacker first compromises a large number of systems spread across different geographical locations, and then uses those compromised systems to run attacks such as denial of service, brute force, email spam and many more. The diagram in the original post shows how the botnet model works. If you wish to learn more about other hacking methods, check out how hackers hack passwords.
The major problem with a botnet attack is that it is hard to block by I.P. address: the attacker has access to many different I.P. ranges, so it is practically impossible to block them all.
Preventing a WordPress brute force attack:
According to Matt, this botnet has access to 90,000+ I.P. addresses, and these systems are being used to run a brute force attack. A brute force attack tries many candidate passwords (dictionary words, common variations and other guesses) against a login until one works. I have already talked about the Limit Login Attempts plugin, but it blocks individual I.P. addresses after a few failures; when the attack is spread over 90,000+ I.P. addresses, each address only needs a handful of guesses and never reaches the per-address limit, so such plugins will not be an effective solution on their own.
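To make that point concrete, here is an added example (not code from the original post or from any WordPress plugin) that runs two detection rules over a constructed web-server access log: a per-address rule of the kind a Limit Login Attempts style plugin applies, and a site-wide rule that counts failures from all addresses together. It assumes combined log format and treats a POST to wp-login.php answered with HTTP 200 as a failed attempt (a successful login redirects with 302); the addresses and traffic are made up for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format. Assumption: a failed wp-login.php POST re-renders the
# form with HTTP 200, while a successful login redirects with 302.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def build_sample_log():
    """Constructed sample traffic (not a real capture): 30 bots that each try twice,
    one clumsy attacker hammering from a single address, then the owner logging in."""
    base = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, status):
        ts = (base + timedelta(seconds=len(lines))).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3412 "-" "Mozilla/5.0"')

    for _round in range(2):
        for host in range(1, 31):
            add(f"192.0.2.{host}", 200)       # distributed botnet: 2 guesses per address
    for _ in range(6):
        add("203.0.113.9", 200)               # single-source attacker: 6 guesses
    add("198.51.100.5", 302)                  # legitimate successful login
    return lines


SAMPLE_LOG = build_sample_log()


def failed_logins(lines):
    """Return (ip, timestamp) for each apparent failed login attempt."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts))
    return events


def per_ip_blocks(events, threshold=5):
    """Limit Login Attempts style: an address is blocked once it alone reaches `threshold` failures."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def global_alert(events, threshold=20, window=timedelta(minutes=5)):
    """Site-wide view: peak number of failures from *all* addresses inside any `window`.
    Returns (alert, peak)."""
    times = sorted(ts for _, ts in events)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak >= threshold, peak


if __name__ == "__main__":
    ev = failed_logins(SAMPLE_LOG)
    print(f"{len(ev)} failed logins from {len({ip for ip, _ in ev})} addresses")
    print("per-IP blocking catches:", per_ip_blocks(ev) or "nothing")
    print("site-wide alert:", global_alert(ev))
```

On the sample, the per-address rule blocks only the single noisy attacker and lets all 30 bots through, while the site-wide counter sees 66 failures in about a minute and fires. An access log does not contain the attempted username (it is in the POST body), which is why a real plugin hooked into the WordPress login sequence can additionally count failures per account; the site-wide counter is the piece a purely per-address plugin cannot give you.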
Here are a few things every WordPress user should do immediately to secure their blog against this brute force attack:
Change the WordPress default username:
When you install WordPress, you have the option to choose your username, but the default suggestion is "admin", and I have already explained why you should not keep the default username. If you are still using "admin", change it to a custom username immediately. Here you can find ways to change your WordPress default username (note: the WP Optimize plugin method doesn't work anymore).
Remember, the point is that there should be no user named "admin" on your blog at all. Don't just create a new user with administrator privileges and leave the "admin" account in place; log in as the new user and delete the user with the username "admin". When WordPress asks what to do with that user's content, attribute it to your new account rather than deleting it.
Use a complex password:
This rule applies to every web property you have. Use a long password that mixes letters, numbers and special characters (#&%^@), and do not reuse a password from another site. This makes it far harder for a brute force attack to guess your password. Here are a few guides to help you create a strong password for your WordPress blog:
Enable two-step authentication:
Two-step authentication requires a second factor (typically a one-time code from an app on your phone) in addition to the password, so a guessed or leaked password alone is not enough to log in.
Cloudflare, a free CDN service, has added a rule that detects the signature of this attack and blocks it before it reaches your site. You can read about it here; the feature is also available on the free Cloudflare plan.
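The heading above mentions two-step authentication. As an added illustration (not code from the original post or from any WordPress plugin), here is how the time-based one-time codes used by authenticator apps are generated and checked: RFC 4226 HOTP under an RFC 6238 time counter, with a small drift window, constant-time comparison and replay protection. The 30-second step, 6-digit length and SHA-1 are the RFC defaults, chosen here as assumptions; the check is verified below against the RFC 4226 test secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Assumed parameters (RFC 6238 defaults): 30-second step, 6-digit codes, HMAC-SHA1.
STEP = 30
DIGITS = 6


def new_secret(nbytes=20):
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=STEP, digits=DIGITS, window=1, last_counter=-1):
    """Accept `code` if it matches the current step or one within +/- `window` steps
    (phone clock drift). The comparison is constant-time, and any counter at or below
    `last_counter` (the last one this account already used) is refused, so a code cannot
    be replayed. Returns the matched counter, or None when the code is rejected."""
    if at is None:
        at = time.time()
    current = int(at) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already consumed: replaying a sniffed code must fail
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


if __name__ == "__main__":
    secret = base64.b32decode(new_secret())   # the base32 string is what goes into the app's QR code
    code = totp(secret)
    print("current code:", code, "-> accepted at counter", verify_totp(secret, code))
```

A login that requires this code as well as the password turns a password guess into a guess of a 6-digit value that changes every 30 seconds and cannot be reused, which is exactly what a botnet running through a wordlist is not equipped to do. The server must store the secret as carefully as a password hash, and must remember the last accepted counter per user for the replay check to mean anything.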
HostGator users can use this guide to safeguard their WordPress blog from brute force attacks. There are many WordPress security plugins out there, but for now I would recommend the Better WP Security plugin.
Nonetheless, make sure you take regular backups of your WordPress blog: a complete backup of both the database and the wp-content folder, so that you can recover quickly if your blog is compromised. I hope you take the suggested measures to ensure the safety of your WordPress blog. If you find this article useful, do consider sharing it on Facebook and Google Plus.