WordPress is one of the most widely used blogging platforms, and right now it’s under brute force attack via a large botnet. In a recent post Matt Mullenweg posted about the recent attack on WordPress sites. This is a botnet attack and is performing brute force attack using default WordPress login (admin). Let me first explain what botnet is, and how it works.
What is Botnet attack:
Here are few terms you should know:
- Bot master: Usually the hacker who operates all infected computer.
- Zombies computer/Bot: System which is infected by the Botmaster, and helps in spamming. Usually, owner of computers are unaware of the fact, that they are compromised. It could be anyone computer, including yours.
Usually a hacker, first hacks a large number of system spread on different geographical location, and then he uses these compromised system to run attacks like Denial of service attack, Brute-force attack, Email spam and much more.
The major problem with Botnet attack is, it’s hard to block access via I.P. blocking method, as hacker have access to the different I.P range, and it will be virtually impossible to block all I.P.
Preventing WordPress brute force attack:
According to Matt, this recent botnet has access to 90,000+ I.P., and these systems are being used to run a brute force attack. Brute force attack is a method of trying all possible combination of dictionary and non-dictionary words to login to a system. I have already talked about Limit login attempt plugin, but it blocks individual I.P., in this botnet attack, hackers are running the attack using 90,000+ I.P., so such plugins like Limit login will not be an effective solution.
Here I’m sharing few things which every WordPress users should immediately do to secure his WordPress blog against this brute force attack:
Change WordPress Login URL:
The best way to prevent hackers from brute forcing your blog is by hiding your WordPress login URL. You can use WPS hide login plugin to rename your wp-admin URL to something like domain.com/wedfweig which is impossible for a hacker to guess.
Once you have installed & activated the plugin, go to Settings > General to configure your new WordPress login page
Change WordPress Default username:
When you install WordPress, you have an option to select your username. By default, WordPress uses “admin” as username, and I have already explained why you should not use default username. If you are still using WordPress username as “admin,” you should immediately change it to a custom username. Here you can find ways to change your WordPress default username (note: WP optimize plugin method doesn’t work anymore).
Do remember, the point here is: You should not have “admin” username on your blog. This means, don’t just create a new user with admin privilege and leave the admin username as it is. You have to delete a user with username “admin.”
Use a Complex password:
This rule applies to every web property you have. Use a complex password using alphabet, numeric and special character (#&%^@). This makes it hard for a brute force attack to crack your password. Here are few guides to help you create a smart password for your WordPress blog:
Enable two-step authentication:
Cloudflare which is a free CDN service has added a rule to detect the signal of such attack and prevent your website from attack. You can read about it here, and this feature if also available on the free version of Cloudflare.
HostGator hosting users can use this guide to safeguarding their WordPress blog from brute force attack. There are many WordPress security plugins out there, but for now, I would recommend using Better WP security plugin.
None the less, ensure that you are taking a timely backup of your WordPress blog. That means a complete backup of your database and wp-content folder, to ensure faster recovery once your blog is affected. I hope you take suggested measures to ensure the safety of your WordPress blog. If you find this article useful, do consider sharing it on Facebook and Google plus.