Over the past 24 hours it has come to our attention that a large network of over 90,000 IP addresses has ramped up a brute force attack against WordPress blog installations. According to several published reports, the botnet is attempting to log in to WordPress installations using the default "admin" username and trying many passwords against it. By default, WordPress puts no limit on login attempts, whether they arrive through the login page or as crafted authentication cookies, so a weak or common password can be guessed with relative ease.
CloudFlare (whose reverse proxies front a large number of WordPress sites) and the hosting provider HostGator are both reporting that the scale of the current attack is much larger than what they typically see, with some reports claiming that 60 million requests per hour are being blocked during peak times. After reviewing our logs we’ve already noticed several failed login attempts using the username Admin.
What can I do to protect my WordPress installation(s)?
- If your administrator account is still named "admin", rename it to something custom. WordPress does not let you change a username from the profile screen, so the easiest way is probably a plugin such as Better WP Security.
- Change/strengthen your password. Length and randomness matter most: use a long password that you use nowhere else, and include capital letters and symbols (%+!#) rather than a dictionary word with one symbol tacked on.
- Install a plugin to limit login attempts. We use the appropriately titled Limit Login Attempts WordPress plugin, but several other plugins offer similar functionality.
Once that is done, sit back and hope for the best! Bear in mind what a login limiter can and cannot do: it slows each attacking address down, but with 90,000 addresses each trying only a handful of passwords, the renamed account and the strong password are the controls that actually keep the botnet out.
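To show what a login limiter like the one recommended above actually does, here is an added example of a minimal WordPress must-use plugin that locks out an IP address after repeated failed logins. It is not code from this post or from the Limit Login Attempts plugin; the thresholds, the elt_ function names and the log messages are my own choices for illustration.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example of a per-IP login lockout (not the Limit Login Attempts plugin).
 *
 * Copy this file to wp-content/mu-plugins/ and WordPress loads it automatically.
 * All thresholds below are assumptions chosen for illustration.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Loaded outside WordPress; nothing to do.
}

define( 'ELT_MAX_FAILURES', 5 );    // failed logins allowed per IP before lockout (assumed)
define( 'ELT_WINDOW_SECS', 600 );   // failure counter expires 10 minutes after the last failure (assumed)
define( 'ELT_LOCKOUT_SECS', 1200 ); // locked-out IPs are refused for 20 minutes (assumed)

function elt_client_ip() {
    // Only REMOTE_ADDR is trusted. Behind a reverse proxy, have the proxy rewrite the
    // client address instead of reading X-Forwarded-For here, which any client can forge.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function elt_fail_key( $ip ) { return 'elt_fail_' . md5( $ip ); }
function elt_lock_key( $ip ) { return 'elt_lock_' . md5( $ip ); }

/**
 * Runs on every failed login, for wrong passwords and unknown usernames alike, so guesses
 * against a renamed (now non-existent) "admin" account are counted too. State is kept in
 * transients, so no extra database table is needed.
 */
function elt_record_failure( $username ) {
    $ip       = elt_client_ip();
    $failures = (int) get_transient( elt_fail_key( $ip ) ) + 1;

    if ( $failures >= ELT_MAX_FAILURES ) {
        set_transient( elt_lock_key( $ip ), time(), ELT_LOCKOUT_SECS );
        delete_transient( elt_fail_key( $ip ) );
        error_log( sprintf( 'elt: locked out %s for %ds after %d failures, last username "%s"',
            $ip, ELT_LOCKOUT_SECS, $failures, $username ) );
        return;
    }
    set_transient( elt_fail_key( $ip ), $failures, ELT_WINDOW_SECS );
}
add_action( 'wp_login_failed', 'elt_record_failure' );

/**
 * The wp_authenticate_user filter fires after the username has been resolved to a user but
 * before the password hash is checked, so a locked-out IP never gets a password compared
 * at all. Returning a WP_Error aborts the login and is itself recorded as a failure.
 */
function elt_block_locked_ip( $user, $password ) {
    if ( get_transient( elt_lock_key( elt_client_ip() ) ) ) {
        return new WP_Error( 'elt_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'elt_block_locked_ip', 10, 2 );
```

Keying the lockout on the client address rather than on the username is deliberate: a per-username lockout would let the attacker lock the real administrator out simply by continuing to guess. The price is that the counter only sees one address at a time, which is why the rename and the strong password still carry most of the weight.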
Update: HostGator has provided additional tips.