If you follow technology news you’ll know that there’s been a very large attack ongoing against self-hosted WordPress blogs. While the worst of the attack may have stopped for now, it’s still ongoing.
Our technical team released some figures that show the scale of the attack. And we’re not that big a hosting provider when you compare us to the “big boys” such as GoDaddy. Their numbers would be several orders of magnitude higher.
The attack is basically a “brute force attack”, i.e. using computers / servers to try thousands of possible username / password pairs in the hope of gaining access to the WordPress control panel. By default when you install WordPress the administrator username is set to “admin”, so the attackers only have to work on the password. They’ve already got the username for most WordPress installs.
And yes, I’ll have to admit, quite a few of my WordPress installs were using the default administrator username as well. Fortunately (fingers crossed!) none of my installs had very weak passwords, so, as far as I know, none of them were compromised.
But that wasn’t from lack of trying. This site alone has had several hundred hack attempts in the last couple of days that I know of (I started logging failed login attempts a couple of days ago).
If you’re running WordPress installs there are a number of things you can do. Some of them will work better than others ..
Obvious things ..
Don’t use the default “admin” account. If you have it already then create a new user with administrator privileges and delete the old one. You can reassign all the posts from the old admin user to the new administrator account you’ve created.
Use a strong password. There are plenty of password generators available online or if you want you can use a password locker to help handle them for you.
There are also a lot of WordPress plugins that can help tighten up the security of your WordPress install by changing some of the default settings. Just bear in mind that some of the more comprehensive tools may impact your site’s ability to work with certain themes, plugins and third-party services.
And make sure both your WordPress core and plugins AND themes are kept up to date. Seriously.