There has been a massive distributed brute force attack being launched the past few days against every WordPress based website at every hosting provider in the world.
Well over 150,000 different IP addresses are currently attempting to gain access to the admin user’s password in every WordPress site. By default, WordPress cannot protect itself against this type of attack, but you can protect yourself by following the tips in this email.
Here are the most important ones:
- Update WordPress to the latest version using the update function in the WordPress admin section. This is critical on so many levels they can’t all be covered in this post.
- Install the “Better WP Security” plugin in WordPress. This will add brute force detection and auto-blocking, and it will make it easy to make additional security related improvement to your WordPress site. While Arvixe, Inc doesn’t endorse any particular plugin or author or have any partnerships with them, this particular plugin has proven successful in mitigating the attack on the author’s personal WordPress blogs.
- Click on the Security tab in the WordPress admin to tweak the security settings.
- Change the admin username to something else (since the hackers are trying to guess the password for the WordPress admin account). Anything else. Not your name, definitely not Admin or admin. I personally use something to do with the subject matter of the site. MySiteAdminUser or something like this.
- Feel free to change some of the other settings while in the Security Tab like the WordPress table prefix, user id 1 or others. There are several settings that are just good practice to tweak.
- Remove every theme and plugin that you are not currently using. The fewer themes and plugins you have will mean fewer things for hackers to target in the future.
- Choose a really strong password for your admin level user. Just in case the importance of this is not realized I will say it again. Choose a really strong password for your admin level user. Passwords similar to the following:
Don’t use these… as this hits the web they will be compromised.
Overall, you are ultimately responsible for your own data. We do everything we can to mitigate attacks such as this and any other brute force or DDoS attacks as they happen. Your assistance with this by maintaining the security of your WordPress site is greatly appreciated!
You can also see our other article on WordPress Security here.