Jim's Marketing Blog


WordPress botnet attack: Improve your security

If you have a WordPress blog or website, it’s important that you improve your security, as soon as possible. This post explains why and offers some tips to make your WordPress site safer and gives you links to 2 free security tools you can use.

WordPress botnet attack


Hosting companies worldwide are reporting a surge in attacks on WordPress sites right now. It was reported yesterday that a botnet, with an estimated 90,000 servers (and growing), is trying to log into WordPress sites by cycling different usernames and passwords.

Ars Technica reported today that this ‘huge attack’ could create a botnet like we have never seen before. My security provider, Sucuri (affiliate link), says the number of attacks has increased by almost 300% in just a few weeks.

(UPDATE) This free online tool from Sucuri will check if your blog has been attacked. It also shows you whether you’re using the latest version of WordPress and whether your site has been blacklisted. You will see your results in seconds; simply enter the address of your blog.

WordPress botnet: What to do

As this attack seems to use brute force to cycle through usernames and passwords, I suggest you beef up your login security by adding a WordPress plugin. This will block anyone from accessing your site if they attempt more than a certain number of failed logins. The plugin I use is called Limit Login Attempts and is available for free from the WordPress Repository.

By default, WordPress allows unlimited login attempts. This means botnets can hit your website or blog with hundreds or thousands of different username and password combinations. By limiting login attempts to just a handful, you make this type of attack significantly harder. (Update) Whilst this may help and is a good idea against general attacks, WordPress founder Matt Mullenweg has suggested that ‘login throttling’ plugins may not be of much help with this specific attack, because it comes from a very large number of different IP addresses.
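To make the throttling question in this paragraph and in Matt’s advice below concrete, here is an added Python simulation (not code from this post or from the Limit Login Attempts plugin) that replays a constructed stream of failed logins through a lockout that counts per source IP, and then through one that also counts per account. It assumes the plugin counts failures per IP, and the 10.x.x.x addresses are placeholders.

```python
from collections import defaultdict

def botnet_events(n_bots, guesses_per_bot, username="admin"):
    """Constructed failed-login stream, (source_ip, username): each bot uses its
    own placeholder 10.x.x.x address and tries only a couple of passwords."""
    for bot in range(n_bots):
        ip = f"10.{(bot >> 16) & 255}.{(bot >> 8) & 255}.{bot & 255}"
        for _ in range(guesses_per_bot):
            yield ip, username

class LoginThrottle:
    """Failure counters per source IP and per target username (None = not enforced)."""
    def __init__(self, max_per_ip=None, max_per_user=None):
        self.max_per_ip, self.max_per_user = max_per_ip, max_per_user
        self.ip_failures = defaultdict(int)
        self.user_failures = defaultdict(int)

    def allowed(self, ip, username):
        if self.max_per_ip is not None and self.ip_failures[ip] >= self.max_per_ip:
            return False
        if self.max_per_user is not None and self.user_failures[username] >= self.max_per_user:
            return False
        return True

    def record_failure(self, ip, username):
        self.ip_failures[ip] += 1
        self.user_failures[username] += 1

def replay(events, throttle):
    """Return (reached, blocked): guesses WordPress still had to compare against
    the real password, and guesses refused before any password check."""
    reached = blocked = 0
    for ip, user in events:
        if throttle.allowed(ip, user):
            reached += 1
            throttle.record_failure(ip, user)  # every guess in the sample is wrong
        else:
            blocked += 1
    return reached, blocked

def compare(n_bots=90_000, guesses_per_bot=2):
    """Same botnet against per-IP lockout alone, then per-IP plus per-account lockout."""
    per_ip_only = replay(botnet_events(n_bots, guesses_per_bot), LoginThrottle(max_per_ip=4))
    # Counting per account stops the guessing, but also locks the real owner out
    # for the lockout window, so it trades availability for protection.
    with_account = replay(botnet_events(n_bots, guesses_per_bot),
                          LoginThrottle(max_per_ip=4, max_per_user=20))
    return {"per_ip_only": per_ip_only, "per_ip_and_account": with_account}
```

With 90,000 bots making two guesses each, the per-IP limit of four never triggers and all 180,000 guesses reach the password check, which is exactly why a strong password, a non-default username and two-factor authentication are the controls that hold regardless of how many IP addresses the attacker has.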

Change your WordPress username from admin

I also suggest you change your WordPress username from ‘admin’. Admin is the default WordPress username, and sites using it are massively easier to break into, because only the password needs to be guessed.

If you’re not sure how to change your WordPress username, there is a step-by-step guide here. You can also go to YouTube and search for ‘Change WordPress username’. There are lots of videos showing exactly what you need to do. It’s very simple, takes just a little time and improves your security significantly.

Update your WordPress software and plugins

It’s important to make sure you’re running the most recent version of WordPress. New versions of WordPress often contain security updates, which will protect you from attacks that target older versions of the software. Before you update WordPress, it’s a good idea to back up your data first.

Make sure your plugins are up to date too. Out of date software is easier to hack and newer versions often provide additional security, which patches holes found in older versions.

Update your WordPress blog themes

If you use a blog theme, make sure that it’s up to date. It’s also important to either update or delete OLD blog themes, as these inactive themes can still be used to get into a site. Before updating your blog theme, remember to back up your data first.

These are just some of the things you can do, for free, to make your site safer. With such an increase in WordPress botnet attacks right now, it makes sense to take some time as soon as you can to improve your security.

News regarding this attack

VentureBeat: WordPress admin accounts target of botnet attacks.

TechCrunch: Hackers Point Large Botnet At WordPress Sites.

The Verge: Massive botnet using brute force attack to target WordPress sites.

UPDATE: WordPress founder Matt Mullenweg released some advice from his blog:

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

About Jim Connolly: I help small business owners grow their business, make more sales and boost their profits. To see how I can help you and your business, read this.

27 Comments

  1. I saw something about this earlier today but didn’t understand a word of it (Im not a geek)

    Thanks for explaining it in English and giving some tips on how to avoid being a victim.

    Len

  2. Hi Jim,

    Thanks for the tips…I’ve just run my site through the free Sucuri tool and thankfully everything is fine at the moment.

    I’m about to go and install ‘Limit Login Attempts’ on my blog; without you I would never have heard of this plug-in.

    I really hate the idea of being hacked, and it’s a shame hackers can’t be savaged by a pack of guard dogs!

    Mel

    • Hi Mel. Happy to be of assistance, sir. This blog was hacked once, and it is a horrible experience. That’s how I met Sucuri – they resolved the issue in a few hours.

      Thanks for the feedback.

  3. Hi Jim, unfortunately your advice to use the Login Lockdown plugin isn’t exactly effective for a brute force attack by a giant bot net. And while I love and use Sucuri, throwing out your affiliate link there gives your readers a false sense of security.

    A botnet consisting of 100,000 computers will attack your site from a wide range of IPs rendering the login limits ineffective. And the attacks are aimed at getting access to your WordPress admin, something that the Sucuri scanner wouldn’t be able to detect.

    Here’s what Matt Mullenweg (yes, the creator of WordPress) had to say:
    http://ma.tt/2013/04/passwords-and-brute-force/

    Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

    • Hi David. I’m adding Matt’s advice to the post shortly. Thus far, every security expert quoted has advocated the use of stronger log in protection. Odd that you seem to advocate leaving it open? No it’s not a silver bullet, but it helps. The Sucuri link is useful to non-geeks, who may not know if their WordPress install is up to date and if they are blacklisted. It does this for free. This isn’t a tech blog and thus I offered general help.

      Other than agreeing with the advice I gave about changing your username from ‘admin’ and quoting yesterday’s post by Matt, do you have any suggestions which might help my readers?

      If so, I’d love you to share them here, David.

      Thanks for the feedback.

  4. Jim, the advice you gave is correct.

    TechCrunch (experts) also say to use a plugin that limits multiple attempts from the same IP address http://techcrunch.com/2013/04/12/hackers-point-large-botnet-at-wordpress-sites-to-steal-admin-passwords-and-gain-server-access/

    As these are all from different bots, each one still only gets 1 or 2 goes.

    That should help a lot.

    • Hi Andre. That was my understanding too and the same advice is given from many other tech blogs.

      I believe the key though, is to have a VERY strong password and unique username.

  5. Hey Jim,

    I’ve worked in web development since 1998 and your advice and the advice from the tech blogs is sound.

    *By limiting 1 bot or 1 million bots from more than 2 login attempts, you make it extremely difficult to get into the site. To say otherwise makes no sense.*

    There’s a back-story here…
    Matt Mullenweg is known for being hostile to anyone suggesting WordPress is a security hazard without additional software. This attack is focused on WordPress and is working only because it’s so easy to hack without additional software to strengthen it. Mullenweg hates that we need plug-ins to protect ourselves and this huge exploit is an embarrassment to him. That’s why he made that statement, saying all you need is a strong password, which is transparently wrong. WordPress needs strengthening and that’s why so many login limiting plug-ins exist.

    Mullenweg’s line is what that guy in your comments was repeating earlier. When combined with a strong username and password, login limiting software makes any blog a lot more secure. By kicking a bot out after 2 failed attempts, you make your site thousands of times harder to those with a strong password and their fingers crossed.

    Been lurking as a reader for a while, but couldn’t let that BS go uncorrected.

    Dr. Keith

    • Hi, Keith. I have no idea about back stories and unlike you, I am not a software guy.

      However, if a plugin can block an IP address from more than a few attempts at logging into a blog, it seems odd to say it’s no help.

      Thanks for sharing your thoughts.

    • Dr Keith is totally right.

      Matt Mullenweg hates that WordPress needs outside plugins for security. I totally get that, but by saying that all we need is strong usernames and passwords, he’s leaving unsophisticated users vulnerable to basic attacks.

      Thanks for allowing some balanced debate here.

      • Hi, Alan. Interesting. As I mentioned previously in these comments, I wasn’t aware of any issue with Matt and WordPress security.

        Thanks for the heads-up.

  6. Hello Jim,

    Thanks for your advice here. I am updating my blogs to make them more secure. I ran a Sucuri check and everything looks good. As you recommend in this article I will be installing Limit Login Attempts.

    I have had blogs hacked before with different things and it is not fun. It is much better to do preventive measures for sure.

    • Hi, Kirk. Glad you found the post useful, my friend.

      You’re right, it’s better to prevent than it is to clean up afterwards.

  7. Hi Jim,

    Thanks for this post. It helped me out a lot, I knew of some of the things to do already but this is very helpful. Two of my sites have been attacked twice already this month. I’m not sure if bots are getting to me or hackers, I heard they can come through the wordpress PHP scripts as well. Do you use this Sucuri service and if so what do you think of it? Always enjoy reading your blog, I’m going to save this post. Thanks, Jon

    • Hi, Jon. Yes, I am a very happy Sucuri customer and this is one of the sites they look after for me.

      That’s why I recommended them in the post, sir.

  8. This attack is really big. I mean 90,000 different IPs as sources for the crack attempts mean that there’s a criminal organization behind it running a huge botnet.

    It’s more important than ever to protect our WordPress sites, otherwise there’s the risk that they might even be turned into zombies and used for other criminal activities.

    I already had security measures in place to avoid brute force penetration but after seeing more than 20,000 attempts to login into my blog in recent days I decided that even if they failed it wouldn’t hurt having even stricter security.

    • Hi Massimo. Yes, it really is a big deal and it’s growing fast too.

      Like you say, this is time to add whatever additional security you can to your sites, to help harden it to potential attacks.

      Thanks for the feedback, my friend!

  9. Fantastic update post, just helped me find an error on a site. Glad I took the time to read this information. Only took a few seconds to check three different sites. Kudo’s…

    • Hi, Ty. Happy to help!

      Whilst that free Sucuri tool will not find everything, if it DOES see something, it’s important to act.

  10. I have a security problem of my own just now. I have the WordPress Firewall 2 installed but have today discovered that it is probably the cause of some problems I have been having (eg people being redirected to the home page rather than to where they wanted to go, it also happens when people post comments sometimes).

    I obviously do not want to leave the blog unprotected at this time and I am wondering about Sucuri. Will signing up to their service be an adequate replacement for the WordPress Firewall 2 plugin, do you think?

    I hope this question is not going too far off topic, Jim!

    • Hi Tessa. When you sign up for Sucuri, a couple of things happen. Firstly, you get a plugin, which stops incoming ‘hits’ from any IP address which is blacklisted as a potential threat. You also get a number of options, which you can use to protect your site by ‘hardening’ your security. My experience has been 100% successful.

      Secondly, for 12 months, if your site does get any form of infection, Sucuri clean it up at no extra cost.

      I recall you’re a copyblogger reader and copyblogger use Sucuri to keep them safe.

      I wouldn’t consider having a commercial website without Sucuri.

      Hope that helps, Tessa.
