WordPress hacking, botnets and brute-force attacks

These past few days have seen some alarming news about CMS sites being attacked by botnets. Targeting WordPress and Joomla, these bots simply try to get into your backend by cycling through combinations of usernames and passwords. Various articles have been written about this, and below is a roundup of what can be done to keep your WordPress site safe.

Do not use “admin” as your username: Matt points out that WordPress 3.0 and later let you pick a custom username during installation instead of the default “admin”. Hackers and bots will attack your site using admin as the username, so if you are still using it, please change it right away.

Use a strong password: Jon Jennings was curious about these botnets, so he modified a WordPress core file to record which passwords they were attempting to log in with. The results are interesting:

  • many of the passwords are dictionary words
  • many include a digit or two at the end – but it’s usually “1” or “12”
  • many are apparently random strings of digits that make sense on a qwerty keyboard e.g. qwerty, 895623, qweasdzxc
  • many are names or places e.g. nebraska, neal, Brittany, sonia
  • some are geeky e.g. ncc1701d, r2d2c3po
  • there’s clearly a distributed botnet at work here. I’ve noticed sequences of dictionary words in alphabetic sequence – but coming from wildly different IP addresses / locations e.g. I spotted visual, vivian, vivid, vivitron, vixen (actually a sequence of over 40 “vi” words that’s still continuing) with each attempt coming from a different IP address

So be smart and use a strong password.

Use security plugins: This latest attack was reported to be coming from botnets that spread their attempts across many different IP addresses, so a plugin like Limit Login Attempts, which locks out a single address after too many failures, probably won’t do much against it, though it will still stop a lone hacker. You could also password protect the entire wp-admin folder at the web-server level, which is what the folks at Retrix.com did for all of their clients in order to avoid disaster.

Add protection to your .htaccess file: Mika suggests that most security plugins act too late in the request cycle to do much against this latest attack. Instead she suggests adding rules to your .htaccess file, which has the added benefit of blocking comment spam.
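To make the difference between the two defences above concrete, here is an added example (my own code, not from the original post, from Limit Login Attempts or from Mika’s .htaccess rules). It replays constructed Apache log lines through three checks: per-IP throttling of the kind a login-limiting plugin does, a site-wide count of login POSTs that still fires when a botnet spreads its guesses over many addresses, and a request-header check of the kind commonly put in .htaccess (reject login POSTs that carry no Referer from the site or an empty User-Agent). The addresses, timestamps, the site name example.com and every threshold are assumptions made for the example.

```python
"""Added example, not code from the original post or from any plugin it names.

It replays constructed Apache "combined"-format log lines through three checks
discussed in the roundup:
  1. per-IP throttling, as a plugin like Limit Login Attempts does;
  2. a site-wide count of login POSTs, which still fires when a botnet spreads
     its guesses over many addresses so that no single IP trips check 1;
  3. a request-header rule of the kind commonly placed in .htaccess: reject login
     POSTs without a Referer from the site or with an empty User-Agent.
All thresholds, addresses and timestamps are assumptions made for the example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_posts(lines):
    """Keep only POSTs to wp-login.php: the requests that are actual login attempts."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["method"] == "POST" and r["path"].endswith("/wp-login.php")]


def per_ip_lockouts(reqs, max_attempts=4):
    """Check 1: addresses that exceeded max_attempts login POSTs (assumed threshold)."""
    counts = Counter(r["ip"] for r in reqs)
    return sorted(ip for ip, n in counts.items() if n > max_attempts)


def distributed_alert(reqs, window=timedelta(minutes=5), max_total=20):
    """Check 2: peak number of login POSTs from *any* address inside a sliding
    window. Returns (alert, peak). Window and threshold are assumptions."""
    times = sorted(r["ts"] for r in reqs)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak > max_total, peak


def header_rule_rejects(reqs, site="example.com"):
    """Check 3: login POSTs that a Referer/User-Agent .htaccess rule would reject.
    A browser submitting the real form sends a Referer from the site and a
    User-Agent; the rule blocks requests that lack either."""
    return [r for r in reqs if site not in r["referer"] or not r["ua"]]


# --- constructed sample log (assumed addresses and times) --------------------
BASE = datetime(2013, 4, 12, 10, 0, tzinfo=timezone.utc)


def _line(ip, ts, referer="-", ua="Mozilla/5.0"):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "POST /wp-login.php HTTP/1.1" 200 3927 "{referer}" "{ua}"'


SAMPLE_LOG = (
    # botnet: 30 guesses in four minutes, each from a different address, no Referer
    [_line(f"198.51.100.{i}", BASE + timedelta(seconds=8 * i)) for i in range(1, 31)]
    # a single host hammering the form, with a plausible Referer
    + [_line("203.0.113.5", BASE + timedelta(minutes=20, seconds=5 * i),
             referer="http://example.com/wp-login.php") for i in range(6)]
    # one legitimate login from a browser
    + [_line("192.0.2.9", BASE + timedelta(minutes=40), referer="http://example.com/wp-login.php")]
    # a GET of the login page is not an attempt and is ignored
    + ['192.0.2.9 - - [12/Apr/2013:10:39:50 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"']
)


def summarize(lines=SAMPLE_LOG):
    """Run all three checks over the log and return their findings."""
    reqs = login_posts(lines)
    alert, peak = distributed_alert(reqs)
    return {
        "attempts": len(reqs),
        "per_ip_lockouts": per_ip_lockouts(reqs),
        "distributed_alert": alert,
        "peak_in_window": peak,
        "header_rule_rejected": len(header_rule_rejects(reqs)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the sample log the per-IP lockout catches only the single hammering host, while the 30 botnet addresses each make one attempt and never trip it; the site-wide window count and the header rule both catch the botnet, and the one legitimate browser login passes all three checks.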

Of course, it goes without saying that your normal WordPress maintenance routine should be kept up. Update WordPress when a new version comes out, and update your theme and plugins. Equally important, but perhaps less obvious, is deleting inactive themes and plugins: as a recent post by WP Beginner points out, backdoors are often found in these.

One comment:

  1. As WordPress founder Matt states, choosing a strong password and ensuring that you have the most recent version of WordPress is sufficient protection. The botnet is essentially guessing account details, so if you have something which is just not guessable you’ll be safe.
