You may have heard in mainstream media that there have recently been “attacks” against WordPress websites. These attacks have actually been going on for a while, but have significantly escalated over the last week or so.
The purpose of this post is to
- try and clarify the problem, by putting it in simple terms
- identify what impact it may have on your site
- offer some advice what you can do to try and protect your site
What is the problem ?
The simple explanation of what is happening is that many WordPress sites are being subjected to a “Brute Force Attack” to try and find valid login details. The sites affected seem primarily USA based sites, and there don’t seem to be significant issues (yet) on Australian based web servers. The coordinated attack is running from 1,000s of different PCs, in different locations and with different IP Addresses .
Essentially the attack will try to login to your website using as many username and password combinations as possible in order to find a valid login. It’s as if someone was trying to guess the combination on a combination lock, but rather than being limited to a single guess every few seconds, they could make hundreds or thousands of guesses a second while never getting tired.
Details of this attack have been widely reported (do a Google search for “WordPress Attack”)
What might the impact be on your site?
There are two threats to your sites during this attack: a threat from the login attempts and a threat if a login is successful.
Attempted Logins
Each time WordPress handles a login attempt, your server’s resources are being used. If the attack starts to send numerous login attempts a second, your site’s performance can suffer. This puts a load on the server and can impact on the performance of other sites also hosted on that server. As a worst case scenario the host provider may suspend your account. The Australian based hosting service that In a day now uses is aware of this issue and has already taken steps to minimise disruption to your website.
Successfiul Login
If the attack is able to successfully “guess” the login to your site, then your entire site and server could be compromised. If the compromised account has an Administrator role,they could add new files, modify existing files, add additional users (in case the password of the compromised user is changed), inject malware into your site, or even turn your hosting account into a spam bot to extend the capabilities of this brute force attack..
What to do about it
We have outlined below some steps you can take to minimise the risk or at least lessen the impact of this type of attack.
Good Password
As a first step, we highly recommend you log into your WordPress site/s and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).
DON’T use the admin username
We always recommend that you NOT use (or even create) the default admin username.
However if your login ID is admin (or if it even exists on your site – check this by going to the Users section on your dashboard). remove the username “admin” from the site. By far, this is the biggest vulnerability that is being exploited in this attack. So, if you have a user with a username of “admin” on your site, it needs to be either removed or renamed ASAP.
The easiest way to rename the user is to replace it with a new user. This can be done in the following sequence of steps:
- Create a new user with the same role as the “admin” user. This is typically the Administrator role. You may have to use a different email address when creating this user as each user must have a unique email address.
- Log out.
- Log in as the new user.
- Delete the “admin” user.
- When asked what to do with the posts and links owned by the “admin” user, select the “Attribute all posts and links to” option, choose the new user from the drop down list, and click “Confirm Deletion”.
- Once the user is removed, you can change the new user’s email address if a different one was used to create it.
Limit Logins
We suggest that you install and activate a plugin such as Limit Login Attempts plugin as it helps protect against brute force attacks. It protects the site by blocking login attempts by a specific IP once that IP has failed too many times in a row. Note: because this particular brute force attack comes from many different IP addresses (possibly thousands) this will help but not prevent the problem entirely.
Andy Henderson, the Director and Head Trainer at In a Day, manages the day to day operations of our Brisbane (Carina) Training facility. Andy has more than 20 years experience in Search Engine Optimisation, Web Design, and in excess of 10 years WordPress website development.