WordPress blogs across the world are being attacked by brute force using a huge botnet. Several web hosting services have warned webmasters that they should secure their WordPress blogs. Hostgator claims it affects all web hosts, that the brute force attack is very well organized and very distributed, and that over 90,000 IP addresses seem to be involved in this attack.
It is typically targeting WordPress blogs through the ‘Admin’ user, using a brute force dictionary attack to try thousands of passwords and find the ones that unlock the blogs. The hosts say affected blogs will have a slow WordPress backend, and maybe an inability to log in, and that the attack will mostly hit VPS and dedicated servers. Cloudflare claims to have pushed updates to all free and paying customers to block the signatures behind the attack.
Brute Force Attack on WordPress Blogs
The most recommended tips to avoid this attack on your site are:
- Change admin user – New WordPress installations by default create ‘Admin’ as the main user. Since this attack is targeting Admin users and using brute force to detect their passwords, it's a good idea to change the admin user.
- Strong passwords – it's a good idea to make long passwords of more than 8 characters, with small and capital letters, symbols, numbers etc. Here are some best practices to make a strong password.
- Two-factor authentication – WordPress.com users can turn on two-factor authentication to further protect their blog. Though it may seem a little more time consuming, it is worth it.
- Security WordPress plugins – some of the commonly referred plugins to protect your site are WordFence (includes firewall, virus scanning) and Limit Login Attempts (limits the rate of login attempts).
- Upgrade WordPress – Ensure you have upgraded to the latest version of WordPress. It's just a click away now with super quick upgrades.
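To see what "Limit Login Attempts" style protection does and does not catch against a botnet like this one, here is an added example (not code from the original post or from any plugin): it parses Apache-style access-log lines, treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form on a bad password and redirects with 302 on success), and flags both a single noisy IP and a distributed attack where 90,000-style sources each try only once. The log lines and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def fmt_line(ip, ts, method, path, status):
    """One Apache combined-format line (constructed sample data, not real traffic)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 3512'

def build_sample_log():
    """Constructed traffic, not taken from the page: one loud IP, many quiet ones."""
    base = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = [fmt_line("203.0.113.10", base + timedelta(seconds=i), "POST", "/wp-login.php", 200)
             for i in range(8)]                       # single source: 8 failures in 8 s
    lines += [fmt_line(f"198.51.100.{i + 1}", base + timedelta(seconds=10 + i), "POST", "/wp-login.php", 200)
              for i in range(40)]                     # 40 IPs, one failure each (botnet style)
    lines.append(fmt_line("192.0.2.50", base + timedelta(seconds=50), "GET", "/index.php", 200))
    lines.append(fmt_line("192.0.2.51", base + timedelta(seconds=51), "POST", "/wp-login.php", 302))
    return lines

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php answered with 200: WordPress
    re-renders the login form with 200 on a bad password and answers 302 on success."""
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, TS_FMT)

def max_in_window(times, window):
    """Largest number of events inside any sliding window of the given length."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def detect(lines, per_ip_limit=5, site_limit=20, window=timedelta(seconds=60)):
    """The per-IP limit (what a login-limiting plugin enforces) catches one noisy source;
    the site-wide count over the remaining IPs catches a distributed attack."""
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        per_ip[ip].append(ts)
    noisy = sorted(ip for ip, ts in per_ip.items() if max_in_window(ts, window) >= per_ip_limit)
    quiet = [t for ip, ts in per_ip.items() if ip not in noisy for t in ts]
    return {"noisy_ips": noisy, "distinct_ips": len(per_ip), "distributed": max_in_window(quiet, window) >= site_limit}
```

Run `detect(build_sample_log())`: the single loud IP is flagged by the per-IP rule, while the 40 one-shot IPs only show up in the site-wide count, which is why a per-IP limiter alone will not stop a botnet of this size and the admin-user and password advice above still matters.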
Have you secured your WordPress blog? It could be your blog next.