Our readers here at WPHub.com are among the most active in the WordPress community and often share news with fellow members via online forums and their own websites. Over the last few weeks, one of the major topics that has frequently arisen has been the ongoing Botnet attacks that are exploiting vulnerabilities derived from an earlier WordPress release (Version 3.0) which allowed individuals and companies to create a custom user name. This has resulted in a brute force attack on the security of many websites as the botnet owner attempts to use the default “admin” user name in conjunction with common passwords to hack into websites and cause havoc.
A blog post last month published by WordPress co-creator and Automattic CEO Matt Mullenweg (pictured) highlights the existing security risk as well as outlining a simple process that will stave off many if not all of the attacks. “Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using ‘admin’ as their default username,” writes Mullenweg. “Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).”
Brute Force Attacks
The concept of hacking into one’s account by using a known user name along with common passwords is not new. In fact, these attacks have targeted users of the AIM instant messaging service, Facebook, email accounts and other software application for years. In some cases, the user’s login name may already be public information; making the need for a strong password that much more important. In the past, hackers have implemented a strategy which entails requesting a password change to a service once an email hack has been established, or gathering as much sensitive data on the victim beforehand and then simply going through the “security process” (which sometimes only requires a correct answer to one commonly-asked question to circumvent) in order to have a new password sent directly to them.
In some cases, a hacker may request a new password on behalf of the victim and be required to answer a general query such as, “What year were you born?” – and it doesn’t take a genius to realize that questions such as What is your favorite basketball team? and others could be quickly guessed with little effort; resulting in devastating chaos in some instances.
Generally speaking, victims have adapted to this by simply inserting a number of symbols and other less frequently used keyboard characters within their password and security question answers in order to fend off the most common form of attacks. Another tactic used by those who share room or office space with others is to create an encrypted NotePad document for sensitive data in case a laptop or handheld device is stolen or temporarily compromised.
All in all, hackers generally look for the weakest links when it comes to security and attempt to exploit them. Updating your information and remaining vigilant can be one of the most prudent ways to protect yourself from attack.