A huge worldwide brute force attack is hitting WordPress sites. The attack appears to be using a large botnet of infected PCs and servers in an attempt to break into the administration area of WordPress sites. The attacks come from a wide range of over 90,000 IP addresses from all over the planet, which points to a large number of infected PCs and servers.
The goal of the attack is still not clear, but once an administrator password is discovered, a hacker can add or delete pages and posts, modify content, add links to other sites in the site’s content, and can literally do anything that a WordPress administrator can do.
The key to identifying the attack is the fact that the bots are trying to discover the password for administrators set up under the username “admin”. That used to be the default administrator username whenever WordPress was installed, but for the last several years WordPress has allowed the default username to be changed during installation. No one should ever have a WordPress site with an administrator named “admin”. That alone gives a hacker half of what they need to know to break into a site’s administration area.
We have seen a few WordPress sites where we found the sysadmin@wordpress.org user account was set up. Each of these sites did use the ‘admin’ username for an administrator login, which may be the goal of the hack attempts. Many site owners incorrectly assume that WordPress installed this login. Neither WordPress nor any legitimate plugin will ever install an entryway into the administration area.
How To Prevent This Brute Force Attack
First, never use an administrator named “admin”. If your site has this user account set up, log into the site, set up a new username and give that name full administrator rights. Then log in using the new name and delete the admin account. While you are doing that, make sure that you check the correct box to reassign all posts belonging to the admin account to another username. Do this carefully or you could accidentally delete all of the posts assigned to the deleted user.
Second, always make sure that you use very secure passwords. Simple, easy-to-remember passwords are also easy for automated bots to figure out. Read this article to learn how to set up a secure password.
Third, install a plugin that limits the number of failed login attempts. We use Limit Login Attempts and find that it works very well. This plugin will lock out any hacker after a pre-defined number of failed login attempts.
The worst part of this problem is that there is nothing built into WordPress that prevents a hacker from repeatedly attempting to log into the admin area. A bot could literally try thousands of times using different password combinations until it discovers the correct password. Using the Limit Login Attempts plugin will help to prevent hackers from taking control of your WordPress site.
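The three steps above can also be enforced from inside WordPress itself. The must-use plugin below is an added example written for this page; it is not the code of the Limit Login Attempts plugin or anything shipped by WordPress. It assumes the threshold values shown, and that the address in REMOTE_ADDR is the real client address (behind a reverse proxy it is the proxy's address, and the trusted forwarding header would have to be read instead). It counts failed logins per IP in a WordPress transient, refuses further attempts once the threshold is reached, and warns every administrator while a user named "admin" still holds administrator rights.

```php
<?php
/*
Plugin Name: Example login lockout (added illustration, not the Limit Login Attempts plugin)
Description: Counts failed logins per client IP, locks the IP out after a threshold,
             and warns while an administrator named "admin" still exists.
*/

// Assumed settings for this example; a real plugin would make these configurable.
const EX_MAX_FAILED_ATTEMPTS = 5;        // failures allowed before lockout
const EX_WINDOW_SECONDS      = 15 * 60;  // how long failures are remembered
const EX_LOCKOUT_SECONDS     = 60 * 60;  // how long a locked-out IP must wait

// Client address. Behind a reverse proxy this is the proxy, not the attacker.
function ex_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names are limited in length, so key on a hash of the address.
function ex_fail_key($ip)    { return 'ex_login_fail_' . md5($ip); }
function ex_lockout_key($ip) { return 'ex_login_lock_' . md5($ip); }

// Record one failed attempt; lock the address out once the threshold is reached.
// WordPress fires wp_login_failed for every rejected login, including ones this
// plugin rejects itself, so attempts made during a lockout are counted as well.
function ex_on_login_failed($username) {
    $ip     = ex_client_ip();
    $failed = (int) get_transient(ex_fail_key($ip)) + 1;
    set_transient(ex_fail_key($ip), $failed, EX_WINDOW_SECONDS);
    if ($failed >= EX_MAX_FAILED_ATTEMPTS) {
        set_transient(ex_lockout_key($ip), time(), EX_LOCKOUT_SECONDS);
        delete_transient(ex_fail_key($ip));
        // Goes to the PHP error log; useful for spotting which usernames are targeted.
        error_log(sprintf('login lockout: %s after %d failures (last username "%s")',
                          $ip, $failed, $username));
    }
}
add_action('wp_login_failed', 'ex_on_login_failed');

// Refuse authentication for locked-out addresses. Priority 30 runs after the
// core username/password check (priority 20), so a correct password cannot
// override the lockout by replacing our WP_Error with a WP_User.
function ex_block_locked_out($user, $username, $password) {
    if (get_transient(ex_lockout_key(ex_client_ip())) !== false) {
        return new WP_Error('ex_locked_out',
            'Too many failed login attempts from your address. Please try again later.');
    }
    return $user;
}
add_filter('authenticate', 'ex_block_locked_out', 30, 3);

// A successful login clears the failure counter for that address.
function ex_on_login_success($user_login, $user) {
    delete_transient(ex_fail_key(ex_client_ip()));
}
add_action('wp_login', 'ex_on_login_success', 10, 2);

// Warn in the dashboard while an administrator named "admin" still exists,
// which is the account this attack is trying to guess the password for.
function ex_warn_about_admin_user() {
    if (!current_user_can('manage_options')) {
        return;
    }
    $admin = get_user_by('login', 'admin');
    if ($admin && in_array('administrator', (array) $admin->roles, true)) {
        echo '<div class="notice notice-error"><p>A user named "admin" with administrator '
           . 'rights exists. Create a new administrator, log in as it, and delete "admin", '
           . 'reassigning its posts to the new user.</p></div>';
    }
}
add_action('admin_notices', 'ex_warn_about_admin_user');
```

Place the file in wp-content/mu-plugins/, where WordPress loads it without activation. Note the limit of any per-IP lockout against this particular attack: with over 90,000 source addresses, a botnet can spread its guesses thinly enough that no single address ever reaches the threshold, so the lockout slows the attack rather than stopping it. Removing the “admin” username and using a strong password remain the controls that actually defeat the guessing.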