WordPress, the popular content management system behind many blogs and business websites, has been hit by a major hacker attack.
While many turn to WordPress because it’s easy to use, it turns out the application might be a little too easy for hackers to target, too.
Whoever is behind the attack is using an estimated 90,000 IP addresses “to brute-force crack administrative credentials of vulnerable WordPress systems,” writes Ars Technica. There is also concern that the hackers are trying to create a “botnet,” using a network of home computers to target more powerful servers, which could then cause more damage.
Those servers could, potentially, be used in larger denial-of-service attacks, where a high volume of traffic causes a site to crash. “This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions,” writes CloudFlare, an online security company. CloudFlare has already created a patch that prevents the attacks.
Reports say that sites hosted on Joomla are also under attack.
Since the attack uses thousands of different IP addresses, plugins that limit repeated login attempts from a single IP address aren’t that useful.
Instead, the steps for users to protect themselves are fairly straightforward:
- Change your username if it’s something common. The hackers try common usernames — “admin,” “test,” “administrator,” “Admin,” and “root” are the top five, reports PCmag.com — and then try thousands of passwords. “If you still use ‘admin’ as a username on your blog, change it,” WordPress creator Matt Mullenweg writes on his blog.
- Select a stronger password. WordPress has some suggestions on how to do that and this password generator can help you choose a new one.
- Consider the two-step authentication process that WordPress launched earlier this month. The process requires users to download an app to their smartphone, which will generate a random number needed to access a WordPress account, in addition to the usual password. The service also allows for backup codes to file away, just in case a smartphone is lost, stolen, or dropped into the toilet.
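To show why a per-IP login limiter misses an attack spread over thousands of addresses while a per-username view catches it, here is an added example (not code from the article, WordPress, or any plugin it mentions). The log format and the addresses are constructed for the example; core WordPress writes no such login-audit log.

```python
import re
from collections import defaultdict

# Constructed login-audit lines in a hypothetical "key=value" format: 24 failed
# logins against "admin", each from a different address, plus one ordinary user
# who mistypes a password once and then succeeds.
SAMPLE_LOG = "\n".join(
    [f"2013-04-12T10:00:{i:02d}Z ip=198.51.100.{i} user=admin result=fail"
     for i in range(24)]
    + ["2013-04-12T10:01:00Z ip=203.0.113.7 user=editor result=fail",
       "2013-04-12T10:01:05Z ip=203.0.113.7 user=editor result=ok"]
)

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_failures(text):
    """Yield (ip, user) for every failed-login line; skip lines that don't parse."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "fail":
            yield m.group("ip"), m.group("user")


def per_ip_alerts(text, threshold=5):
    """The classic limiter: flag any single address with >= threshold failures."""
    counts = defaultdict(int)
    for ip, _ in parse_failures(text):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def per_user_alerts(text, min_failures=10, min_sources=5):
    """Distributed view: flag usernames hit by many failures from many addresses.

    Returns {user: (failure_count, distinct_source_ips)} for each flagged user.
    """
    failures = defaultdict(int)
    sources = defaultdict(set)
    for ip, user in parse_failures(text):
        failures[user] += 1
        sources[user].add(ip)
    return {u: (failures[u], len(sources[u])) for u in failures
            if failures[u] >= min_failures and len(sources[u]) >= min_sources}


if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_LOG))      # {} : nothing fires
    print("per-user alerts:", per_user_alerts(SAMPLE_LOG))  # {'admin': (24, 24)}
```

Every attacking address stays under the per-IP threshold, so that limiter never fires; counting failures and distinct sources per target username flags “admin” immediately, which is the view a site operator needs against this kind of campaign.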