There is a “brute-force” botnet attack on-going against self-hosted WordPress sites. They are using programs they have installed on other compromised blogs (that’s the botnet) which logs in to your blog’s “admin” account over and over again thousands of times using a different password each time, hoping to find one that works. If they succeed, then they will install a backdoor so they can use your blog to attack other sites. Security firms are speculating that the WordPress attacks are being used to build a bigger botnet “force” which can later be used for a more massive attack on someone – or some thing – else.
My site has been very slow and even inaccessible several times in the last week which probably has to do with this attack. Although I can’t stop them from attacking my blogs, I can take steps to prevent them from taking them over. You can do the same.
First, I don’t use the default “admin” name for my blog’s administrator account. That way an attacker needs to figure out my account name as well as my password. If you are using the default, then create another user account with a name that does NOT identify it as an administrator (something like BobJones, maybe), set the Role for this account to Administrator and make sure this account has a very strong password (a minimum of 8 characters combining upper- and lower-case alphabetic characters with numbers and special characters). Now, log out and log in again with the new account. In the Users section, edit the old admin user and change its Role to Subscriber. While you’re at it, update the password to something hard to crack. That way, if someone should hack into the admin account, all they can do is look at its profile.
Regardless of what your blog’s administrator account is named, you should always have a strong password assigned to it. Even accounts with lesser roles should have strong passwords and everyone’s passwords should be changed regularly. WordPress.com has some very good recommendations for effective passwords.
Don’t allow your blog to become a botnet used to attack others. Take steps now to protect your blog and the content you’ve created.