Over the past couple of
The “brute-force” attack is ongoing and many hosting providers are having to put measures in place to mitigate any potential breaches.
What is a brute-force attack?
A brute-force attack is simply a method of repeatedly guessing username and password combinations until one works.
You may think that this would be a fruitless exercise, but it really isn’t.
People are lazy when it comes to passwords.
I’ve worked professionally in IT for over 20 years now and I can tell you that some CIOs of companies I’ve worked with have had “password” as their password to their Windows account.
I remember having a conversation with one very senior board member of a multi-national financial services company, about his unforgivable poor choice of password.
He told me I was out of place for commenting on such matters, after
I suspended his account under the same policy we would use for any other employees not taking security seriously and
If you’ve had a chuckle about that, stop and have a think through all the passwords you use on the Internet.
How secure are they and when was the last time you changed them?
Botnets are vast numbers of compromised computers (hacked and taken under remote control) that are used to coordinate huge attacks on other systems.
The current estimates for the
Combine 90,000 computers each trying hundreds of password combinations every minute and you can see why we need to take this attack seriously.
Many computer users still don’t have any sort of firewall software installed and it is primarily these computers that are the victims of hackers looking to add them to their
The type of software used to gain control of computers is very sophisticated and most of the time users will be completely unaware that their computer has been compromised and is being used in such a way.
A good firewall that is kept up-to-date must be your first
Why are WordPress websites being targeted?
It’s not only WordPress websites under attack. Joomla! sites have also reported an increase in attempted breaches.
WordPress powers over 17% of all websites in the interwebs and Joomla! over 3%.
Each WordPress and Joomla!
Also, prior to WordPress 3.x (and Joomla!
It’s no surprise that these are the top username choices that the brute-force attack is using – according to the report by security firm
Who is doing this and why?
None of the infamous hacking groups have put their hand up as being responsible for the WordPress website attacks as yet.
At this moment we simply do not know who is coordinating the attacks nor why.
Due to the method being used and the sheer number of websites being targeted, it is unlikely that the hackers are after any information on a particular website.
It’s more likely that they are after the hosting space so that they can insert hidden micro-sites and malware for use in their nefarious schemes.
What can I do to secure my WordPress website against these attacks?
The two best things you can do to protect your WordPress website from being compromised by this current attack are:
- Make sure none of your usernames are Admin, Administrator, Test or Root (rename or replace any that are)
- Make sure every account has a long, complex password made up of upper and lower case letters, numbers and punctuation, and that it isn’t reused from any other site
Wordfence comes with login limiter settings that lock out an IP address after X failed login attempts.
OSE Firewall doesn’t have this feature, but you can install the Limit Login Attempts plugin to provide the same functionality.
There are of course lots of other ways you can secure your WordPress website against hacking and we’ll cover that in a future post.
If you are an unfortunate victim of the current attack and have had your website compromised, we offer a hacked WordPress website restoration service to get your site back up and secure.