If you keep up to speed with the latest WordPress news you will already know that the world’s favorite content management system was recently hit with a botnet of “tens of thousands” of computers, according to ZDNet. There is one simple step you can take to mitigate your risk.
WordPress sites have been under attack from a botnet
Some experts are suggesting that the worst is yet to come. CloudFlare has said that in the latest round from this botnet it fended off 60 million requests in one hour. So let’s take just a second to consider the simplest step you can take to prevent your WordPress site from becoming a victim of these attacks and improve its security. The requests appear to be coming from a sophisticated botnet that may comprise as many as 100,000 computers, based on the number of unique IP addresses the attacks originate from. CloudFlare estimates the botnet has the power to test as many as 2 billion passwords in an hour.
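The numbers above (many unique source addresses, a very high login rate) are exactly what shows up in a web server access log while such a campaign is running. The following is an added example, not code from this post or from CloudFlare, that scans combined-format access log lines for POST requests to /wp-login.php and reports two things: single addresses hammering the login form, and a site-wide burst spread across many addresses, which is the pattern a per-IP rule alone misses. The log lines are constructed for the example; the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format (not real traffic):
# one address retrying six times, eight addresses trying once each, plus noise.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.1 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Apr/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Apr/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.6 - - [12/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Apr/2013:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.51 - - [12/Apr/2013:10:00:21 +0000] "POST /contact/ HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_posts(lines):
    """Return (ip, timestamp) for every POST to /wp-login.php; everything else is ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        hits.append((m["ip"], datetime.strptime(m["ts"], TS_FMT)))
    return hits


def noisy_ips(hits, threshold, window_seconds):
    """Addresses that sent >= threshold login POSTs inside any window_seconds span."""
    by_ip = defaultdict(list)
    for ip, ts in hits:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            # advance j to the first timestamp outside the window starting at stamps[i]
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_burst(hits, window_seconds):
    """Site-wide view: (login POSTs, distinct addresses) in the busiest window.
    A botnet that spreads one or two guesses per address never trips a per-IP rule,
    but the aggregate rate and the address count still give it away."""
    ordered = sorted(hits, key=lambda h: h[1])
    best = (0, 0)
    j = 0
    for i in range(len(ordered)):
        while j < len(ordered) and (ordered[j][1] - ordered[i][1]).total_seconds() <= window_seconds:
            j += 1
        count = j - i
        if count > best[0]:
            best = (count, len({ip for ip, _ in ordered[i:j]}))
    return best


if __name__ == "__main__":
    hits = parse_login_posts(SAMPLE_LOG.splitlines())
    print("single-source offenders:", noisy_ips(hits, threshold=5, window_seconds=60))
    print("busiest 60 s window (posts, distinct ips):", distributed_burst(hits, 60))
```

On the sample, only 203.0.113.10 crosses the per-address threshold, while the site-wide view reports 14 login POSTs from 9 addresses in one minute; it is the second figure, compared against your normal login rate, that tells you a distributed campaign is under way rather than one misbehaving client.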
What’s going on with these attacks on WordPress sites?
Matt Mullenweg recently made a post on his personal blog and attempted to play down the sensationalist aspect of the botnet story.
Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
The simple 1 step solution to securing your site
Given that the botnet appears to be targeting administrative accounts with a dictionary attack, you should immediately remove the default ‘admin’ account that ships out of the box with each WordPress installation. This one simple change could stop the botnet from affecting your site.
Of course… ensuring that whatever account you’re using as the admin account on your WordPress installation has a decent password is a positive second step you can take as well. Setting a random password is likely to repel any brute-force dictionary attack on your site. Randomized passwords aren’t uncrackable… but they are a strong deterrent in situations like this and can help protect your password from predators.
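To make the "random beats dictionary" point concrete, here is an added example (not code from this post) that generates a password with a cryptographic random source, checks a candidate against a small constructed wordlist of the kind such a botnet cycles through, and uses the 2 billion guesses per hour figure quoted above to estimate how long a blind brute force would need. The wordlist and the defaults are assumptions for illustration; real wordlists are far larger.

```python
import math
import secrets
import string

# Constructed stand-in for a common-password wordlist (real lists run to millions of entries).
COMMON_PASSWORDS = {
    "admin", "password", "123456", "admin123", "wordpress",
    "letmein", "qwerty", "welcome", "passw0rd",
}

GUESSES_PER_HOUR = 2_000_000_000  # CloudFlare's estimate quoted in the post

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def in_dictionary(password):
    """True if the password, or a trivial variant (case change, trailing digits), is in the wordlist."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits)
    return lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Uniformly random password from the alphabet, using the OS CSPRNG (not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(length, alphabet_size, guesses_per_hour=GUESSES_PER_HOUR):
    """Worst-case hours to try every string of this length at the given guess rate."""
    return alphabet_size ** length / guesses_per_hour


def assess(password, alphabet_size=len(DEFAULT_ALPHABET)):
    """Summarise why a candidate password does or does not resist this kind of attack."""
    return {
        "in_wordlist": in_dictionary(password),
        "entropy_bits": round(entropy_bits(len(password), alphabet_size), 1),
        "brute_force_hours": hours_to_exhaust(len(password), alphabet_size),
    }


if __name__ == "__main__":
    for candidate in ("Admin123", "password1", generate_password()):
        print(repr(candidate), assess(candidate))
    # Every 6-character all-lowercase password falls in well under an hour at this rate.
    print("6 lowercase chars:", hours_to_exhaust(6, 26), "hours")
```

The takeaway the numbers give: at 2 billion guesses an hour every six-character lowercase password is covered in minutes and a wordlist of millions of entries in seconds, whereas a 20-character password drawn uniformly from 94 symbols carries about 131 bits of entropy and is out of reach of any online guessing campaign. Online rate limiting (the login form, not the botnet, sets the real ceiling) only makes the gap wider.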
I always recommend LastPass as it simplifies keeping your passwords random, different for each site, and yet always available and simple to use. LastPass Sentry even monitors your accounts for security breaches for free! In addition to LastPass you should use Google Authenticator (which works with LastPass) and use two-step authentication. You should use it because 2-step verification can significantly reduce the chances of having the personal information in your Google account stolen by someone else.