WordPress, one of the largest blogging platforms on the planet, is under an ongoing brute force attack. It began Friday, April 12, and hasn’t ceased; every one of its users is potentially at risk.
WordPress is by far the largest blogging platform on Earth and, in terms of migrations from other platforms, the fastest-growing. According to WordPress itself, there are more than 64 million WordPress sites.
What the heck is going on? How do you protect yourself and your blog, assuming you’re one of those millions of users at risk?
Matt Mullenweg, founder of WordPress, had this to say on his blog: “Right now there’s a botnet going around all of the WordPresses it can find trying to login with the ‘admin’ username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell ‘solutions’ to the problem).”
The botnet, a huge network of hijacked computers, is seeking out and hammering WordPress blogs, trying to crack their passwords. It is concentrating on those with obvious usernames like “admin,” which is the default username for WordPress installs. If you picked a different username at install, you’re likely just fine.
For everyone else, however, it’s time to change your username. The botnet simply hammers your site with a list of possible passwords until it finds the right one, and unless your password is partly written in Sumerian characters or something, it’s reasonable to assume it can be cracked.
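The attack described above is visible from the defender's side as a burst of login POSTs from one address. The script below is an added example, not code from the article or from WordPress: it parses a few constructed web server access-log lines in the common "combined" format and flags source addresses that make many failed login attempts against wp-login.php inside a short window. It leans on one heuristic about stock WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful login answers with a 302 redirect into wp-admin, so a 302 that follows a burst of 200s from the same address is worth an alert on its own. The threshold (5 attempts) and window (5 minutes) are assumptions for the example, not values from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format); none come from the article.
# 203.0.113.7: six failed POSTs in a few seconds, then a 302 (password found).
# 198.51.100.3: one mistyped password followed by a normal 302 login.
# 192.0.2.9: five failures spread over four minutes, no success.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Apr/2013:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Apr/2013:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Apr/2013:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "-"
192.0.2.9 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "-"
192.0.2.9 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "-"
192.0.2.9 - - [12/Apr/2013:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "-"
192.0.2.9 - - [12/Apr/2013:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3895 "-" "-"
"""

# Apache/nginx combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Turn raw combined-format lines into dicts; lines that don't parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop query string (e.g. ?action=lostpassword)
            "status": int(m["status"]),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: verdict} for addresses with >= threshold failed login POSTs in any window.

    Heuristic (assumption about stock WordPress): a failed wp-login.php POST returns 200
    with the form re-rendered; a successful one returns 302. A 302 at or after the burst
    turns the verdict from "brute-force" into "brute-force-then-success".
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in attempts if e["status"] == 200]
        # Sliding window over failure timestamps: find the first window holding >= threshold.
        start, burst = 0, False
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        succeeded = any(e["status"] == 302 and e["ts"] >= failures[start] for e in attempts)
        findings[ip] = "brute-force-then-success" if succeeded else "brute-force"
    return findings


if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {verdict}")
```

Run against a real access log, the "brute-force-then-success" verdict is the one to act on first: it means the guessing stopped because a password matched, which is exactly the case the article's advice (change the username and password, enable two-factor) is meant to prevent. Plain "brute-force" hits are candidates for blocking at the web server or with a login-limiting plugin.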
So what can you do to protect yourself? It’s easy, assuming you haven’t been cracked already. Mullenweg recommends, “If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.”
While you’re at it, it never hurts to change your password and change the password on the email account that you use to administer the blog, as gaining email access and then hitting “forgot my password” is another common way sites are hijacked.
The two-factor authentication referred to by Mullenweg adds another layer of security: it means that not only must the person trying to access your blog know your username and password, but they must also physically have your mobile device as well. Two-factor authentication is built into WordPress.com blogs as an option and available through multiple plugins on WordPress.org.
Lynda.com staff author and WordPress developer Morten Rand-Hendriksen suggests that some of the fault for the attack lies with WordPress itself, for making “admin” the default username. In an email conversation with the Daily Dot, he elaborated on the remarks he had made on his Lynda.com blog. “Brute force attacks go for the ‘admin’ username first, but it’s not the only one. They also usually try ‘test’ and ‘administrator’ and other typical names. My point is that eliminating these makes blanket brute force attacks much harder to execute.” He’s created a YouTube video to guide people through the relatively easy process of changing the username.
While Mullenweg downplays the threat, saying that people can simply change usernames, developer Chris Rudzki (who works for WordPress’s parent company, Automattic) has already written a patch to the core code which eliminates standard usernames, forcing people to choose a unique name on installation.
The short version: Change your username to something long, change your password, change your email password, enable two-step authentication. And don’t say we never did nuthin’ for ya.
Photo by Danny Robinson/Flickr