Ars Technica – Huge attack on WordPress sites could spawn never-before-seen super botnet:
Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.
The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today. That’s because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.
The attacks currently target the “admin” username and 1,000 common passwords. If you’ve got a simple or obvious password, now’s the time to change it.
If your WordPress admin account is named “admin”, you need to change that, too, and not just because of this bot network. I monitor failed login attempts, and 99% are using “admin” for the username.
I recommend the Better WP Security WordPress plugin for changing the admin username, monitoring failed logins and excessive 404s, and a whole lot more:
- Change the database prefix from the default of “wp_”.
- Disable admin logins during times when you never log in.
- Hide WordPress information in source code and files such as readme.html. That makes it less likely that Google searches and script tools can discover WordPress installations or WordPress versions with specific vulnerabilities.
- Monitor file changes. I exclude directories that are supposed to have frequent file changes, like cache and backup directories.
- Temporarily or permanently ban access from IP addresses with excessive failed logins or 404s. Be careful with this setting. A search engine might hit the 404 limit when trying to access old URLs.
- Optionally enable SSL for logins, admin area, or even the front end.
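The file-change monitoring item above boils down to a hash baseline that skips the noisy directories. The script below is an added example, not code from the original post or from the Better WP Security plugin: it snapshots SHA-256 hashes of every file under a WordPress root, ignores the cache and backup paths (the exact directory names in DEFAULT_EXCLUDES are assumptions, adjust them to your install), and reports what was added, removed or modified between two snapshots. The demo() function builds a small constructed tree in a temp directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed locations of the churn-heavy directories; not from the original post.
DEFAULT_EXCLUDES = ("wp-content/cache", "wp-content/backups")


def snapshot(root, excludes=DEFAULT_EXCLUDES):
    """Map each file (relative POSIX path) under root to its SHA-256 hex digest,
    skipping anything inside an excluded directory."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == ex or rel.startswith(ex + "/") for ex in excludes):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[rel] = digest.hexdigest()
    return result


def diff_snapshots(old, new):
    """Compare two snapshots and return the paths that changed, sorted so the
    output is stable enough to email or log."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed WordPress-like tree: cache churn must be ignored, a theme
    edit and a dropped PHP file must be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/cache").mkdir(parents=True)
        (root / "wp-content/themes/t").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (root / "wp-content/themes/t/functions.php").write_text("<?php // theme code\n")
        (root / "wp-content/cache/page.html").write_text("cached page, version 1")
        baseline = snapshot(root)

        # Simulated activity since the baseline was taken.
        (root / "wp-content/cache/page.html").write_text("cached page, version 2")  # ignored
        (root / "wp-content/themes/t/functions.php").write_text("<?php // theme code\n// appended\n")
        (root / "wp-content/themes/t/extra.php").write_text("<?php\n")  # new file

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice you would persist the baseline (for example as JSON) somewhere the web server cannot write to, re-run snapshot() from cron, and alert on any non-empty diff; a file that appears under wp-content or the web root that you did not upload yourself is the signal worth paging on.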
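The failed-login monitoring mentioned earlier and the "ban IPs with excessive failed logins or 404s" item (with its search-engine caveat) can both be checked from the web server's access log. The script below is an added example, not code from the original post or the plugin. It parses combined-format log lines, counts failed logins and 404s per client IP inside a sliding time window, and exempts known crawler user agents from the 404 rule. It assumes the usual WordPress pattern in which a failed POST to /wp-login.php re-renders the form with HTTP 200 while a successful login redirects with 302; the thresholds, window, crawler list and all log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed crawler tokens. A User-Agent string is trivially spoofable, so a
# production rule should confirm crawlers by reverse DNS rather than trust this.
CRAWLER_TOKENS = ("Googlebot", "bingbot")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def is_known_crawler(ua):
    return any(token in ua for token in CRAWLER_TOKENS)


def _burst(times, threshold, window):
    """True if at least `threshold` events fall inside any span of length `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def find_offenders(log_text, fail_threshold=5, notfound_threshold=10,
                   window=timedelta(minutes=5)):
    """Return {ip: [reasons]} for clients that exceeded a threshold."""
    events = defaultdict(lambda: {"login_fail": [], "not_found": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash on them
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and status == 200:
            events[m["ip"]]["login_fail"].append(ts)  # assumed: 200 on POST = form re-shown
        elif status == 404 and not is_known_crawler(m["ua"]):
            events[m["ip"]]["not_found"].append(ts)

    offenders = {}
    for ip, cats in events.items():
        reasons = []
        if _burst(cats["login_fail"], fail_threshold, window):
            reasons.append("failed_logins")
        if _burst(cats["not_found"], notfound_threshold, window):
            reasons.append("404s")
        if reasons:
            offenders[ip] = reasons
    return offenders


def _line(ip, hhmmss, request, status, ua="Mozilla/5.0"):
    return f'{ip} - - [12/Apr/2013:{hhmmss} +0000] "{request}" {status} 512 "-" "{ua}"'


# Constructed sample log: one brute-force burst, one successful login, a crawler
# hitting old URLs (exempt), a scanner hitting missing pages, and three failures
# spread ten minutes apart (under the window).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:0{i}", "POST /wp-login.php HTTP/1.1", 200) for i in range(5)]
    + [_line("198.51.100.2", "10:01:00", "POST /wp-login.php HTTP/1.1", 302)]
    + [_line("198.51.100.9", f"10:02:{i:02d}", f"GET /old-post-{i} HTTP/1.1", 404, GOOGLEBOT_UA) for i in range(12)]
    + [_line("192.0.2.33", f"10:03:{i:02d}", f"GET /page-{i} HTTP/1.1", 404, "python-requests/1.2") for i in range(12)]
    + [_line("192.0.2.50", f"10:{10 + 10 * i}:00", "POST /wp-login.php HTTP/1.1", 200) for i in range(3)]
)

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

The window matters as much as the threshold: the same three failures that are harmless ten minutes apart become a burst if you widen the window, which is exactly the knob to turn when a temporary ban is hitting a legitimate user or a search engine re-crawling old URLs.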
Backup WordPress First
Before making the security changes, back up your WordPress install. You should be doing automated backups anyway in case of successful hacks, server problems, or human error. Better WP Security has a backup feature, but I’ve tried it on two separate WordPress installations and couldn’t get the scheduled backup feature to work.
Instead I’m using the UpdraftPlus WordPress plugin for backups. It can back up the database and files separately. You should back up the database more often than the files. The database changes every time you create or modify a page or blog post, or receive a comment. The database is relatively tiny – even with thousands of blog posts and comments mine is only 437 MB – so backing it up doesn’t take much processor time or disk space.
UpdraftPlus can email you the files, FTP or SSH them to another server, or upload them to cloud storage. Amazon S3, Dropbox, and Google Drive cloud storage are currently supported. You can choose to receive an email report every time the backup runs.