This post is not, strictly speaking, a genealogy related article. However, since many genealogists are also bloggers, and since WordPress is often their platform of choice, I’m hoping that this post will help get the word out there to all my fellow bloggers that they need to do an immediate security review of their WordPress installations and passwords.
On Wednesday morning, when I tried to log in to my WordPress dashboard, all I could see was a text-only mode, and I was unable to access any of the functionality. I created a support ticket with my host and was notified that they were aware of the issue and were working to resolve it. By Wednesday night, full functionality on my blog had been restored and I didn’t think any more of it.
This morning, I received an email broadcast from my host with the subject “Important Information about Protecting Your WordPress Site”. It went on to explain:
On Tuesday, a widespread “brute force” attack against WordPress started impacting sites across the internet. This attack is leveraging a botnet, which looks to have more than one hundred thousand different computers at its disposal. Its intent is very simple: to find and compromise WordPress sites with simple passwords, likely to use them later to distribute malware (and further increase the size of the botnet).
To combat the attack, my host began to drop all traffic directed at their WordPress login pages, which explains why I could not log in to my own dashboard. They then tried a simple approach of blocking the IP address of any computer that had more than a handful of failed login attempts. But the attacks continued.
By this point, between ourselves and our partners, we were approaching having flagged nearly that hundred thousand IP addresses, and more new IP addresses were showing up every second. Even though we were stopping much of the attack, it was so large that simply handling the traffic was starting to impact our servers.
Eventually, they identified a difference between the way the attackers accessed the login page and the way legitimate users access it, and were able to put security in place that drops only the attack traffic. They assure me that “We head into the weekend in good shape”.
Doing a little research on this botnet attack, I found the following message from WordPress creator Matt Mullenweg that was published on The Next Web yesterday:
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to log in with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
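To show why a per-IP limit is the wrong tool against a botnet that spreads its guesses across tens of thousands of addresses, here is an added example (my own illustration, not code from my host or from WordPress) that runs the host’s first mitigation and a site-wide check side by side over a few constructed web-server log lines. It assumes the standard combined log format, that WordPress answers a failed wp-login.php POST with HTTP 200 and a successful one with a 302 redirect, and thresholds that are illustrative only.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in the combined log format written
# by Apache and nginx. A failed wp-login.php POST gets HTTP 200 (the form is
# re-rendered); a successful one gets a 302 redirect to wp-admin. That status
# code is enough to tell failure from success without seeing the POST body.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Apr/2013:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:09:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Apr/2013:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "-"
203.0.113.12 - - [11/Apr/2013:09:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "-"
203.0.113.13 - - [11/Apr/2013:09:01:02 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3521 "-" "-"
203.0.113.14 - - [11/Apr/2013:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "-"
203.0.113.15 - - [11/Apr/2013:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "-"
203.0.113.16 - - [11/Apr/2013:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_login_attempts(log_text):
    """Return (ip, succeeded) for every POST to wp-login.php in the log."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        attempts.append((m["ip"], m["status"] == "302"))
    return attempts

def per_ip_blocklist(attempts, max_failures=5):
    """The host's first mitigation: block any IP with more than a handful of failures.
    Against one guess per address this never fires."""
    failures = Counter(ip for ip, ok in attempts if not ok)
    return {ip for ip, n in failures.items() if n > max_failures}

def login_failure_summary(attempts, min_failures=6, min_ips=5):
    """Site-wide view: many failed logins spread thinly over many addresses is the
    distributed pattern that a per-IP limit cannot see."""
    failures = Counter(ip for ip, ok in attempts if not ok)
    total, ips = sum(failures.values()), len(failures)
    return {"failures": total, "failing_ips": ips,
            "distributed": total >= min_failures and ips >= min_ips}

if __name__ == "__main__":
    a = parse_login_attempts(SAMPLE_LOG)
    print("blocked by per-IP rule:", per_ip_blocklist(a))
    print("site-wide summary:", login_failure_summary(a))
```

The legitimate user (two typos, then a successful login) and the six single-guess addresses together trip the site-wide check, while the per-IP rule blocks nobody.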
In addition to following Matt Mullenweg’s suggestions regarding usernames and passwords, if you have a self-hosted WordPress blog, now is probably a good time to upgrade to the latest version of WordPress, which is currently 3.5.1. It’s also always a good idea to review any plugins you have installed, uninstall those that are no longer in use, and upgrade the plugins you do need to their latest release.
And finally, if you are not doing a regular backup of your WordPress blog, you should check out the various plugins available to do this important task.