We wrote 1.5 months ago in the article Botnet attack on WordPress about the ongoing distributed attack on the WordPress platform.
WordPress has a default administrator called “admin” which can be changed to any user upon installation. According to various sources, the attack guesses up to 1000 most commonly-used passwords (see here examples).
Now, we see that the attackers have added more intelligent checks in their attempts to gain access to the blog. They are now parsing the blogs, extract the user names who posted something and then try to guess the passwords of these users.
A very interesting fact is that these intelligent attacks come from only a few domains in this moment. The most used are hostnoc.net, 163data.com.cn.
All the other attempts to access the default “admin” account continue, and even from the domains mentioned above still come a lot of requests with the default account.
There are some easy ways to prevent an attacker to gain access to your blog.
1. Set a strong password: this the most basic measure which should be used in combination with any other method.
2. Rename the administrative account: On a new install you can simply create a new Administrative account and delete the default
admin account. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like
UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';, or by using a MySQL frontend like phpMyAdmin.
3. Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is
wp_, the default. Changing this can block at least some SQL injection attacks.
4. Install a security plugin like Wordfence: Make sure you configure it to block the IPs which have failed login attempts. Set the number of attempts to 1. After setting up the plugin, you will see emails like this:
WordPress.org has published a page where various methods of hardening WordPress are described. However, they are extremely complex and should not be attempted by non experienced users. If you have any doubts about the security of your WordPress.com installation, contact your ISP that hosts the blog.
Leave a reply