Web host HostGator and CDN and DDoS-mitigation provider CloudFlare report that WordPress websites have been under a large, coordinated brute-force attack for the past few days; over the weekend the number of affected sites reached the order of “tens of thousands”. Is your WordPress website at risk?
Earlier this year WordPress.com, like many other online services, strengthened its login security by introducing optional two-step authentication: in addition to username and password, the user enters a one-time code generated by an authenticator app on their phone or sent by text message. Shortly afterwards, almost a million WordPress websites were hit by what some have called a “super botnet”.
“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence” reads a blog post by HostGator’s Sean Valant. “This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack” the post also read. Daniel Cid, chief technology officer at Sucuri Security, also took note of the massive botnet attack on WordPress and noted that the number of such “brute force attacks” has almost tripled since the previous month.
A botnet is a network of compromised machines, typically home PCs infected with malware, that an attacker controls remotely and can point at a single target all at once; spreading password guesses or traffic across tens of thousands of addresses is what makes such an attack hard to block by source IP. In 2012 a botnet was behind the temporary outages of the websites of several of the largest US banks, and according to security experts the WordPress attack looks like preparation for something much bigger.
“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack” reads a blog post by CloudFlare’s CEO Matthew Prince. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic” the CEO added.
To protect your WordPress website against a botnet attack, WordPress founder Matt Mullenweg recommends that you rename the “admin” user (if you still use it) and choose a strong password. “Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours)” Mullenweg added.
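Mullenweg’s point about per-IP throttling is easy to see in the access log. The following is an added example, not code from the original article, from WordPress or from any throttling plugin: it parses Apache combined-format log lines, applies the kind of per-IP limit a login-throttling plugin enforces, and contrasts it with a site-wide count of distinct addresses posting to wp-login.php. The log lines are constructed for the example (addresses from the RFC 5737 documentation ranges, not a real capture), and the thresholds (5 attempts per IP in 10 minutes, 20 distinct IPs in 5 minutes) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), APACHE_TS),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def login_attempts(lines):
    """POSTs to wp-login.php in time order. A failed WordPress login re-renders
    the form with HTTP 200, so the status code alone does not separate success
    from failure; every POST to the form is counted as an attempt."""
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"].startswith("/wp-login.php")]
    return sorted(events, key=lambda e: e["ts"])


def per_ip_offenders(events, limit=5, window=timedelta(minutes=10)):
    """Addresses a typical login-throttling plugin would block: more than
    `limit` attempts from one IP inside any sliding `window` (assumed thresholds)."""
    stamps_by_ip = defaultdict(list)
    for e in events:
        stamps_by_ip[e["ip"]].append(e["ts"])
    offenders = set()
    for ip, stamps in stamps_by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                offenders.add(ip)
                break
    return offenders


def distributed_burst(events, window=timedelta(minutes=5), min_ips=20):
    """Site-wide view: the largest number of distinct source addresses that
    POST to the login form inside any `window`. Returns (count, triggered)."""
    best = 0
    for i, first in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - first["ts"] > window:
                break
            seen.add(e["ip"])
        best = max(best, len(seen))
    return best, best >= min_ips


def build_sample_log(n_bots=60):
    """Constructed log (not a real capture): n_bots addresses from the
    203.0.113.0/24 documentation range each make ONE login POST, one second
    apart; 192.0.2.50 makes eight in a row; a normal visitor fetches the front page."""
    base = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req}" {status} 1024 "-" "Mozilla/5.0"'
    login = "POST /wp-login.php HTTP/1.1"

    def line(ip, offset, req=login, status=200):
        ts = (base + timedelta(seconds=offset)).strftime(APACHE_TS)
        return fmt.format(ip=ip, ts=ts, req=req, status=status)

    lines = [line(f"203.0.113.{i + 1}", i) for i in range(n_bots)]
    lines += [line("192.0.2.50", 120 + i) for i in range(8)]
    lines.append(line("198.51.100.9", 30, req="GET /index.php HTTP/1.1"))
    return lines


if __name__ == "__main__":
    attempts = login_attempts(build_sample_log())
    print("per-IP rule blocks:", per_ip_offenders(attempts) or "nothing")
    count, hit = distributed_burst(attempts)
    print(f"distinct sources posting to wp-login.php in 5 min: {count} (alert: {hit})")
```

With one attempt per address the per-IP rule catches only the lone repeat offender at 192.0.2.50 and lets all sixty distributed attempts through, while the site-wide count shows 61 distinct sources posting to the login form in a window where a normal site sees a handful. That count is the signal worth alerting on; blocking by source IP is not, and renaming “admin” and using a strong password still does more than any throttle, since every guess the botnet makes is then a wasted one.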