Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wordpress Sites Under Wide-Scale Brute Force Attack

Posted by Soulskill on from the pressing-all-the-words dept.

New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.

4 of 110 comments (clear)

  1. Seems like..... by n3tm0nk · · Score: 3, Insightful

    something they should have been prepared for in the first place......

  2. limit login attempts by interkin3tic · · Score: 5, Insightful

    advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

    Not being familiar with wordpress, I'll ask why isn't that on by default?

    1. Re:limit login attempts by preaction · · Score: 5, Insightful

      Because it increases the number of support requests dramatically.

    2. Re:limit login attempts by sabt-pestnu · · Score: 3, Insightful

      >>advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

      > Not being familiar with wordpress, I'll ask why isn't that on by default?

      What could be a simpler way to deny an administrator access to his own account than by a "limit login attempts" that limits attempts on a per-account basis (vs a per-IP address basis)?

      And if the attack is "one attempt per site per zombie", limiting on a per-IP basis has no teeth.

      <ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>