Slashdot Mirror


WordPress Sites Under Wide-Scale Brute Force Attack

New submitter NitzJaaron writes "Some of us have been experiencing attacks on WordPress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on WordPress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.

5 of 110 comments

  1. limit login attempts by interkin3tic · Score: 5, Insightful

    advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

    Not being familiar with WordPress, I'll ask why isn't that on by default?

    1. Re:limit login attempts by preaction · Score: 5, Insightful

      Because it increases the number of support requests dramatically.
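
Added example, not part of the original thread and not the code of the 'Limit Login Attempts' plugin: a minimal sliding-window limiter in Python showing why a per-IP limit alone does little against an attack spread over many addresses, while a per-username limit still caps guesses against "admin". The class name, thresholds and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Sliding-window failed-login limiter; thresholds are illustrative assumptions."""
    def __init__(self, max_per_ip=5, max_per_user=20, window=600):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window               # seconds
        self.by_ip = defaultdict(deque)    # ip -> timestamps of failures
        self.by_user = defaultdict(deque)  # username -> timestamps of failures

    def _recent(self, q, now):
        # Drop failures that have aged out of the window, return what is left.
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def allowed(self, ip, user, now):
        """Return (ok, reason); call before checking the password."""
        if self._recent(self.by_ip[ip], now) >= self.max_per_ip:
            return False, "ip"
        if self._recent(self.by_user[user], now) >= self.max_per_user:
            return False, "user"
        return True, ""

    def record_failure(self, ip, user, now):
        self.by_ip[ip].append(now)
        self.by_user[user].append(now)

def simulate(attempts, limiter):
    """Feed (ip, user, time) failed attempts; count outcomes by reason."""
    counts = {"tried": 0, "ip": 0, "user": 0}
    for ip, user, now in attempts:
        ok, reason = limiter.allowed(ip, user, now)
        if ok:
            limiter.record_failure(ip, user, now)
            counts["tried"] += 1
        else:
            counts[reason] += 1
    return counts

# Constructed sample traffic (documentation-range addresses, not real data).
single_source = [("203.0.113.9", "admin", t) for t in range(100)]
distributed = [(f"198.51.100.{i}", "admin", i) for i in range(100)]

if __name__ == "__main__":
    print(simulate(single_source, LoginLimiter()))
    print(simulate(distributed, LoginLimiter(max_per_user=10**9)))  # per-IP only
    print(simulate(distributed, LoginLimiter()))
```

The per-username limit also locks out the legitimate owner of that account while it is in effect, which is the support cost the reply above refers to.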

  2. Re:Seems like..... by jakimfett · Score: 5, Informative

    Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.

    --
    Bits of code, random ramblings: jakimfett.com

  3. Re:Little do they know... by Quirkz · Score: 5, Funny

    That's why I changed mine from username 'admin' with a blank password to password 'admin' with a blank username. They'll never guess that one!

  4. Re:Seems like..... by Electrawn · Score: 4, Informative

    No, the wp-admin folder is rather hard coded.