Over the last few weeks this site has been subjected to a brute force attack. I took it as a compliment since it is the second hack attempt this year, the first being successful. My site must be in high demand. The botnet is using the login name “admin” and then trying to guess the password. So essentially this is an attack targeted at people that install the WordPress system and leave everything on the default settings (my login is admin1, of course). It seemed fairly harmless as I was only getting about 5 attempts an hour in short bursts. Even if I had a user with the name admin, at that rate the password would never be guessed.
Earlier this week the login attempts started accelerating and I decided to look into this a little more. Turns out this is actually a massive attack on all WordPress sites across the internet. You can get the details from Ars here. Not being targeted specifically is a bit of a relief but kind of a let down as well; I guess the site is not in that high demand after all.
So if you are running a site/blog using the WordPress system then you need to log in and make sure that you do not have an account named admin. For now it seems that unless you are in control of your hosting server then the best bet is to wait. Not the most reassuring advice. Installing an IP logger on your login page will give you an idea of the size of the attack, but installing any of the more server-hungry PHP-based login security plug-ins is probably not a good idea at the moment unless you know what you are doing. And really, if you have your admin account set to “admin” then you really do not know what you are doing. If configured incorrectly, some login security plug-ins will cause your server to crash under such a large number of requests. If you do insist on using admin as your login name then at least follow XKCD’s advice on passwords.
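The IP logger mentioned above tells you who is hammering the login page; a lighter-weight way to get the same picture without adding a plug-in to a server that is already under load is to read the web server's access log offline. The script below is an added example, not code from the original post or from WordPress: it parses combined-format access log lines (the constructed sample lines, IP addresses and timestamps are made up for illustration), keeps only POST requests to wp-login.php, counts attempts per hour to size the attack, and flags any source address that makes at least five attempts inside a sixty-second window, which is the signature of a bot rather than a person who mistyped a password. The window and threshold values are assumptions you can tune to your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic): one source bursting at the
# login form, one real user logging in, one slow source, and one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Apr/2013:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Apr/2013:11:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.29"
192.0.2.44 - - [11/Apr/2013:11:07:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "curl/7.29"
192.0.2.44 - - [11/Apr/2013:11:15:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "curl/7.29"
this line is not in log format and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        # Drop any query string so "/wp-login.php?action=x" still matches.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def login_posts(lines):
    """Keep only form submissions to the login page (GETs just render the form)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            out.append(rec)
    return out


def attempts_per_hour(attempts):
    """Count login submissions per clock hour, to see how the attack ramps up."""
    return Counter(rec["ts"].strftime("%Y-%m-%d %H:00") for rec in attempts)


def burst_sources(attempts, window_seconds=60, threshold=5):
    """Return {ip: peak attempts in any window} for IPs that reach the threshold.

    A sliding window over each IP's sorted timestamps finds the busiest stretch;
    a human retrying a forgotten password does not reach five tries a minute.
    """
    by_ip = defaultdict(list)
    for rec in attempts:
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    recs = login_posts(SAMPLE_LOG.splitlines())
    print("login POSTs per hour:", dict(attempts_per_hour(recs)))
    print("bursting sources:", burst_sources(recs))
```

On a real server, replace `SAMPLE_LOG.splitlines()` with the lines of your access log. Note that the access log records only the request line, not the submitted form fields, so this cannot tell you which username the bots are trying; it does tell you how many sources are involved and how fast they are going, which is what you need to decide whether the server can afford a login-limiting plug-in or whether a firewall rule on the flagged addresses is the safer choice.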