A widespread attack is going on around the internet, looking for and compromising WordPress-based websites. The attack method is fairly unsophisticated, but it is quite powerful because of its breadth. Protecting your site against this attack is not particularly difficult, although that might change if it becomes more sophisticated.
The attack attempts to log in to WordPress using the username “admin”. The machines doing this assume that the username “admin” exists and then perform a “dictionary attack”, which simply means trying password after password from a very large list of likely passwords until one works. The dictionary here is not an actual dictionary but a metaphorical one that includes all real words, plus many variations and combinations with numbers and symbols thrown in as well. Dictionary attacks are very basic, but also very effective, and they are the reason it is so important to use good, strong passwords.
Once a person is able to log into WordPress as an administrator, they have full powers and privileges and can use the machine that hosts your website to do pretty much anything they want it to do, such as turning around and attacking someone else’s machine. One thing that is known about these attacks is that they come from over 90,000 IP addresses, which could mean the attackers have compromised that many websites.
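As an added illustration (not part of the original post), here is a small Python detector that picks this pattern out of an Apache access log. It relies on a behaviour of WordPress itself: a failed login POST to wp-login.php is answered with HTTP 200 (the form is shown again), while a correct password is answered with a 302 redirect into wp-admin. The log lines, IP addresses, threshold and window below are constructed for the example and are not from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }

def find_login_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs that POST to wp-login.php and fail `threshold` times inside `window`.

    WordPress re-renders the login form with HTTP 200 when the password is
    wrong and answers a correct one with a 302 redirect into wp-admin, so the
    status code alone separates failures from successes.  A 302 from an IP
    that was already flagged is the case worth escalating: a guess worked.
    """
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    failures = defaultdict(int)     # ip -> total failed attempts seen
    flagged = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 200:
            failures[ip] += 1
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:     # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"failed": 0, "success_after_failures": False}
            if ip in flagged:
                flagged[ip]["failed"] = failures[ip]
        elif rec["status"] == 302 and ip in flagged:
            flagged[ip]["success_after_failures"] = True
    return flagged

# Constructed sample log (documentation address ranges, not real traffic):
# 203.0.113.7 hammers the login form six times and then gets in;
# 198.51.100.4 is a legitimate user who mistypes once; 192.0.2.9 just reads a post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:08:00:03 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:08:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:08:00:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real access log the threshold needs tuning to the site: a handful of failures in five minutes from one address is a typo, dozens is the dictionary attack described above, and a 302 that follows a flagged burst means the password has been guessed and the account should be treated as compromised.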
So what’s the solution?
The first and most basic, as mentioned above, is to use a strong password. You already know this, but let’s be honest, we all use simple passwords from time to time out of convenience. Your website is not a good place to be lazy in this way.
Second, you should not have a username called “admin” on your system. If you do, create a new administrator account with a different, less obvious username and delete the admin user. Old installations of WordPress used to require a username of “admin”, but this was changed long ago in WordPress 3.0, and there is no excuse to still have this account.
Third, you should not post from an admin account, since WordPress shows the author’s name on every post. If an attacker knows the username of an administrator, they already have half the information they need to get control of your website.
Finally, the most secure way to protect your website is a little more advanced. You can lock down your admin tools, the WordPress back end, so that they are only available to a computer accessing them from your network. On an Apache web server you do this by editing (or creating, if necessary) a file called .htaccess in your /wordpress/wp-admin folder (not the root folder!). It’s just a simple plain text file; add the following:
# "order deny,allow" makes the allow line override the deny line. It is Apache's
# default when the line is absent, but stating it avoids a different Order
# inherited from your host's configuration locking everyone out.
order deny,allow
deny from all
allow from xx.xx.xx.xx
Replace xx.xx.xx.xx with your own IP address. The easiest way to find your IP address is to ask Google “what is my ip address”. Keep in mind that your IP address may change some day, and you will be locked out of your WordPress back end until you update your .htaccess file. There are some additional inconveniences to using this method, since you will also have to add the IP address of any other network you may want to access your site from, but it is definitely the secure thing to do. We’ve applied this method to my wife’s blog, indiaphile.info, which she is not happy about because she likes to check her stats on her cell phone from time to time, but it is far more convenient than being hacked.
Once you have made this change, I would suggest trying to access your website from a computer that is not on your home network. One way is to turn off WiFi on your cell phone and then try to access your website, or call a friend and have them try from somewhere else, just to make sure you didn’t block the world from your whole website. If you did block the world, it usually means you edited the .htaccess in the root folder rather than in /wp-admin.
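As an added example (my own code, not part of the original post), here is a small Python script that evaluates an .htaccess allowlist the way Apache 2.2 does, so you can check who gets into wp-admin before the file goes live and you test from your phone. It implements the Order / Deny / Allow rules (the Apache 2.2 syntax the post uses; Apache 2.4 replaced these with `Require all denied` and `Require ip`, which this script does not parse). The home, phone and friend addresses are constructed placeholders.

```python
import ipaddress

def _matches(spec, ip):
    """True if one 'from' argument matches the client address.
    Supports 'all', an exact IP, a CIDR block (203.0.113.0/24) and a
    partial dotted prefix (203.0.113), the forms Apache 2.2 accepts."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if ":" not in spec and spec.count(".") < 3:
        return str(ip).startswith(spec.rstrip(".") + ".")
    return ip == ipaddress.ip_address(spec)

def parse_htaccess(text):
    """Collect the Order, Allow and Deny directives from .htaccess text.
    Only whole-line comments are skipped: Apache does not allow a comment
    after a directive on the same line."""
    order = ("deny", "allow")            # Apache 2.2 default when Order is absent
    rules = {"allow": [], "deny": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = tuple(p.lower() for p in parts[1].split(","))
        elif directive in rules and len(parts) >= 3 and parts[1].lower() == "from":
            rules[directive].extend(parts[2:])
    return order, rules

def is_allowed(htaccess_text, client_ip):
    """Decide, as Apache 2.2 mod_authz_host does, whether client_ip may reach
    the directory protected by htaccess_text."""
    order, rules = parse_htaccess(htaccess_text)
    ip = ipaddress.ip_address(client_ip)
    allowed = any(_matches(s, ip) for s in rules["allow"])
    denied = any(_matches(s, ip) for s in rules["deny"])
    if order == ("deny", "allow"):
        # Default state is allowed; a Deny match blocks unless an Allow also matches.
        return allowed or not denied
    # Order Allow,Deny (and Mutual-failure): default state is denied; the client
    # must match an Allow and must not match any Deny.
    return allowed and not denied

def lockout_report(htaccess_text, clients):
    """Map each named client address to whether it can reach wp-admin, which is
    the check the post describes (home PC, phone off WiFi, a friend) done on
    paper before the file goes live."""
    return {name: is_allowed(htaccess_text, ip) for name, ip in clients.items()}

# Constructed example: the post's file with a placeholder home address.
WP_ADMIN_HTACCESS = """\
order deny,allow
deny from all
allow from 203.0.113.45
"""

# Constructed client addresses (documentation ranges, not real hosts).
CLIENTS = {
    "home_pc": "203.0.113.45",
    "phone_on_mobile_data": "198.51.100.23",
    "friend": "192.0.2.9",
}

if __name__ == "__main__":
    for name, ok in lockout_report(WP_ADMIN_HTACCESS, CLIENTS).items():
        print(f"{name:22} {'allowed' if ok else 'denied'}")
```

Two outcomes are worth trying with it: the two-line file without an Order directive behaves the same as the three-line one, because Deny,Allow is Apache's default; but with `order allow,deny` the Deny wins and every address, including your own, is shut out, which is exactly the "blocked the world" symptom the post tells you to test for.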