So many of our clients have sent us articles about WordPress sites being under attack. There is a large coordinated attack currently going on. This attack takes advantage of the fact that older installations of WordPress gave the first user account on the site the username “admin”. Combined with the fact that most people choose really weak passwords, the attack uses a “brute force” method of trying to get in: by assuming a username of “admin”, the bots repeatedly guess the password until one of the guesses gets in.
Clients on our WordPress hosting have absolutely nothing to fear, as this type of attack is exactly what the server is built to protect against. One method of prevention is the limit our server places on failed login attempts: if someone tries to log in and fails 3 times in a row, they are locked out for 20 minutes. When a bot hits this, it moves on to find an easier target. Our WordPress server also requires strong passwords; they are not optional as they are in the standard installation of WordPress. In the extremely unlikely event that a client site on our WordPress hosting did get hacked, we could restore the site extremely fast because of the automated backups we have.
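To make the lockout rule above concrete, here is an added example (not the hosting company's code and not part of WordPress) that applies the same policy, three consecutive failures followed by a 20-minute lockout, to a constructed list of login events. Keying the counter on the client's source address, and starting the 20-minute timer at the failing attempt, are assumptions; the post does not say how its server does either. The second function counts failed attempts against the legacy “admin” account, which is the cheap signal a site owner would watch for in their own login logs during this campaign.

```python
"""Failed-login lockout tracker (example code, not the hosting company's
implementation): 3 consecutive failures from one source address lock that
address out for 20 minutes, matching the policy described in the post."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # failures allowed before lockout (from the post)
LOCKOUT = timedelta(minutes=20)  # lockout duration (from the post)


class LoginGuard:
    """Tracks consecutive failures per client address and enforces lockouts.

    Keying on the source address is an assumption made for this example.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)   # address -> consecutive failures
        self.locked_until = {}             # address -> time the lockout expires

    def attempt(self, addr, success, now):
        """Record one login attempt and return the decision taken."""
        until = self.locked_until.get(addr)
        if until is not None:
            if now < until:
                return "locked"            # still inside the lockout window
            del self.locked_until[addr]    # window expired: start counting again
            self.failures[addr] = 0
        if success:
            self.failures[addr] = 0        # a good login clears the counter
            return "ok"
        self.failures[addr] += 1
        if self.failures[addr] >= self.max_failures:
            self.locked_until[addr] = now + self.lockout
            self.failures[addr] = 0
            return "lockout"               # this failure triggered the lockout
        return "fail"


# Constructed sample log, in chronological order:
# (timestamp, source address, username, password correct?)
SAMPLE_EVENTS = [
    ("2013-04-12T10:00:00", "203.0.113.7", "admin", False),
    ("2013-04-12T10:00:01", "203.0.113.7", "admin", False),
    ("2013-04-12T10:00:02", "203.0.113.7", "admin", False),  # third failure
    ("2013-04-12T10:00:03", "203.0.113.7", "admin", False),  # rejected, locked
    ("2013-04-12T10:05:00", "198.51.100.2", "editor", False),  # real user typo
    ("2013-04-12T10:05:10", "198.51.100.2", "editor", True),   # success resets
    ("2013-04-12T10:19:59", "203.0.113.7", "admin", False),  # still locked
    ("2013-04-12T10:20:05", "203.0.113.7", "admin", False),  # window expired
]


def replay(events, guard=None):
    """Feed a chronological event list through the guard; return decisions."""
    guard = guard or LoginGuard()
    decisions = []
    for ts, addr, _user, ok in events:
        decisions.append(guard.attempt(addr, ok, datetime.fromisoformat(ts)))
    return decisions


def count_admin_probes(events):
    """Failed attempts against the legacy 'admin' account: a cheap indicator
    that a site is being hit by the campaign the post describes."""
    return sum(1 for _ts, _addr, user, ok in events if user == "admin" and not ok)


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{event[0]} {event[1]:>13} {event[2]:<7} -> {decision}")
    print("failed 'admin' attempts:", count_admin_probes(SAMPLE_EVENTS))
```

Running the sample shows why the policy is effective against this kind of bot: after three guesses the source sees nothing but `locked` for the next 20 minutes, so a guessing campaign that needs thousands of tries per account gets almost no throughput, while the legitimate user who mistypes once is unaffected because a successful login clears the counter.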
For our older clients, whose sites we built a few years ago and which still have the default “admin” user account, we are going back and removing that default “admin” account. We do, however, already have a strong password in place on all WordPress installations.
This attack is going after the low-hanging fruit, and because of how popular WordPress is, there is a lot of fruit to be had. However, we don’t feel any of our client sites are at much risk from this attack, and what little risk there is we are working to mitigate.