So, there’s plenty of news about the 90,000 node bot that’s currently trying to gain admin access to WordPress sites by brute-force guessing admin passwords. Since WordPress is a popular content management system used to run many blogs and websites, chances are a number of technical writers in our community are dealing with, or will need to deal with, mitigating the threat from this attack.

There are a number of things you can (and should) do to harden your site, the most important being to USE STRONG PASSWORDS!

I installed the Limit Login Attempts plugin more out of curiosity. I’ve seen it recommended in a number of places, but was curious what it would do against a 90,000 node bot. Seems to me like it wouldn’t be that effective…

Still, moments after installing, I get this report:

[Screen capture: IP addresses locked out of the site]

Each lockout blocks an IP address from logging in (or even trying to) for 20 minutes. After 4 lockouts, that IP is banned for a much longer period.
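To make the lockout policy concrete, here is an added simulation of the per-IP rule the post describes. It is example code written for this post, not code from the Limit Login Attempts plugin. The 20 minute lockout and the "4 lockouts, then a much longer ban" rule come from the post; the number of failed attempts that triggers a lockout (4) and the length of the long ban (24 hours) are assumptions, as are the sample IP addresses. Running it shows two things the screen capture alone does not: how many guesses a single address gets before it is shut out, and why a per-IP lockout caps guesses per source address rather than in total, which is the limitation against a 90,000 node bot raised above.

```python
"""Simulation of a per-IP login lockout policy (added example, not plugin code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LOCKOUT_SECONDS = 20 * 60          # stated in the post: each lockout lasts 20 minutes
LOCKOUTS_BEFORE_LONG_BAN = 4       # stated in the post: after 4 lockouts the ban gets much longer
FAILURES_PER_LOCKOUT = 4           # ASSUMPTION: failed attempts that trigger one lockout
LONG_BAN_SECONDS = 24 * 60 * 60    # ASSUMPTION: length of the "much longer" ban


@dataclass
class IpState:
    failures: int = 0          # failed attempts since the last lockout or success
    lockouts: int = 0          # lockouts issued to this IP so far
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LockoutTracker:
    state: Dict[str, IpState] = field(default_factory=dict)
    # (time, ip, lockout length in seconds), in the order lockouts were issued
    lockout_log: List[Tuple[float, str, int]] = field(default_factory=list)

    def attempt(self, ip: str, now: float, success: bool) -> bool:
        """Process one login attempt.

        Returns True if the attempt reached the password check (the attacker
        got a guess), False if it was rejected because the IP is locked out.
        """
        st = self.state.setdefault(ip, IpState())
        if now < st.locked_until:
            return False                      # locked: no password check at all
        if success:
            st.failures = 0                   # a good login clears the failure count
            return True
        st.failures += 1
        if st.failures >= FAILURES_PER_LOCKOUT:
            st.failures = 0
            st.lockouts += 1
            duration = (LONG_BAN_SECONDS if st.lockouts >= LOCKOUTS_BEFORE_LONG_BAN
                        else LOCKOUT_SECONDS)
            st.locked_until = now + duration
            self.lockout_log.append((now, ip, duration))
        return True

    def report(self, now: float) -> List[Tuple[str, int]]:
        """Currently locked IPs with seconds remaining, like the plugin's lockout screen."""
        return sorted((ip, int(st.locked_until - now))
                      for ip, st in self.state.items() if now < st.locked_until)


def run(events: List[Tuple[float, str, bool]]):
    """Feed (time, ip, success) events through a fresh tracker.

    Returns (tracker, number of attempts that reached the password check).
    """
    tracker = LockoutTracker()
    allowed = sum(tracker.attempt(ip, t, ok) for t, ip, ok in events)
    return tracker, allowed


def single_ip_hammering(seconds: int):
    """Constructed scenario: one address guesses once per second, always wrong."""
    events = [(float(t), "203.0.113.7", False) for t in range(seconds)]  # documentation range
    return run(events)


def many_ips_below_threshold(num_ips: int, attempts_each: int):
    """Constructed scenario: many addresses, each staying under the per-IP threshold."""
    events = []
    for i in range(num_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # constructed private-range IPs
        for k in range(attempts_each):
            events.append((float(i * attempts_each + k), ip, False))
    return run(events)


if __name__ == "__main__":
    tracker, guesses = single_ip_hammering(5000)
    print(f"single IP, 5000 attempts: {guesses} guesses reached the password check")
    print("lockouts issued:", tracker.lockout_log)
    print("lockout report at t=4000:", tracker.report(4000))
    _, guesses = many_ips_below_threshold(1000, 3)
    print(f"1000 IPs x 3 attempts: {guesses} guesses reached the password check, "
          f"lockouts: {len(_.lockout_log)}")
```

In the single-address run the attacker gets only 16 guesses in 5000 seconds before the fourth lockout turns into the long ban, which is the behaviour the lockout screen reflects. In the distributed run the tracker never fires, because each address stays below the threshold. Per-IP lockouts are still worth having for the visibility they give, but the thing that actually bounds a distributed guessing campaign is password strength.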

Not the best solution, but it at least shows me that I’m being targeted…

If you host a WordPress site, you really need to make sure you are using strong passwords for your admin accounts. There are also a host of other steps you can be taking to harden your site against attacks.

Please add good resources in the comments!

Plug-ins Worth Considering

  • Limit Login Attempts – Probably a useful plugin in general, but of limited utility against a botnet composed of 90,000 nodes…
  • Better WP Security – This one looks pretty solid and I see it recommended frequently, but make sure you have solid backups and have tested recovery before throwing it on an established site. …And yeah, read the manual first.

In The News

