A day ago, I bumped into a blog post from HostGator reporting a Global WordPress brute force attack.
What a lazy soul I was!
I procrastinated on taking precautionary measures and BAM!
I saw my brand new blog attacked and broken into. Before the attack had happened, and before I got to see the message "account has been suspended for my-blog.com" when I attempted to log in to the admin dashboard, I experienced a weirdly sluggish load time in my admin panel. Also, while I tried uploading a template, I was shown a message saying "WordPress Violation" and then the site just crashed.
I got the whole thing fixed through my hosting provider. They just reinstalled the blog for me, and I have now set it up on Joomla.
I was very lucky because there was no data for me to lose, as it was a brand new blog.
So, my dear co-bloggers, this post is to help you make sure that you do not end up in the same boat as I did.
I went back and re-read the post by HostGator and another by CloudFlare. They say the attack is a large-scale one: a botnet of compromised home PCs is hammering WordPress login pages, and every hosting server it manages to break into can be added to the botnet, which is what makes the brute force attack spread so virally. The attackers are still anonymous and nobody knows when this whole WordPress attack hoopla will cease. All that is in our control is taking some precautions to dodge the attack.
Ensure that your blog is safe from the WordPress brute force attack
Change the admin username – PCMag reports that the most targeted accounts are those with the usernames 'admin', 'test', 'administrator' and others like these. If your admin login username is one of these, the first thing to do is change it.
There are many ways to do this, including installing a WordPress plugin, but the easiest is to create a new user account, give it the Administrator role, log in as that new user and then delete the old 'admin' user. When WordPress asks what to do with the deleted user's content, choose to attribute it to the new account so that none of your posts disappear.
Make a stronger password – Check that your existing password meets the WordPress password guidelines. If you are not sure what they are, go to your user profile and scroll down to the 'About Yourself' section, where you are given the option to set a new password; the guidelines appear right there as an italic 'Hint'. While changing the password, make sure the strength indicator goes green. A long passphrase that you use nowhere else is the single most effective defence here, because a brute force attack only succeeds if the password is guessable.
Upgrade the CMS – Upgrading to the latest version of WordPress closes the publicly known vulnerabilities that automated attacks exploit once they get a foothold, so it reduces the chances of your site being compromised. Note that an upgrade does not stop password guessing by itself: a brute force attack only needs a weak password, so this step works together with the username and password changes above, not instead of them.
Deploy two-factor authentication – With two-factor authentication, a login needs a one-time code in addition to the password. The code is sent to your mobile phone (or generated by an app on it) when you attempt to log in, so a guessed password alone is not enough to get in. You can implement this by installing a plugin (check for one in the WordPress plugin directory) on your blog.
Use security plugins – There are many security plugins that can come in handy against brute force attacks, like WordPress Firewall 2, Limit Login Attempts and the Sucuri WordPress Security Plugin. Consider activating one or more of them for an extra layer of security. Keep in mind that a plugin which only counts failures per IP address will not notice a botnet spreading its guesses over many home PCs, so treat it as a supplement to the stronger password and two-factor authentication, not a replacement.
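To make the "limit login attempts" point concrete, here is an added example of my own (not code from any of the plugins named above, nor from WordPress) that simulates what such a plugin does on the server: it counts failed logins per source IP and per username and locks either one after too many failures. The thresholds, IP addresses and attempt sequences are constructed for the demo. It shows why a per-IP limit alone is weak against the botnet described in the HostGator and CloudFlare posts, and what a per-account lockout costs you.

```python
from collections import defaultdict

# Thresholds are assumptions chosen for this demo, not any plugin's defaults.
WINDOW_SECONDS = 600      # failures older than this are forgotten
MAX_FAILS_PER_IP = 5      # lock an IP after this many failures in the window
MAX_FAILS_PER_USER = 10   # lock an account after this many failures in the window
LOCKOUT_SECONDS = 900     # how long a lock lasts


class LoginThrottle:
    """Tracks failed wp-login.php attempts per source IP and per username."""

    def __init__(self):
        self._fails = {"ip": defaultdict(list), "user": defaultdict(list)}
        self._locked_until = {"ip": {}, "user": {}}

    def _recent(self, kind, key, now):
        """Drop failures outside the window and return the remaining timestamps."""
        stamps = [t for t in self._fails[kind][key] if now - t < WINDOW_SECONDS]
        self._fails[kind][key] = stamps
        return stamps

    def _is_locked(self, kind, key, now):
        return self._locked_until[kind].get(key, 0) > now

    def attempt(self, ip, username, password_ok, now):
        """Process one login attempt and return the decision:
        'locked-ip' or 'locked-user' (rejected before the password is checked),
        'ok' (correct password) or 'fail' (wrong password, counted)."""
        if self._is_locked("ip", ip, now):
            return "locked-ip"
        if self._is_locked("user", username, now):
            return "locked-user"
        if password_ok:
            # a successful login clears the counters for this IP and account
            self._fails["ip"][ip] = []
            self._fails["user"][username] = []
            return "ok"
        for kind, key, limit in (("ip", ip, MAX_FAILS_PER_IP),
                                 ("user", username, MAX_FAILS_PER_USER)):
            stamps = self._recent(kind, key, now)
            stamps.append(now)
            if len(stamps) >= limit:
                self._locked_until[kind][key] = now + LOCKOUT_SECONDS
        return "fail"


def replay(throttle, events):
    """Feed (timestamp, ip, username, password_ok) tuples and count decisions."""
    counts = defaultdict(int)
    for now, ip, user, ok in events:
        counts[throttle.attempt(ip, user, ok, now)] += 1
    return dict(counts)


# Constructed sample 1: one home PC hammering the 'admin' account, 8 tries.
SINGLE_SOURCE = [(t, "198.51.100.7", "admin", False) for t in range(0, 80, 10)]

# Constructed sample 2: a botnet of 12 PCs, each guessing 'admin' just once.
DISTRIBUTED = [(i * 5, f"203.0.113.{i + 1}", "admin", False) for i in range(12)]


def owner_after_botnet():
    """The real owner logs in with the right password right after the botnet run."""
    throttle = LoginThrottle()
    replay(throttle, DISTRIBUTED)
    return throttle.attempt("192.0.2.10", "admin", True, 60)


if __name__ == "__main__":
    print("single source:", replay(LoginThrottle(), SINGLE_SOURCE))
    print("botnet:       ", replay(LoginThrottle(), DISTRIBUTED))
    print("owner afterwards:", owner_after_botnet())
```

The single PC is cut off by the per-IP rule after five guesses. The botnet never trips that rule, because each PC only guesses once; only the per-account rule stops it, and it does so by locking the 'admin' account, so the legitimate owner is locked out too. A botnet can therefore deny you your own dashboard at will, which is why the renamed admin account, the long passphrase and two-factor authentication are the primary defences and the lockout plugin is the backstop.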
It's high time you took a quick step to prevent the global WordPress brute force attack from hitting your blog, unless you want to find yourself repenting like me in no time. I was lucky that it was only a new blog that got compromised; you may not be.
Do share your ideas for improving WordPress security, if any, and also your experience if you have been unlucky with this viral attack, in the comment box below.
One of the readers suggested in the comments that we must have a backup plugin ready, just in case we happen to lose all of the blog's data.
Thank you, Naveen, for the advice. I was unaware of this simple tip. I'm sure it added great value for all of us.
Another reader posted another nice suggestion. Samir advises installing a CAPTCHA on the login panel. Thanks, Samir.