WordPress NoEntryOver the past few days there has been a large attack against WordPress and Joomla websites, supposedly in an attempt to compromise the servers and build a hugely powerful botnet.

The hacking effort is using a dictionary attack to brute force the passwords of the default administrator account.

We have several recommendations owners of any content managed website should take, but especially WordPress sites as these have been the focus of the attack:

  • Passwords should be strong. Ideally that means randomly generated, 10+ characters in length and include both upper and lower case, numbers and special characters (!#@?&*^%$;+£).
  • Change the username of the administrator account so it is not the default (or other common names including, admin, administrator, root, test, wordpress).
  • Restrict the rate of login attempts. By defulat there is no limit to the number or speed with which login attempts can be made, we recommend using either mod_security or a plugin like Better WordPress Security.

If you have a WordPress Maintenance Plan with Orbits, we have already taken these steps and your site should be safe. If you’d like any help maintaining or securing your site, just drop us a line, or call us on 02920 003313.

This particular attack doesn’t seem to have targeted vulnerabilities in the WordPress software or any particular plugin, but it’s wise to keep your installation up to date as out of date systems are always a target for hackers.

More information is available at PC Magazine and some technical details at Securi.