You may have seen the news reports during the last 72+ hours about a “massive” “global” “distributed” brute force attack on WordPress systems.
Brute force attacks are ongoing, and this is simply an increase in frequency. To protect yourself, make sure all default accounts like “admin” have been deleted or renamed and that your passwords are very difficult to guess. A brute-force attack is a relatively unsophisticated attack where one or more remote machines try to guess your password.
The more successful attacks are attacks where a back-door known only to a hacker (a zero day vulnerability) is exploited to gain access to your system without logging in. The Timthumb vulnerability which I discovered and fixed last year is an example of this. I haven’t seen any reports of a new “zero day” vulnerability being exploited in this attack.
The nature of the attack does suggest that a large portion of the brute force attacks currently underway may be originating from an individual or a single group. If successful this will result in a single individual or group having access to a large distributed network of compromised WordPress servers on relatively high bandwidth links. They can then launch further attacks from this platform. However, whether the attacks are being orchestrated by one person or one group should not affect how you protect yourself.
In this case:
- Install Wordfence and configure lock outs for multiple login attempts
- Make sure your “admin” account has been renamed.
- Make sure all your passwords are difficult to guess.
- Make sure you’ve disabled and deleted all unused themes and plugins.