There have now been several large scale WordPress wp-login.php brute force attacks, coming from a large amount of compromised IP addresses spread across the world since April 2013.
A large botnet of around 90,000 compromised servers has been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard.
You can quickly review WordPress login attempts to see if your site has recently been under attack.
Global WordPress brute force attack
This issue is not isolated to InMotion Hosting, and was affecting multiple providers.
General WordPress brute force protection
While we do HIGHLY recommend implementing as many secure solutions as possible for WordPress. The following guides would be a great first step in protecting yourself and your WordPress site from further attacks.
InMotion Hosting’s defense plan
Our senior system administration team has rolled out a fleet wide security policy to help contain these attacks.
We are proactively protecting our customers to help stop the spread of further attacks. These malicious bots are trying to break into one WordPress site, and then using it as part of the botnet to begin attacking other sites.
InMotion Hosting customers locked out of WordPress, please follow this specific guide:
Helping the community
I took place in an almost 2 hour Google+ hangout with the WordPress Bay Area Foothills Meetup Group consisting of some InMotion customers as well as other WordPress users.
In this hangout I covered this WordPress brute force attack, and walked them through this article as well as answered other WordPress security related questions.
10 recommended steps to lock down and secure WordPress
1. Use a strong password
Minimum password recommendations:
Example weak password: secret1
Improved strong password: Z#hupsZ2M4!Z
Take a look at how to create a secure WordPress admin password for easy steps.
2. Change default WordPress admin username
When installing WordPress by default the administrator user has the username of admin.
The botnet attack is currently only targeting this default username, so even having an administrator username of admin123 could signifiantly reduce the likilhood of your site being succesfully logged into by a malicious user.
3. Lock down WordPress admin access with .htaccess
Utilizing a WordPress brute force plugin for this type of attack is not very efficient, and in some cases can actually lead to your site becoming unavailable due to the large amount of processing power used to attempt to challenge each and every malicious login attempt.
Setup a secondary level password to prevent unauthorized WordPress wp-admin and wp-login.php attempts.
Or you can rely on the information we have on limiting WordPress admin access with .htaccess.
4. Temporaily disable CPU intensive login limit plugins
Blocking this attack with .htaccess rules is the preferred method, as login limiting plugins can not only lead to issue with triggering our own internal security rules, but they also will not be effective in this type of large scale attack.
5. Scan website for hacks, check Google Safe Browsing
If your WordPress site had been successfully compromised, a clear indication will usually be found either by a surface security scan of the website, or it will also get reported to Google’s Safe Browsing.
Check Google’s safe browsing for your domain, at google.com/safebrowsing/diagnostic?site=example.com
6. Setup CloudFlare DNS level protection
Due to the large scale of this botnet attack, CloudFlare has offered DNS level filtering for this attack on all of their free accounts.
While probably not an ideal solution if you have many WordPress sites due to having to update the name servers for each domain, and then waiting typically 24-36 hours for DNS propagation. Single site owners might benefit greatly from this type of protection which should block the botnet requests from even making it to the server in the first place.
7. Backup WordPress
At this point it’s probably a good idea to backup WordPress just in case. That way, as the attacks continue, you’re ensured that you always have a good point to restore back to in the event something goes bad.
Backing up your data
Restoring your data
8. Update everything WordPress
To protect yourself from any known exploits to WordPress you should update everything related to WordPress:
Necessary updates to make:
9. Clean up hacks
If your website has been the victim of a hack, you can follow my guide on how to reinstall WordPress after a hack for steps on cleaning it up and getting back in business.
10. Other general WordPress recommendations
Hopefully your WordPress website should be locked down and secure now, which should help prevent our own internal security rules from blocking your own access to your WordPress admin.