There is currently a very large, ongoing attack against WordPress websites. It’s been going on for a while now, but has severely escalated in the last week.
Basically, there are illegal “bots” (automated computers) attempting to brute force their way into WordPress websites. What this means is that someone has a computer set up to try to log in to WordPress sites. “Brute force” just means that it will sit there and keep trying usernames and passwords, hundreds per minute, until it finds a combination that gets in.
If you use a very easy password, this won’t take long. If you have a complex password, it may take them a long time or be nearly impossible. If you missed my recent blog post about password security, check it out.
If you have a WordPress site, what can you do? There’s a free plugin called “Limit Login Attempts” which tracks failed login attempts, and if there are a certain number of them (4 or 5) in a short period of time, it will block the IP address for 24 hours. You’ll also want to make sure that you’re as up to date as possible, including your WordPress core and plugins. You also want to be sure you’re doing regular backups of your site. I recommend the Backup Buddy plugin for that.
If you’re an active client of mine, then I’ve already taken care of that. If you’ve got a WordPress site and you’d like some help hardening up the security, please let me know – that is a service I can most certainly provide. Please feel free to contact me if you need assistance.
Why are WordPress sites under attack? It’s a “free” blog/content management platform, so does this mean it’s insecure? Absolutely not. I’ve gone through a lot of WordPress training in the last few months, and it’s a VERY secure system. But it’s also VERY common: over 80 million websites, and 1 in 5 new websites are using it. So if you’re going to hack something, and it’s a gamble about who you might be able to hack, you might as well go for what’s most common to get the most results. And that’s why they target popular software.
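The lockout rule described above for Limit Login Attempts (a handful of failed logins in a short period, then a 24-hour block) can also be run over a web server access log to see which addresses would be blocked. This is an added example, not the plugin's own code; the threshold of 4, the 5-minute window, and treating a POST to /wp-login.php answered with HTTP 200 as a failed login are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values (not from the post): a 5-minute window, and a failed login
# appearing in the log as POST /wp-login.php answered with HTTP 200.
THRESHOLD = 4                    # failed attempts before a block ("4 or 5")
WINDOW = timedelta(minutes=5)    # assumed meaning of "a short period of time"
LOCKOUT = timedelta(hours=24)    # block duration given in the post
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Constructed sample access log (documentation IP ranges, made-up times).
SAMPLE_LOG = """\
192.0.2.5 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.7 - - [01/Jan/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.5 - - [01/Jan/2024:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.5 - - [01/Jan/2024:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.5 - - [01/Jan/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
"""

def find_lockouts(log_text):
    """Return {ip: block_end} for IPs reaching THRESHOLD failures within WINDOW."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    locked = {}                  # ip -> datetime at which the block expires
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue             # only failed login submissions are counted
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked and when < locked[ip]:
            continue             # already blocked, nothing more to count
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= THRESHOLD:
            locked[ip] = when + LOCKOUT
            q.clear()
    return locked

if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG))
```

Only the address with four failures inside the window is blocked; the address that mistyped once and then logged in, and the one whose failures are ten minutes apart, are not. That second case is why slow attacks still need strong passwords.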