According to an article in Ars Technica, security experts at several companies are warning of a widespread attempt to compromise and take over WordPress administration accounts. The bad guys are using a separate botnet (presumably one comprised of compromised home machines) to run brute force attacks on WordPress installations across the web.
According to CloudFlare’s Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username “admin” and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.
Because of the relatively basic nature of the attack, those who change the admin name from the default (“admin”) and use secure passwords are not exposed to it. (It’s best to follow WordPress’s suggestions on password security, or to use some other relatively rigorous system for deriving your password.*)
And, obviously, this hacking attempt exploits human weakness — not an exploitable weakness in the WordPress content management system itself.
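Because each bot in the attack described above makes only a handful of attempts, a per-IP lockout rule never fires; what does stand out is many distinct sources hitting the login page in the same window. The following is an added example (not code from the original post or from WordPress) that runs both rules over a constructed Apache-style access log; it assumes a 200 response to a POST on wp-login.php is a failed login and a 302 is a success.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '  # Apache combined log
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"], e["status"] = datetime.strptime(e["ts"], TS_FMT), int(e["status"])
    return e

def failed_logins(lines):
    """POSTs to wp-login.php answered 200 (form re-rendered) = failed attempt (assumption)."""
    # The username tried ("admin" in this attack) is in the POST body, not in an access log.
    for e in filter(None, map(parse_line, lines)):
        if e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php" and e["status"] == 200:
            yield e

def per_ip_lockouts(lines, threshold=5):
    """The usual per-source rule: IPs with more than `threshold` failures in total."""
    counts = Counter(e["ip"] for e in failed_logins(lines))
    return sorted(ip for ip, n in counts.items() if n > threshold)

def distributed_bruteforce(lines, window=timedelta(minutes=5), min_total=20, min_sources=10):
    """Flag windows where many distinct sources each try a few passwords: the botnet
    pattern described above, which stays under any per-IP lockout threshold."""
    secs, buckets = int(window.total_seconds()), {}
    for e in failed_logins(lines):
        start = int(e["ts"].timestamp()) // secs * secs
        buckets.setdefault(start, Counter())[e["ip"]] += 1
    alerts = []
    for start, ips in sorted(buckets.items()):
        if sum(ips.values()) >= min_total and len(ips) >= min_sources:
            alerts.append({"window_start": datetime.fromtimestamp(start, timezone.utc),
                           "attempts": sum(ips.values()), "sources": len(ips),
                           "max_per_ip": max(ips.values())})
    return alerts

def constructed_log():
    """Constructed sample log: one real login (302), then 12 sources each posting 2-3 failures."""
    row = '{} - - [12/Apr/2013:10:{:02d}:{:02d} +0000] "POST /wp-login.php HTTP/1.1" {} 3512 "-" "-"'
    lines = [row.format("192.0.2.10", 0, 0, 302)]
    for n in range(12):
        lines += [row.format(f"203.0.113.{n + 1}", 1, n * 5 + k, 200) for k in range(2 + n % 2)]
    return lines
```

On the constructed log, `per_ip_lockouts` returns nothing while `distributed_bruteforce` reports one window with 30 attempts from 12 sources, none making more than 3.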
Still, it’s never too late to check your own password. Hackers halfway around the world probably won’t know your dog’s name or the name of your high school team, but your ex-spouse, co-workers and many more folks just might. And if they want to play a ‘little trick’ on you, obvious user names and passwords make that easy.
(Don’t forget that the fellow who got federal time for ‘hacking’ Sarah Palin’s email account simply found her email address and then guessed her password, which, if we recall correctly, was something really obvious like a pet or kid name. That it was easy didn’t keep him out of federal prison, though.)
You can be assured that TKM WebWorks will be monitoring this situation and, as always, working to keep your sites working and uncompromised, whether they use the WordPress CMS or not.
Ars Technica: Huge attack on WordPress sites could spawn never-before-seen super botnet
* A good, hard-to-crack, all-but-impossible-to-guess password doesn’t have to be hard to remember. You can use random combinations of letters, numbers, and symbols, but that means you’ll probably have to cut and paste it — unless, perhaps, you create a ‘mnemonic’ acronym — a password that ‘stands’ for a phrase. For instance, you could use nitt4agm2c2taotc — almost impossible to guess (or remember) unless you know it stands for now is the time for all good men to come to the aid of the country. (Obviously, you don’t want to use a phrase like that one, which will pop to the lips of many. You want one that you can remember but that isn’t ‘obvious.’)
Another system for creating quite secure passwords is to simply create a phrase of four or more unrelated words. (Of course you can also stick numbers or other characters in such a phrase, making it even harder to guess.) Such pass phrases may not be quite as secure as random strings of characters, numbers, and symbols, but they nonetheless require long periods of dictionary attack to crack. (So-called dictionary attacks take valuable resources and considerable processing time, and so are typically the province of targeted attacks — not the sort of random, low-hanging-fruit collection of the WP attack referenced above.)