Global Resources, LLC Scam Update: WordPress Sites Are Under Attack

Our site, like many of our clients’ sites, features a WordPress blog.  Recently, we become aware that there are ongoing ‘brute force attacks’ aimed at a weakness in this platform, specifically, that WordPress allows unlimited sign-in attempts on the login page.  In this type of hacking, someone is running a program that utilizes a list of common passwords, words or letters and the bot cycles through them until gaining access.  It can run for hours, days, weeks or months.

HostGator, a major website hosting provider, reported last month that this is a well-organized, global attack on WordPress and that it has compromised over 90,000 WordPress blogs.  The reason behind the attack is unknown, as gaining administrative access to numerous blogs is not that useful, in itself, but there has been speculation that the sheer number of hacked sites may be used for mass disruption such as denial-of-service attacks in the future.

Time For Some Good News

As terrible as it sounds—brute force, this actually the least sophisticated form of hacking.  The blogs that have been vanquished were mainly due to poor username and password choices.  Number one being the bad habit of keeping the old default WordPress username of ‘admin’ (it is no longer the default, as of three years ago, with the release of WordPress 3.0).  There appears to be maybe 100 common passwords being tested by this attack, as well, such as ‘123456,’ ‘12345678,’ ‘qwerty (the top left letters on your keyword),’ and ‘abc123’ among others.

The Easy Fix:  Do Not Use ‘Admin’ As Your Username

To be better protected than the majority of WordPress bloggers out there you need only to employ a username that is not ‘admin’ (if you are still using ‘admin,’ just add a new user with admin access and then delete the old ‘admin’ user) and follow the standard advice to select a strong password by making it a combination of letters, numbers and symbols.

Be aware that your password should also not be too short or in the dictionary (as some of these attacks utilize dictionary programs to search for passwords).  If you’re uncertain of how to create a strong password, check out the many available password generators.  This is the quick and easy fix.

For the More Tech Savvy…

You may wish to investigate installing a WordPress plugin such as Limit Login Attempts, which would allow you to limit logins to a reasonable number—say three attempts within a set amount of time, or set up a two-part security authorization for login.