Wordpress under attack

**SimonMac** · 15 April 2013, 10:06

I assume like the majority of attack these day's people exploit the laziness or lack of knowledge that most people have, I am using WordPress › Better WP Security « WordPress Plugins to take the basic vulnerabilities away

**yasockie** · 15 April 2013, 10:30

or get Wordpress hosted on wordpress.com or even get wordpress VIP (see qz.com as an example - they're not getting hacked, are they?)
It's an interesting thing, because WP is so popular it makes sense to attack.
Custom or less popular systems are not really any more or less secure, they're just less popular so that there is less incentive to attack them..

**d000hg** · 15 April 2013, 10:57

Originally posted by yasockie View Post

Custom or less popular systems are not really any more or less secure, they're just less popular so that there is less incentive to attack them..

I think in general they are very much less secure because they don't have all the holes found and fixed, and they don't have a team continually working on them and rigourously testing the security.

**SimonMac** · 15 April 2013, 11:19

Its like the old story about Mac's not needing Anti Virus because there are less of them so they are less appealing targets for hackers etc. One vulnerability on a system with hundreds of millions of users is a better return than dozens of vulnerabilities on a system with a few thousand users.

**Sysman** · 15 April 2013, 12:11

Originally posted by SimonMac View Post

Its like the old story about Mac's not needing Anti Virus because there are less of them so they are less appealing targets for hackers etc. One vulnerability on a system with hundreds of millions of users is a better return than dozens of vulnerabilities on a system with a few thousand users.

It depends what the bad guys' aims are.

Stuxnet demonstrated that for high value or strategic systems it can be worth a lot of effort targeting relatively few systems.

**administrator** · 15 April 2013, 13:38

From the article:

..those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

So they are just using brute force - no new-found security flaws with WP, just bad password management.

**Jessica@WhiteFieldTax** · 15 April 2013, 13:52

I run our firms web site in WordPress.

I have an alert on bogus logins, and last week in went into overdrive

Fortunately I have security plugins, including IP banning after 5 incorrect logins.

One basic additional thing I've done though - and in retrospect it seemed so basic that I don't know why I didn't do it before - is to loose the "admin" user name.

But brute force is difficult to resist. Interestingly another WP site I administer had only 1/10th the number of bogus logins. Its older, but less content and less prominent on search engines.

**ThomserveBAS** · 16 April 2013, 11:23

Originally posted by SimonMac View Post

I assume like the majority of attack these day's people exploit the laziness or lack of knowledge that most people have, I am using WordPress › Better WP Security « WordPress Plugins to take the basic vulnerabilities away

Thanks for the tip about Better WP Security - I've installed it on my network of sites so hopefully improved security a little.

**NickFitz** · 16 April 2013, 18:51

Originally posted by Jessica@WhiteFieldTax View Post

One basic additional thing I've done though - and in retrospect it seemed so basic that I don't know why I didn't do it before - is to loose the "admin" user name.

This is, it seems, the single most important thing to do in the face of this attack. Here's some wisdom from Matt Mullenweg, creator of WordPress, on the matter; and an explanation of how to go about it, including the all-important step of changing attribution of existing posts so they don't disappear: Change your WordPress admin Username

Do remember to backup your database first, too

EDIT: done mine

Would have gone more smoothly if I'd remembered the bit about logging out, then back in as the new administrator - turns out WordPress won't let you delete the user you're logged in as

Wordpress under attack