
OT: WordPress Brute Force Attacks

Apr 19, 2013 12:01 PM

Tags: #wordpress #hackers

I received this from my web host.  Thought I would pass it along to all interested WordPress users.

 

Since yesterday morning, [My Hosting Company]'s internal monitoring systems reported that WordPress users were subject to an unusually high number of attacks. Brute force attacks occur through exploited accounts at other hosting companies. The attacks are attempts to find users that have weak passwords and outdated installations. Once the attacker has found a WordPress account with a weak password, it’s used to gain access to the administration panel. Outdated versions of WordPress scripts are exploited and used to attack other hosting companies.

[My Hosting Company] has implemented additional security tools and is carefully monitoring traffic. However, the best form of protection against these attacks begins at the customer level. A tutorial for securing your WordPress is posted at http://www.lpwebhosting.com/blog/bulletproofing-your-wordpress-site-against-a-brute-force-attack.

This particular attack is focused on WordPress users. It’s important to note that the attacks could just as easily be focused on any application. The reports are not limited to our network. Reports from all of the major hosting companies confirm that this is a widespread situation.

 

 

Nancy O.

 
Replies
  • Apr 19, 2013 12:40 PM   in reply to Nancy O.

    I read the following in late March:

     

    http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

     

    And I have advised my clients to use at least 9 characters in their passwords.

     

    I have my hosting provider's password generator create passwords for my accounts. Since Dreamweaver is very good at storing these and also since they're available in plain text with Keychain Access on my Mac (good job, Adobe programmers!) I can always retrieve them.

     

    The generated passwords are at least 12 characters long, contain both upper and lower case characters, symbols, punctuation and the like.

     

    Of course if this is a DDOS attack, that won't help…

     
  • Apr 19, 2013 9:22 PM   in reply to mhollis55

    You could get your clients to use something like KeePassX  and generate maximum length random passwords for each of their accounts.

     