WordPress websites around the world are currently the target of a coordinated botnet attack. The brute-force attack is targeting WordPress administrative login portals: the attacker tries to log in with the username “admin” in combination with many thousands of the most common passwords.
WordPress is the most popular content management system in use on the web, powering more than 60 million websites. By default it is set up with “admin” as the administrator username. Although WordPress has let users pick a custom username at installation for over three years now, the attackers are relying on many sites still using the default “admin”. So far, this default-username weakness is fuelling the growth of an unusually powerful botnet thought to be made up of around 90,000 web servers.
Botnets are used for malicious purposes such as spreading malware and launching distributed denial-of-service (DDoS) attacks, whereby a machine or network becomes unavailable to its intended users.
Right now there’s a botnet going around all of the WordPresses it can find trying to login with the ‘admin’ username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell ‘solutions’ to the problem)
- Matt Mullenweg, founder of WordPress.
WordPress users are urged to change their username if they are using “admin”, use a strong password and update to the latest version of the software.
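As an added example for this article (not code from WordPress or from any vendor mentioned above), the following Python script shows how a site operator could spot this pattern in ordinary web-server access logs. It assumes the Apache/nginx "combined" log format and the WordPress behaviour that a failed login re-renders wp-login.php with HTTP 200 while a successful one redirects with 302; the sample log lines are constructed, and because the username is not recorded in an access log the check keys on the login endpoint rather than on "admin".

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real traffic). A failed
# WordPress login re-renders the form (HTTP 200); a successful one redirects (302).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.10 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.20 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.21 - - [12/Apr/2013:10:02:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_failed_logins(log_text):
    """Yield (timestamp, ip) for each POST to wp-login.php that did not redirect."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] == "302":  # successful login redirects to wp-admin
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"]

def detect_bruteforce(log_text, window_seconds=60, per_ip_threshold=3, distributed_threshold=5):
    """Report noisy single sources and distributed (botnet-style) bursts of failed logins."""
    events = sorted(parse_failed_logins(log_text))
    per_ip = Counter(ip for _, ip in events)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    # Sliding window over all failures: a botnet spreads guesses over many hosts so
    # that each source stays below the per-IP threshold, so count distinct IPs too.
    distributed, start = False, 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
            start += 1
        ips_in_window = {ip for _, ip in events[start:end + 1]}
        if len(ips_in_window) >= distributed_threshold:
            distributed = True
            break
    return {"failed_attempts": len(events), "noisy_ips": noisy_ips, "distributed_burst": distributed}
```

Tune the thresholds to the site's normal login volume; the distributed check is the one that matters against a botnet, since per-IP blocking alone misses sources that only try once or twice each.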