WordPress is under attack

Attacks on websites, their content management systems and their SQL databases are becoming more pervasive. To me it just seems impossible to be able to fully secure a website anymore. Especially when hackers like those from Anonymous can easily break into a number of local and federal government run web properties and deface them at will.

This past week the web hosting company that I host this blog on was under a major bot net attack that affected numerous CMS’s including Joomla and WordPress.

From 1 & 1 Internet Inc. –

Brute Force attacks on WordPress and Joomla installations:

For several days, we’ve encountered an attack on the installations of different Content Management Systems (CMS) which has affected several hosting providers, including 1&1. Currently, WordPress and Joomla installations are affected.

Through a so-called “brute force attack”, attackers are trying to gain access and install malware on the servers.

We have immediately taken countermeasures; therefore, some customers may encounter a reduced availability of the following services:

– Access to customer websites
– FTP access to webspace
– Administration of content management systems such as WordPress and Joomla

For almost two days last week my website was inaccessible. This was part of the countermeasures that 1 & 1 Internet took to disallow the bot net from hammering away on the admin side of my WordPress blog.

When I took to Twitter I could see that the situation had escalated and the frustration was a bit more widespread.


Later that day the company started tweeting about the attack from their Twitter support account.

Eventually full access to my website was returned to me by 1&1. A day later I saw that WordPress co-founder Matt Mullenwug posted about the brute force attacks. It turns out that this attack was not only hitting 1&1, but several major web hosting companies.

I would highly recommend taking his advice going forward:

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

Hopefully we’ll be able to withstand this bot net storm. The ultimate protection I guess would be to implement username and password authentication through an Apache .htaccess file in your wp-admin directory.

Leave a Reply

Your email address will not be published. Required fields are marked *