Wordpress Sites Under Wide-Scale Brute Force Attack 110
New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'"
Further reports available from Immotion hosting and Melbourne server hosting.
Seems like..... (Score:3, Insightful)
limit login attempts (Score:5, Insightful)
advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks
Not being familiar with wordpress, I'll ask why isn't that on by default?
Re:limit login attempts (Score:5, Insightful)
Because it increases the number of support requests dramatically.
Re:limit login attempts (Score:4, Insightful)
>>advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks
> Not being familiar with wordpress, I'll ask why isn't that on by default?
What could be a simpler way to deny an administrator access to his own account than by a "limit login attempts" that limits attempts on a per-account basis (vs a per-IP address basis)?
And if the attack is "one attempt per site per zombie", limiting on a per-IP basis has no teeth.
<ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>