For those of you who are administrators of a WordPress blog, I thought I’d pass this along so you’d know WP is having some problems.
Brute Force Attacks Build WordPress Botnet by Brian Krebs:
Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers….
Matthew Mullenweg, the founding developer of WordPress, suggests site administrators choose a username that is something other than “admin”. In addition, he urged WP.com-hosted blogs to turn on two-factor authentication, and to verify that the site is running the latest version of WordPress. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg wrote.
Even if you’re not a blog administrator, you might want to check out this from Krebs:
These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial.
The top thirteen generically chosen dictionary entries for username and password are as follows:
It’s worth a look at the list (click on the image above), if only to reassure yourself that you haven’t taken chances with any of your own passwords.
Notice also that the attackers are focusing on the username admin, used in 90% of the login attempts, because it’s the default WordPress administrative username.
Go to the links for complete information.
Image from the post by Paul Ducklin.