A significant number of brute-force, dictionary-based attacks are being launched at WordPress blogs worldwide, aiming to guess the password of the 'admin' account that every WordPress site sets up by default.
HostGator's analysis found that this is a well-organized and highly distributed attack; the company believes that about 90,000 IP addresses are currently involved.
"Symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods," explains HostGator's Sean Valant.
To mitigate the attack, administrators are advised to change their passwords and to password-protect all wp-login.php files on the server via .htaccess.
CloudFlare founder and CEO Matthew Prince said that the attackers control about 100,000 bots, and that the company saw attacks on virtually every WordPress site on its network.
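The symptoms quoted above are what the site owner notices; in the web server's access log the attack shows up as a flood of login-form submissions. The following is an added example, not code from the article, HostGator or CloudFlare, that parses Apache combined-format log lines and applies two checks: the usual per-IP rate rule, and a count of distinct source addresses, which is the check that still fires when a botnet of tens of thousands of hosts sends only one or two guesses from each IP. The log lines, addresses and thresholds are constructed for the example.

```python
"""Spot a wp-login.php brute force in Apache access logs.
Added example; the log lines below are constructed, not real server data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_posts(lines):
    """Only form submissions count: POST to wp-login.php (a GET just loads the form)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield rec


def noisy_ips(records, threshold=5, window=timedelta(seconds=60)):
    """Per-source rule: at least `threshold` login POSTs from one IP inside `window`."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def peak_distinct_sources(records, window=timedelta(minutes=5)):
    """Largest number of distinct IPs that POSTed to wp-login.php inside any `window`.
    A botnet of ~90,000 hosts can send one guess per IP and never trip the per-IP
    rule; a jump in distinct sources hitting the login form is what exposes it."""
    events = sorted((r["ts"], r["ip"]) for r in records)
    peak = 0
    for i, (start, _) in enumerate(events):
        sources = {ip for ts, ip in events[i:] if ts - start <= window}
        peak = max(peak, len(sources))
    return peak


# --- constructed sample log (addresses from the documentation ranges) -------
def _line(ip, ts, method="POST", path="/wp-login.php", status=200):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 3514 "-" "Mozilla/5.0"'


T0 = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # one aggressive source: six guesses in 25 seconds
    [_line("203.0.113.5", T0 + timedelta(seconds=5 * i)) for i in range(6)]
    # a distributed crowd: twelve sources, one guess each, spread over two minutes
    + [_line(f"198.51.100.{i + 1}", T0 + timedelta(seconds=10 * i)) for i in range(12)]
    # benign traffic that must not count: loading the form, posting a comment
    + [_line("192.0.2.9", T0, method="GET"),
       _line("192.0.2.9", T0, path="/wp-comments-post.php")]
)

if __name__ == "__main__":
    posts = list(login_posts(SAMPLE_LOG))
    print("login POSTs:", len(posts))
    print("noisy IPs:", noisy_ips(posts))
    print("peak distinct sources in 5 min:", peak_distinct_sources(posts))
```

The thresholds are illustrative and should be tuned against the site's normal login rate. For a campaign of this shape the distinct-source count is the figure to alert on: with 90,000 sources each sending a handful of attempts, the per-IP rule never fires, while the number of different addresses submitting the login form jumps far above anything a real audience produces.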
Here are the steps to password-protect wp-login.php via .htaccess:
There are two steps in accomplishing this. First you need to define a password in the .wpadmin file, and then activate the security in the
- Create a file named .wpadmin (or a name of your choice) and place it in your home directory, where visitors can't access it, for example /home/username/.wpadmin (where "username" is the cPanel username for the account). All domains under the home directory will share this file.
Now enter a username and encrypted password inside the ".wpadmin" file, using the format:
Or, use the following steps to generate a file for you:
- Visit: this link
- Use the form to create the username and password.
- Login to cPanel in another window or tab.
- Click on File Manager.
- Select Home Directory.
- Check Show Hidden Files (dotfiles) if not already checked.
- Click on the Go button.
- Look for a ".wpadmin" file.
- If one exists, right click on it and select Code Edit to open the editor. Click on the Edit button to edit the file.
- If one does not exist, click on New File at the top of the page, and specify the name as ".wpadmin" (with the dot at the front) and click on the Create New File button.
- Paste the code provided from the website in step 2.
- Click on the Save Changes button when complete.
- You can Close the file when finished.
As an alternative, you can create the password file via SSH / the command line, for example:
htpasswd -c /home/username/.wpadmin john
You will then be prompted for the password to use with the username "john" when accessing the wp-login page. Note that -c creates the file and overwrites an existing one, so omit it when adding a second user to a file that already exists.
- Update the .htaccess file in your public folder, for example:
/home/username/.htaccess file. Note: replace "username" above with your cPanel username.
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.wpadmin
    Require valid-user
</FilesMatch>
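The whole procedure above as one runnable example (added here; it is not the article's, cPanel's or HostGator's code). It reimplements the $apr1$ (Apache MD5) password scheme that htpasswd writes, so it runs without htpasswd installed, stores the .wpadmin file outside the web root with owner-only permissions, and emits the .htaccess block with the FilesMatch pattern anchored so that only the exact file name wp-login.php is protected. The home directory, user name and password are placeholders. Where a current htpasswd is available, prefer its bcrypt option (-B), which is a stronger hash than APR1-MD5.

```python
"""HTTP Basic auth in front of wp-login.php: password file plus .htaccess block.
Added example; not code from the article, HostGator or cPanel. Paths are placeholders."""
import hashlib
import os
import secrets
import tempfile

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: `count` characters, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt=None):
    """Apache's $apr1$ variant of md5-crypt, the format `htpasswd -m` writes."""
    pw = password.encode()
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))  # htpasswd uses 8 chars
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, left)])
    bit = len(pw)
    while bit:                       # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):            # fixed stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                        # digest bytes are interleaved before encoding
    enc = (_to64(f[0] << 16 | f[6] << 8 | f[12], 4) + _to64(f[1] << 16 | f[7] << 8 | f[13], 4)
           + _to64(f[2] << 16 | f[8] << 8 | f[14], 4) + _to64(f[3] << 16 | f[9] << 8 | f[15], 4)
           + _to64(f[4] << 16 | f[10] << 8 | f[5], 4) + _to64(f[11], 2))
    return f"$apr1${salt}${enc}"


def verify(password, stored):
    """Compare a candidate with a stored $apr1$ hash without leaking timing."""
    if not stored.startswith("$apr1$"):
        return False
    return secrets.compare_digest(apr1_md5(password, stored.split("$")[2]), stored)


def htaccess_block(passwd_file):
    """Directives for the site's .htaccess. The FilesMatch pattern is a regex, so it
    is anchored and the dot escaped: only the exact file name wp-login.php matches."""
    return "\n".join([
        'ErrorDocument 401 "Unauthorized Access"',
        'ErrorDocument 403 "Forbidden"',
        '<FilesMatch "^wp-login\\.php$">',
        '    AuthName "Authorized Only"',
        '    AuthType Basic',
        f'    AuthUserFile {passwd_file}',
        '    Require valid-user',
        '</FilesMatch>',
    ]) + "\n"


def install(home_dir, user, password):
    """Append user to <home>/.wpadmin (outside the web root, owner-only) and
    return the .htaccess text to place in the public directory."""
    passwd_file = os.path.join(home_dir, ".wpadmin")
    with open(passwd_file, "a") as fh:   # append: unlike `htpasswd -c`, keeps existing users
        fh.write(f"{user}:{apr1_md5(password)}\n")
    os.chmod(passwd_file, 0o600)
    return htaccess_block(passwd_file)


def lookup(passwd_file, user, password):
    """What Apache does per request: find the user's line and verify the password."""
    with open(passwd_file) as fh:
        for line in fh:
            name, _, stored = line.rstrip("\n").partition(":")
            if name == user:
                return verify(password, stored)
    return False


def demo(password="correct horse battery staple"):
    """Run the whole procedure in a temporary stand-in for /home/username."""
    home = tempfile.mkdtemp()
    block = install(home, "john", password)
    passwd_file = os.path.join(home, ".wpadmin")
    return block, lookup(passwd_file, "john", password), lookup(passwd_file, "john", "guess")
```

Calling demo() returns the .htaccess text together with a successful and a failed lookup. Keep the password file outside the public directory, as the article says: if it sat under the web root, the same brute-force traffic could simply fetch the hashes and crack them offline.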
WordPress founder Matt Mullenweg notes that those who still use "admin" as a username on their blog should change it, use a strong password, turn on two-factor authentication, and run the latest version of WordPress.
In related news, Microsoft Canada, together with IdeaNotion, is offering 200 people a $50 Visa gift card as reimbursement for the Windows Store developer account cost "if you turn your WordPress blog into a Windows 8 app."
IdeaPress also allows these apps to be updated instantly whenever a new blog entry is posted on the corresponding WordPress site.
To get the gift card, "all you need to do is publish an app using the template on GitHub or the IdeaPress tool, which will enable you to quickly and easily make a Windows 8 app from your WordPress blog. Then be one of the first 200 people to email IdeaNotion with your information," explains Microsoft.
"The IdeaPress tool employs an easy-to-use wizard, with the end result being either a Visual Studio solution or an Appx package that you can have directly published to the Windows Store."