2013-04-15: WordPress Installations Targeted by Automated Brute-Force Attack
Level Two Attack
Thousands of WordPress installations are allegedly at risk from an automated botnet that attempts to guess passwords for administration accounts. Like many web applications, WordPress does not throttle failed logins by default, so an automated tool can make as many password guesses as the network connection can handle. Someone has built a tool that does exactly this, and it appears to leverage each successful compromise to add a new node to the botnet that is performing the attack.
If you have a WordPress installation with a simple admin password (numbers, letters, less than 10 characters), consider upgrading the strength of your password right away - more than 12 characters and a mixture of uppercase/lowercase/digits/special characters should help strengthen your website's security. Also consider installing a throttling plugin (or Apache's mod_security) to enforce a timeout after failed login attempts.
The built-in editor that lets WordPress administrators modify PHP files directly through the website makes it a ripe target for attacks - once an attacker has taken control of an administrative account, they can immediately begin injecting their own PHP code into the website. If you are the administrator of a WordPress system, you should consider finding a way to disable the ability of admin accounts to write to files on the server.
Related Links
- TechCrunch: Hackers Point Large Botnet At WordPress Sites To Steal Admin Passwords And Gain Server Access
- ArsTechnica: Huge attack on WordPress sites could spawn never-before-seen super botnet
- KrebsOnSecurity: Brute Force Attacks Build WordPress Botnet
- PC Magazine: WordPress, Joomla Sites Under Brute-Force Password Attack
- Ubergizmo: Fix For Recent WordPress Brute Force Attack Is Easier Than You Think
- Ma.tt: PASSWORDS AND BRUTE FORCE
- US-CERT: WordPress Sites Targeted by Mass Brute-force Botnet Attack