WordPress hit by massive botnet: Worse to come, experts warn
Summary: A massive botnet of tens of thousands of machines is attempting to hack into weakly password-protected "admin" accounts on the popular blogging platform.
Blogging and website platform WordPress has been hit by a massive botnet of tens of thousands of computers, but it could be just the surface of a wider, larger attack.

The performance and security firm CloudFlare warned in a blog post today that the unknown attacker is using a "relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack," suggesting a calm before a heavier storm.
The botnet is attempting a "brute force" attack on WordPress websites, trying the username "admin" with thousands of different passwords. The botnet (often individual machines infected with malware and enlisted to hit target servers and websites with vast amounts of data) is being used to hack web-based WordPress installations.
This botnet channels some bandwidth from individual computers infected with malware, which collectively and en masse can overload servers. Typically, this kind of attack is carried out either by willing participants, to launch a distributed denial-of-service (DDoS) attack against websites and force them offline, or by "slave" computers that can be used to carry out hacking attempts.
It comes only a week after WordPress enhanced user security by rolling out an optional two-factor authentication system.
WordPress founder Matt Mullenweg criticized those who were offering "solutions" to the problem, such as CloudFlare, and instead suggested that users change default usernames as an additional step to protect their WordPress accounts.
"If you still use 'admin' as a username on your blog, change it, use a strong password, if you're on WordPress.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress," he said.
"Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem."
WordPress, which has around 64 million individual blogs and websites and more than 370 million readers each month, remains a large target for hackers. Alexa ranks the blogging network as the 21st most visited site in the world.
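Because the guessing described above is spread across thousands of machines, each source may make only a handful of attempts, so a per-IP lockout sees little while the login page as a whole is under heavy fire. The following is an added example, not code from the article, WordPress or CloudFlare: it counts failed `wp-login.php` POSTs per minute across all sources in a web server access log. The sample log lines, function names and thresholds are constructed for illustration, and it assumes default WordPress behaviour (a failed login returns 200, a successful one redirects with 302).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, Apache/nginx "combined" format, documentation-range IPs.
SAMPLE_LOG = """\
198.51.100.11 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3516 "-" "-"
198.51.100.12 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3516 "-" "-"
203.0.113.40 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3516 "-" "-"
198.51.100.11 - - [01/Jan/2024:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3516 "-" "-"
192.0.2.77 - - [01/Jan/2024:10:00:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3516 "-" "-"
192.0.2.78 - - [01/Jan/2024:10:00:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.5 - - [01/Jan/2024:10:07:12 +0000] "GET /2024/01/my-cat/ HTTP/1.1" 200 9120 "-" "-"
192.0.2.5 - - [01/Jan/2024:10:07:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3516 "-" "-"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def login_posts(text):
    """Yield (time, ip, status) for every POST to wp-login.php; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m[3] == "POST" and m[4].split("?")[0].endswith("/wp-login.php"):
            yield datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), m[1], int(m[5])

def detect(text, window_s=60, min_failures=5, min_sources=4):
    """Alert on fixed windows where login failures are spread over many source IPs."""
    fails = defaultdict(lambda: defaultdict(int))   # window -> ip -> failure count
    wins = defaultdict(list)                        # window -> IPs that logged in
    for when, ip, status in login_posts(text):
        bucket = int(when.timestamp()) // window_s
        if status == 200:    # assumed default: failed login re-renders the form
            fails[bucket][ip] += 1
        elif status == 302:  # assumed default: successful login redirects
            wins[bucket].append(ip)
    alerts = []
    for bucket in sorted(fails):
        per_ip = fails[bucket]
        total = sum(per_ip.values())
        if total >= min_failures and len(per_ip) >= min_sources:
            alerts.append({
                "failures": total,
                "sources": len(per_ip),
                "max_per_ip": max(per_ip.values()),  # all a per-IP limit would see
                "logins_in_window": wins.get(bucket, []),
            })
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A successful login reported inside an alerted window is worth reviewing first, since it may be a guessed password rather than the site owner.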
Talkback
and it's happening to Wells Fargo too . . .
It makes you wonder..
LOL
WordPress hit by massive botnet:
Generic usernames are put in place for convenience. They are never intended to be left as default. If you have a website then you owe it to those that surf your site that it is a secure place to visit. If you build a house and do not put locks in place someone will eventually enter your home.
WordPress is a very vibrant blogging and website platform that offers a number of security plug-ins and fixes to these types of issues. It is well maintained and updated frequently and highly recommended by me. No software is impervious to attacks.
Ken Chandler
http://www.smallbusinessbranding.com/
This discussion is kinda nonsensical ...
It's a real issue, but the truth is that it takes very, VERY little to protect against this kind of thing.
Cannot change admin account username
"Change" admin account username is actually a create / delete process
The procedure is to actually delete the Admin account.
1. Log in as admin
2. Create another user, preferably with a hard to guess username
3. Assign that user Administrative privileges
4. Log out of admin, log in as the user you just created
5. Delete the Admin user
6. Assign posts, etc. to the new user, or another user.
7. Extra Credit: Create another user, same guidelines as above, but with editor permissions.
8. Log in as the non-administrative user when doing anything other than admin work. You don't need to be admin to blog about your cat/dog/food project/latest quilt
Change In phpMyAdmin
Changing Usernames Is A Waste Of Time
The cause is people issue, not technical