Massive attack targeting weak passwords in WordPress
An organized, large-scale "brute force" password attack is attempting to break into user accounts on WordPress websites. The attackers use a database of common user names and passwords and try them against the WordPress login page. The following are some related articles:
- WordPress blogs and more under global attack - check your passwords now! [nakedsecurity]
- Brute Force Attacks Build WordPress Botnet [KrebsonSecurity]
Who needs to be concerned
- Users who use WordPress to build a website.
- Companies that provide WordPress website hosting services.
Recommendations
Detection and Recovery
If you find an unknown administrator account on WordPress, your system may have been compromised. You can recover with the following steps:
- Log in to the administration panel and remove all unknown administrator accounts.
- Change the passwords of all administrator accounts (use a strong password).
- Change the secret keys in WordPress, so that any login cookies the attacker already holds become invalid. [Detail]
- Or, re-install WordPress, or restore a backup that is known to be clean (taken before the compromise).
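Besides looking for unknown administrator accounts, the web server access log shows which source addresses were hammering the login page and whether any of them eventually got in. The script below is an added example written for this advisory, not code from the original page or from WordPress. It assumes the log is in the Apache/nginx "combined" format and relies on how WordPress answers a POST to wp-login.php: a failed login re-renders the form (HTTP 200), a successful one redirects into /wp-admin/ (HTTP 302). The log lines are constructed for the example; the IP addresses are documentation ranges.

```python
"""Spot WordPress login brute-forcing in a web server access log.

Added example for this advisory, not code from the original page.
Assumptions: combined log format; a failed wp-login.php POST gets
HTTP 200 (form re-rendered), a successful one gets HTTP 302.
"""
import re

# ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 198.51.100.7 guesses five times and then succeeds,
# 203.0.113.9 guesses three times and gives up, 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2013:10:01:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:10:01:02 +0800] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:02 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:10:01:03 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:03 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:01:04 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:01:04 +0800] "GET /wp-admin/ HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:10:01:05 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:05 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:10:01:06 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:06 +0800] "POST /wp-login.php HTTP/1.1" 200 3552 "-" "Mozilla/5.0"
this line is not a valid log record
198.51.100.7 - - [12/Apr/2013:10:01:07 +0800] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, method, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def analyze(log_text, threshold=3):
    """Return {ip: {"failed": n, "success_after_failures": bool}} for every
    source that sent at least `threshold` failed wp-login.php POSTs.
    A 302 from a source that already crossed the threshold is the case
    to act on: the attacker most likely guessed a password."""
    failed = {}
    success_after = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 200:            # form shown again: bad credentials
            failed[ip] = failed.get(ip, 0) + 1
        elif status == 302 and failed.get(ip, 0) >= threshold:
            success_after.add(ip)    # redirect into wp-admin after many failures
    return {
        ip: {"failed": n, "success_after_failures": ip in success_after}
        for ip, n in failed.items() if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        flag = "LIKELY COMPROMISED" if info["success_after_failures"] else "blocked/gave up"
        print(f"{ip}: {info['failed']} failed logins, {flag}")
```

Run it against the real log with `analyze(open("/var/log/apache2/access.log").read())`; every address flagged with `success_after_failures` should be cross-checked against the administrator accounts and their last-login times, and the passwords of any account it reached must be reset.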
Prevention
This incident shows that many WordPress installations are not securely configured. The following are some security measures:
- For personal users
If your password contains upper- and lower-case letters, numbers and symbols (^%$#&@*) and is at least 10 characters long, you do not need to change it. However, if you are using a common password, we suggest that you change it.
- For web hosting service providers
Advise your users to set a password that contains upper- and lower-case letters, numbers and symbols (^%$#&@*) and is at least 10 characters long, or use password rules to force users to choose a strong password. At the same time, set a limit on incorrect password attempts to slow down brute-force attacks.
- Whether you are a personal user or a web hosting service provider, consider changing the defaults chosen during installation, including the administrator account name, the path of the administration panel and the login URL. This reduces exposure to automated scanning attacks.
- Like any web application, WordPress is exposed to application-layer attacks. A web application firewall in front of the server can filter out improper requests, including floods of login attempts.
- WordPress provides many security settings and plug-ins for WordPress administrators. Here is a list of some useful ones:
- WordPress 2-step verification
This plug-in adds an extra layer of security to your WordPress account. It works together with Google 2-step verification.
- Limit Login Attempts
This plug-in blocks login attempts after a specified number of retries is reached, making a brute-force attack difficult or impossible.
- Stealth Login Page
This plug-in protects your default login pages from being accessed by obscuring the WP login form URL.
- Securing /wp-admin
http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin
Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around the specified blog area.
- Simple Login Log
This plug-in keeps a log of WordPress user logins.
- WordPress File Monitor Plus
This plug-in monitors files under your WP installation for changes. When a change occurs, the administrator is notified by email.
- File Permissions
http://codex.wordpress.org/Hardening_WordPress#File_Permissions
Hardening WordPress by setting up a file permission scheme.
- Disable File Editing
http://codex.wordpress.org/Hardening_WordPress#Disable_File_Editing
Hardening WordPress by setting a constant to disable editing from the Dashboard.
- Wordfence Security
This plug-in provides firewall features, virus scanning, real-time traffic with geolocation and more.
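The two controls the prevention section asks hosting providers for, a password rule and a limit on incorrect attempts, are shown together below as an added example written for this advisory; it is not code from WordPress or from any of the plug-ins listed above. `password_problems` enforces exactly the rule stated on the page (upper- and lower-case letters, a digit, a symbol, at least 10 characters) plus a check against a list of common passwords, which is what the attack is actually exploiting. `LoginLimiter` is a per-source-IP lockout after a number of failures inside a time window, the behaviour described for Limit Login Attempts. The common-password list, the thresholds and the clock are constructed for the example; a provider would plug the functions into the registration and login paths and use a shared store instead of in-memory dicts.

```python
"""Password policy check and failed-login lockout for a WordPress host.

Added example for this advisory; not WordPress or plug-in code.
Thresholds, the common-password list and the clock are illustrative.
"""
import string
import time

# Constructed sample of a common-password list; a real deployment would
# load a large list (the attackers are using one too).
COMMON_PASSWORDS = {
    "password", "admin", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin123", "password1", "wordpress",
}
SYMBOLS = set(string.punctuation)


def password_problems(password, common=COMMON_PASSWORDS):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if password.lower() in common:
        problems.append("common password")
    return problems


class LoginLimiter:
    """Lock a source IP out for `lockout` seconds once it has produced
    `max_failures` failed logins within `window` seconds."""

    def __init__(self, max_failures=5, window=600, lockout=1800, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock            # injectable for testing
        self._failures = {}           # ip -> list of failure timestamps
        self._locked_until = {}       # ip -> unlock time

    def is_locked(self, ip):
        now = self.clock()
        if now < self._locked_until.get(ip, 0):
            return True
        self._locked_until.pop(ip, None)   # lockout expired
        return False

    def record_failure(self, ip):
        """Register a bad login; return True if this one triggers a lockout."""
        now = self.clock()
        recent = [t for t in self._failures.get(ip, []) if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            self._failures.pop(ip, None)
            return True
        self._failures[ip] = recent
        return False

    def record_success(self, ip):
        """A good login clears the failure history for that source."""
        self._failures.pop(ip, None)


def attempt_login(limiter, ip, password_ok):
    """Gate one login attempt. Returns 'locked', 'ok' or 'failed'.
    `password_ok` stands in for the real credential check."""
    if limiter.is_locked(ip):
        return "locked"
    if password_ok:
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "failed"


if __name__ == "__main__":
    for pw in ("admin", "Password1!", "Tr0ub4dor&3xyz"):
        print(pw, "->", password_problems(pw) or "accepted")
    lim = LoginLimiter(max_failures=3, window=60, lockout=300)
    for i in range(4):
        print("attempt", i + 1, attempt_login(lim, "198.51.100.7", password_ok=False))
```

Note that a lockout keyed on the source IP only slows a single machine; a botnet spreads its guesses across many addresses, each staying under the threshold. Rejecting common passwords, and counting failures per account as well as per address, is what actually denies the attacker the "admin / password" style guesses this campaign relies on.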