Even WordPress' founder has issued a short advisory to help users mitigate the attacks

Apr 13, 2013 08:15 GMT

Over the past few days, several web hosting companies have reported seeing brute-force attacks being launched against websites powered by Joomla and WordPress.

The attackers are using a botnet with more than 90,000 servers to break into the websites’ administrator panels by attempting to “guess” the username and the password.

Security firm Sucuri reported blocking 773,104 attacks in the first 10 days of April.

Hosting providers such as HostGator, InMotion Hosting and Melbourne Server Hosting are advising their customers to update their administrator passwords to something very secure.

The issue is so serious that even WordPress founder Matt Mullenweg has published a blog post on the topic.

“Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using ‘admin’ as their default username,” Mullenweg explained.

“Right now there’s a botnet going around all of the WordPresses it can find trying to login with the ‘admin’ username and a bunch of common passwords, and it has turned into a news story.”

He advises users who still use “admin” as a username to change it and to set a strong password. Users are also advised to enable two-factor authentication and to make sure their WordPress installation is up to date.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg noted.

In the meantime, web performance and security company CloudFlare has published a rule through its web application firewall to block these attacks.

“We just pushed a rule out through CloudFlare's WAF that detects the signature of the attack and stops it. Rather than limiting this to only paying customers, CloudFlare is rolling the fix out to all our customers automatically, including customers on our free plan,” CloudFlare CEO Matthew Prince wrote in a blog post.
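Site owners without a WAF in front of them can spot the same pattern in their own web server logs: a single source address sending many POST requests to wp-login.php in a short window, none of which results in the redirect a successful login produces. The script below is an added example written for this article, not code from WordPress, CloudFlare or any hosting provider. It parses constructed Apache combined-format log lines (the addresses and timestamps are made up for illustration), counts failed-looking login POSTs per source address with a sliding time window, and reports addresses that exceed a threshold. The assumption that a failed WordPress login re-renders the form with status 200 while a successful one answers with a 302 redirect is stated in the code; adjust `THRESHOLD` and `WINDOW` to the traffic a given site normally sees.

```python
"""Flag source addresses that repeatedly POST to wp-login.php without success.

Added example for the brute-force campaign described in the article; not
code from WordPress, CloudFlare or any hosting provider. Log lines below are
constructed samples in Apache combined log format, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2013:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:08:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:08:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Apr/2013:08:00:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Apr/2013:08:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tunables: more than THRESHOLD failed login POSTs from one address inside WINDOW.
THRESHOLD = 5
WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string
        "status": int(m["status"]),
    }


def is_failed_login_post(rec):
    """Assumption: a failed WordPress login re-renders the form (200);
    a successful one redirects into wp-admin (302)."""
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] != 302


def find_bruteforcers(log_text, threshold=THRESHOLD, window=WINDOW):
    """Map each flagged ip to the peak number of failed login POSTs seen within one window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login_post(rec):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed wp-login.php POSTs within {WINDOW}")
```

Run as-is the script reports only 203.0.113.7; the address that logged in once with a redirect and the one with two failures several minutes apart stay below the threshold. Pointing the same function at a real access log (read the file and pass its text) gives a quick list of candidates for rate limiting or blocking, and the same signal is what a WAF rule or a login-attempt-limiting plugin acts on in real time.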