WordPress, the web platform which powers around 17% of the world's websites and blogs*, has been attacked by a botnet of tens of thousands of individual computers. The attack comes just after WordPress increased security with optional two-step authentication login.
The botnet – a network of hijacked home computers typically controlled by a criminal gang – targets users with the username "admin", then attempts to gain entry using thousands of possible passwords.
WordPress founder Matt Mullengweg blogged: "Here's what I would recommend: If you still use 'admin' as a username on your blog, change it, use a strong password."
Advice for WordPress site administrators:
– Keep your WordPress site regularly updated (remember to always take a backup of your database before doing so)
– Keep regular backups
– Install an encrypted login plugin
– Do not advertise that your website is a WordPress site: hide "Powered by WordPress"
– Change admin username
– Move the wp-config file