A day on the internet wouldn’t be complete without news of a major hacking event. Today’s unfortunate victim? WordPress. We’re not talking about the organisation, but the great many blogs powered by the flexible content management system.
WordPress co-founder Matt Mullenweg today posted on his blog that some 90,000 IP addresses hosting the software are being subjected to attacks focused on brute-forcing the password for the default “admin” account. He mentions that users with blogs on WordPress.com can enable two-factor authentication, while all users should rename the “admin” account.
“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” he states.
As noted by TechCrunch’s Frederic Lardinois, the attack is likely being executed by a network of low-powered home PCs — bots — with content delivery provider Cloudflare concerned it could be an attempt to recruit more powerful machines into that network.
We’ve pointed out before that securing your WordPress site is not a complicated process and the time it takes could save you a lot of pain if someone decides to target your site. Now is as good a time as any (scratch that, it’s the perfect time) to double-check that your installations are secure and up-to-date… and not using the admin account.