WordPress is used by about 15% of the top 1 million web sites on the web and manages about 22% of all web sites as of August 2011. It has only been growing since then. Indeed, a large fraction of our hosting clients use WordPress, as does LuxSci for many different applications (e.g. blog, server status, video blog, etc.).
Unfortunately, WordPress has a history of being attacked, having significant security vulnerabilities, and being a source of security pain for web site administrators.
Things have gotten markedly worse recently:
- Botnet Attack: WordPress sites all across the Internet are being attacked by a botnet that is trying to guess administrative and user credentials by brute force. This is compromising sites and putting significant load on web hosting servers. The attack is "light" now but is expected only to get worse, according to CloudFlare, a cloud security firm. Indeed, LuxSci.com sees these attacks constantly on every WordPress site that we host. We have measures in place to auto-block IP addresses that appear to be attacking WordPress sites; however, because the attack comes from more than 90,000 different, unrelated IP addresses, it is hard to block outside of WordPress itself (see below for how to block it). The attackers target "wp-login.php", use the user name "admin", and try the 1000 or so most common passwords. Beyond the compromises themselves, the sheer volume of this massive, if simple, attack is straining web hosting servers at providers everywhere.
- Vulnerabilities: Most compromised WordPress sites are compromised through vulnerabilities in the WordPress core software or in installed plugins. Vulnerabilities are continuously found and corrected, and new versions of the software are released. However, the vast majority of WordPress sites never update their software, or seldom do. Attackers scan the Internet for outdated WordPress installs and then exploit known vulnerabilities to gain control of those sites. With more and more WordPress sites out there, there are more and more sites that are not keeping up with security updates. They are ripe for the picking.
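The brute-force pattern described above (repeated POSTs to wp-login.php from one client) is easy to spot in the web server's own access log. The following is an added example, not LuxSci's tooling or anything from the WordPress project: it reads Apache "combined" format log lines, counts failed logins per client IP inside a sliding time window, and emits an Apache 2.2 `mod_authz_host` snippet that denies the offending addresses access to wp-login.php. It assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful login answers with a 302 redirect; the log lines, addresses and thresholds are constructed for illustration.

```python
"""Flag client IPs that brute-force wp-login.php, from Apache access logs.

Added example (not LuxSci's or WordPress's own code). Assumes Apache
"combined" log format and that a failed WordPress login returns HTTP 200
(the form is re-rendered) while a successful one returns a 302 redirect.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# client IP, timestamp, request line and status of a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic, not real log data. 203.0.113.5 hammers the
# login form, 198.51.100.7 fails once then succeeds, 192.0.2.44 is slow.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2013:10:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2013:10:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:10:00:05 -0400] "GET /wp-login.php HTTP/1.1" 200 2970 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2013:10:00:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2013:10:00:08 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:10:00:20 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:10:00:41 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2013:10:01:10 -0400] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2013:10:01:11 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Apr/2013:10:05:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
192.0.2.44 - - [11/Apr/2013:10:15:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Apr/2013:10:25:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return {ip, ts, method, path, status} for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_failed_login(rec):
    """A POST to wp-login.php answered with 200 is a failed login attempt."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == "200")


def find_bruteforcers(lines, threshold=5, window_minutes=5):
    """Map IP -> peak number of failed logins seen inside any sliding window.

    Only IPs reaching `threshold` failures within `window_minutes` are returned.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    peak = defaultdict(int)
    events = [r for r in map(parse_line, lines) if r]
    events.sort(key=lambda r: r["ts"])   # logs are usually ordered, but be safe
    for rec in events:
        if not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def htaccess_deny(ips):
    """Apache 2.2 mod_authz_host snippet denying the given IPs access to wp-login.php."""
    lines = ["<Files wp-login.php>", "    Order Allow,Deny", "    Allow from all"]
    lines += ["    Deny from %s" % ip for ip in sorted(ips)]
    lines.append("</Files>")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG.splitlines())
    for ip, n in hits.items():
        print("%s: %d failed logins within 5 minutes" % (ip, n))
    print(htaccess_deny(hits))
```

On the sample data only 203.0.113.5 is flagged with the default settings (six failures inside 70 seconds); 198.51.100.7 fails once and then succeeds, and 192.0.2.44 spaces its attempts ten minutes apart, so neither trips a five-attempt, five-minute threshold. Widening the window to 30 minutes with a threshold of 3 also catches the slow client, which is the trade-off a hosting provider has to tune: a botnet spread over 90,000 addresses can keep each address under almost any per-IP threshold, which is why the blocking also has to happen inside WordPress itself.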