How to Repel WordPress Brute Force Attacks

In a brute force attack, the attacker randomly tries username/password combinations until one works. In the case of the ongoing attack against WordPress sites, the attackers are simply going after sites with the username “admin” and attempting to brute force the password.

There are a number of things users can do to help mitigate the risk of the current round of WordPress brute force attacks.

Third-party web security services, including CloudFlare and Incapsula, claim to have web application firewall (WAF) rules in place that can mitigate the risk of the current attack.

Matt Mullenweg, creator of WordPress, suggests that WordPress administrators start by choosing a user name other than “admin” for the root control of their WordPress installation. Mullenweg also suggests the use of a strong password as detailed in a support note posted on the WordPress.com website.

Users of the WordPress.com hosted service now also have the option for two-factor authentication. WordPress is leveraging the Google Authentication two-factor technology to secure WordPress.com users. With two-factor authentication, a second password that is uniquely generated at specific time intervals is required to log into a site.
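The time-based second password described above can be illustrated with the TOTP algorithm (RFC 6238), which Google Authenticator implements. This is an added example, not code from WordPress.com or from the original article; the key is the RFC's published test secret, and `verify`, with its clock-drift window and replay check, is a hypothetical server-side helper.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # length of each time interval (RFC 6238 default)
DIGITS = 6         # code length typically shown by authenticator apps

# Constructed sample key: the published RFC 6238 SHA-1 test secret.
# A real deployment generates a random secret per user and stores it server-side.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(key, int(now) // STEP_SECONDS, digits)


def verify(key: bytes, submitted: str, now: float,
           last_used_step: int = -1, drift_steps: int = 1):
    """Return the matching time step, or None if the code is rejected.

    drift_steps tolerates clock skew between phone and server.
    last_used_step blocks replay of a code that was already accepted, so a
    captured code cannot be reused inside its validity window.
    """
    current = int(now) // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step <= last_used_step:
            continue
        expected = hotp(key, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step
    return None


if __name__ == "__main__":
    code = totp(RFC_TEST_KEY, 59)
    print("code at t=59:", code)
    print("first use  :", verify(RFC_TEST_KEY, code, 59))
    print("replayed   :", verify(RFC_TEST_KEY, code, 59, last_used_step=1, drift_steps=0))
```

Because each code is bound to one time step and the server records the last accepted step, a password guessed by brute force is not enough on its own to log in.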

Read the full story at eSecurity Planet:
WordPress Sites under Brute Force Onslaught

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.
