A large distributed brute force attack against WordPress sites is understood to be occurring. A large botnet with more than 90,000 servers is attempting to log in by cycling through different usernames and passwords.

A study of various attack patterns has led to security software firm Sucuri concluding that the number of brute force attacks against WordPress has trebled in recent months and that reports of attacks are accurate.

Irish web hosting provider Spiral Hosting emailed its clients to advise them of the brute force login attacks.

“There is currently a large scale brute force attack coming from a large amount of IP addresses spread across the world,” Peter Armstrong, managing director of Spiral Hosting explained.

“A large botnet has been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard. This is affecting almost every major web hosting company around the world. Our Network Operations Centre (NOC) has detected a significant increase in botnet activity in the last 24 hours.”

Brute force attacks have reached epidemic levels

Armstrong continued: “Brute force attacks have reached epidemic level. Therefore, we have joined other major web hosting providers by advising all our clients who use WordPress to install an additional plugin ‘Limit Login Attempts’ that will help to prevent brute force attacks.”

Armstrong said that it is crucially important that WordPress websites are kept up to date.

“Normal security procedures include regular updates of the WordPress core files, plugins and theme files. In addition to this, we also recommend WordPress administrators change their login username from the default ‘admin’ username, use very secure passwords, and install the ‘Login Limits Attempts’ plugin or other WordPress security plugins.

“Another security risk that WordPress administrators sometime forget about are inactive themes, installed on their blog but no longer in use. The files for the WordPress themes are still located in the /wp-content/themes/ directory, and even if they’re not being used, they’re still vulnerable to being hacked/exploited if they’re not kept up to date. Therefore, we recommend WordPress administrators delete all WordPress themes except the active theme currently in use on their website,” Armstrong said.

Hacker attack image via Shutterstock