Those reading this weblog likely know that it is based on the popular WordPress application. I know many individuals and organizations who use this application. Some time ago, I provided a post dealing with WordPress security (and I recommended a number of plugins and techniques to minimize potential threats). Since this post was done some time ago, I thought it might be helpful for readers to have a clear understanding of the constant level of attacks experienced by WordPress sites. Obviously I run more than one. You may find it interesting to learn that I decided to track the number of malicious attacks my sites have experienced for one month (October, 2012). Over 50 malicious attacks were experienced during the month. This equates to at least one of my WordPress sites being attacked every day of the month (actually more often).Here are some of the raw statistics which you may find interesting (along with my notes). A total of 53 separate attacks were launched against WordPress sites I administer during the month of October, 2012. As best as I can determine, none of these attacks were successful.
Of the above attacks, there were 42 separate instances where individuals tried to login to the site (by providing guessed usernames and passwords). These are not single attempts, these are repeated attempts using dictionary attacks against various guessed usernames. Of these login attempts, 62% used the default username (admin) which is provided when one initially installs a site. Mark’s helpful hint – don’t ever accept a default username (like admin). Change it to something complex and not easily guessed. If not, people will run password guessing programs against your site repeatedly. Note that I use a WordPress plugin to lock a given IP address from accessing the login page after a set number of failed attempts. I recommend readers do the same. The remaining 38% of attempted login attacks used words commonly found in dictionaries. Another reason to include random values in your usernames (note that you can display anything you want for the blog post; it doesn’t have to tie to the username). If any attackers are reading this, it is probably a safe bet that I am not using a username which is the same as the name you see for the individual who posted this.
That leaves another 11 separate attacks which were much more malicious. In all instances these attempted to upload an executable file to the server. The attacker tried (unsuccessfully) to upload a PHP file which could then be accessed in their browser and executed. If any of these attacks had worked, the server would have been compromised and the attacker could have gained access to the entire site. If you are interested in learning more about the various attacks one may encounter on a WordPress site, Matthew Pavkov provides a nice overview of these types of attacks. Protect yourself against all of these at a minimum.
In addition to tracking attacks, I also track where the attacks originate from. Yes, I realize that these locations can be spoofed. However, I thought you might like to know where they appear to come from. Here is a complete and alphabetized list of locations for the attacks I experienced during the month of October, 2012).
- United States (mostly California)
Yes, I continue to monitor my sites and investigate all access attempts. If you are running WordPress, I strongly recommend using complex usernames (never the default admin); strong, long, and complex passwords and preventing various attacks (like file uploads).
As always, I am interested in your comments and insights. Yes, I must approve each comment (and will as long as it is not spam).