WordPress users urged to change passwords after botnet attack

WordPress users and Internet administrators are this week picking up the pieces from a sweeping cyber attack on the popular blogging platform.

The unidentified perpetrators are believed to have built a botnet to launch attacks from thousands of unique IP addresses in the operation, which is still putting WordPress users at risk.

As pointed out by the service’s co-founder Matt Mullenweg, many of those who joined the site in its early days adopted the default username ‘admin,’ and as such the attackers tried their luck by allying this username with thousands of different passwords to breach the maximum number of accounts possible.

“Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress,” writes Mullenweg on his blog. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.”

With Wordpress thought to power over 60 million websites worldwide, the implications for the wider Internet are significant.

DNS service CloudFlare is currently in the process of repairing the breach and assisting customers who have been compromised by the WordPress attack. “We just pushed a rule out through CloudFlare's WAF that detects the signature of the attack and stops it," the company reports.

"Rather than limiting this to only paying customers, CloudFlare is rolling it out the fix to all our customers automatically, including customers on our free plan. If you are a WordPress user and you are using CloudFlare, you are now protected from this latest brute force attack.”