Attacks on WordPress sites? [if using WP please read]

Reikun
Miko-Class Veteran
Posts: 565
Joined: Tue Dec 20, 2011 9:57 pm
Completed: Mnemonic Devices, Ciikos Bridge, Helena's Flowers, The Madness
Projects: Fox in the Hollyhocks
Organization: skyharborr
itch: skyharborr
Contact:

Attacks on WordPress sites? [if using WP please read]

#1 Post by Reikun » Sat Apr 13, 2013 10:00 pm

This article from ArsTechnica popped up on my twitter feed: http://arstechnica.com/security/2013/04 ... er-botnet/

I know a lot of VN circles/creators use WordPress for their sites so I figured I'd post this here as I'm not sure people are aware of this. I'm not skilled with WP/CMSs so I can't offer up much advice about what to do from here. Maybe some more versed forum members can shine some light on the best course of action? Is what the Ars article suggests sufficient?

I'm also pretty sure this mostly refers to sites using WP as an installed CMS on their own host and NOT free blogs via wordpress.com (though those could possibly be affected too).

Stay safe, everyone.

fastest way to contact me: DM @skyharborr on twitter

CheeryMoya
Miko-Class Veteran
Posts: 892
Joined: Sun Jan 01, 2012 4:09 am

Re: Attacks on WordPress sites? [if using WP please read]

#2 Post by CheeryMoya » Sat Apr 13, 2013 10:28 pm

Well, shit.

All of the articles I'm finding don't make the clear distinction between WordPress.com or WordPress.org, but this techcrunch article says:
If your site is hosted on WordPress.com, you can also turn on two-factor authentication to add an extra layer of security.
Which means they're probably assuming you're hosting your own WP-powered site.

Everyone better change their password pronto, hopefully that'll keep them out. Ugh :/

leon
Miko-Class Veteran
Posts: 554
Joined: Sun Oct 09, 2011 11:15 pm
Completed: Visual Novel Tycoon, Night at the Hospital, Time Labyrinth, The Buried Moon, Left of Center, Super Otome Quest
Projects: Lemon Project, Porcelain Heart, Dream's Dénouement
Organization: Team ANARKY
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#3 Post by leon » Sat Apr 13, 2013 10:29 pm

According to CloudFlare's Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username "admin" and 1,000 or so common passwords.
Only sites that are using weak (most commonly used) passwords are vulnerable to the attack. So no reason to panic - just change your password to something strong, if it's not already, and you should be safe.

Maelstrom-Fenrir
Regular
Posts: 139
Joined: Sat Feb 25, 2012 3:09 am
Completed: Shadow on the Bridge, Time Labyrinth
Projects: Porcelain Heart, Umbra
Organization: Black Witch Project
Skype: Maelstrom-Fenrir
Location: USA
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#4 Post by Maelstrom-Fenrir » Sat Apr 13, 2013 10:37 pm

leon wrote:
According to CloudFlare's Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username "admin" and 1,000 or so common passwords.
Only sites that are using weak (most commonly used) passwords are vulnerable to the attack. So no reason to panic - just change your password to something strong, if it's not already, and you should be safe.
So would a 25 character password be strong enough?

SundownKid
Lemma-Class Veteran
Posts: 2299
Joined: Mon Feb 06, 2012 9:50 pm
Completed: Icebound, Selenon Rising Ep. 1-2
Projects: Selenon Rising Ep. 3-4
Organization: Fastermind Games
Deviantart: sundownkid
Location: NYC
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#5 Post by SundownKid » Sat Apr 13, 2013 10:50 pm

I believe that you can delete the "admin" account and switch to a different username as well, making that one administrator.

leon
Miko-Class Veteran
Posts: 554
Joined: Sun Oct 09, 2011 11:15 pm
Completed: Visual Novel Tycoon, Night at the Hospital, Time Labyrinth, The Buried Moon, Left of Center, Super Otome Quest
Projects: Lemon Project, Porcelain Heart, Dream's Dénouement
Organization: Team ANARKY
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#6 Post by leon » Sat Apr 13, 2013 10:58 pm

This attack seems to attempt the 1000 most commonly used passwords (probably things like "user", "admin", "password", ...), so only very weak passwords are vulnerable.
Yes, 25 characters would be a bit of an overkill actually. Something like 10-12 characters should be very safe, but you should also make sure to include lowercase, uppercase character(s), number(s) and special character(s). For example: 4Rh9m7rd9oDN;
I use an application called LastPass, which generates strong passwords, as well as automatically enters them to website logins. With it I don't have to deal with logins, while keeping all my passwords secure. It made my life a lot easier...

arachni42
Veteran
Posts: 341
Joined: Mon Feb 25, 2013 6:33 pm
Organization: no, I'm pretty messy
Location: New York
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#7 Post by arachni42 » Sat Apr 13, 2013 11:54 pm

leon wrote:This attack seems to attempt the 1000 most commonly used passwords (probably things like "user", "admin", "password", ...), so only very weak passwords are vulnerable.
Well, that much is comforting; it would be extra scary if they tried to brute force all the passwords.
leon wrote:Yes, 25 characters would be a bit of an overkill actually. Something like 10-12 characters should be very safe, but you should also make sure to include lowercase, uppercase character(s), number(s) and special character(s). For example: 4Rh9m7rd9oDN;
I agree that 25 is overkill for today's computers, although it doesn't really hurt (except in wear and tear on your fingers for typing it)! I have a slightly different opinion on random passwords, though. I used to use them (and still do), but I'm really coming around on pass phrases. Length alone can make a password impractical to brute force, but 4Rh9m7rd9oDN; is a lot harder to remember than renpywhereforeartthourenpy, and the latter is wayyyy longer. And for the lazy people, I also bet there are a lot more common phrases than 1000. This about sums it up:
http://xkcd.com/936/
I, Miku (NaNoRenO 2014)
Vignettes (NaNoRenO 2013)

Tempus
Miko-Class Veteran
Posts: 519
Joined: Sat Feb 16, 2013 3:37 am
Completed: Ladykiller in a Bind
Projects: StoryDevs
Tumblr: jakebowkett
Deviantart: jakebowkett
Github: jakebowkett
Location: Australia
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#8 Post by Tempus » Sun Apr 14, 2013 6:02 am

I use nonsense pass phrases that amuse me. For sites that I don't visit very often (and hence haven't memorised the pass phrase), I just write them on a scrap of paper at my desk. An example would be something like:
  • Juan day, I'll eat 50phor burritos!
    (One day, I'll eat fifty-four burritos!)
I dunno about anyone else, but that kind of thing is easy for me to remember. Plus, it's mixed case and contains numerals, spaces and grammar.
StoryDevs — easy-to-search profiles for VN devs (under construction!)

Greeny
Miko-Class Veteran
Posts: 921
Joined: Sun Dec 20, 2009 10:15 am
Completed: The Loop, The Madness
Projects: In Orbit, TBA
Organization: Gliese Productions
Location: Cantankerous Castle
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#9 Post by Greeny » Sun Apr 14, 2013 11:43 am

Oh my god, they're going to assassinate the internet!
In Orbit [WIP] | Gliese is now doing weekly erratic VN reviews! The latest: Halloween Otome!
Gliese Productions | Facebook | Twitter

leon
Miko-Class Veteran
Posts: 554
Joined: Sun Oct 09, 2011 11:15 pm
Completed: Visual Novel Tycoon, Night at the Hospital, Time Labyrinth, The Buried Moon, Left of Center, Super Otome Quest
Projects: Lemon Project, Porcelain Heart, Dream's Dénouement
Organization: Team ANARKY
Contact:

Re: Attacks on WordPress sites? [if using WP please read]

#10 Post by leon » Sun Apr 14, 2013 11:30 pm

arachni42 wrote:
leon wrote:This attack seems to attempt the 1000 most commonly used passwords (probably things like "user", "admin", "password", ...), so only very weak passwords are vulnerable.
Well, that much is comforting; it would be extra scary if they tried to brute force all the passwords.
Another way to avoid it would be to simply change the username, as SundownKid suggested. But this applies only to this particular attack; hackers use all sorts of other attacks too - better be safe than sorry.
arachni42 wrote:Length alone can make a password impractical to brute force, but 4Rh9m7rd9oDN; is a lot harder to remember than renpywhereforeartthourenpy, and the latter is wayyyy longer. And for the lazy people, I also bet there are a lot more common phrases than 1000. This about sums it up:
http://xkcd.com/936/
The 'difficulty to guess' in that comic applies to brute force (trying every character combination), but if using combinations of common words, a variation of a dictionary attack (trying the words in the English dictionary) would probably crack it pretty fast. Using uncommon words (like renpywhereforeartthourenpy) or nonsense pass phrases as Tempus suggested should strengthen the password significantly.

Another thing to consider is that you should use a different password for every site or service you use. If you use a single password and a hacker gets their hands on it, they'll have instant access to all your sites. I think the ultimate solution is to use an application like LastPass, which allows you to stay much more secure and pretty much forget about having to ever deal with those pesky passwords.
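An added worked example (mine, not code posted by anyone in this thread) that puts numbers on the argument in #6 and #10: the guess entropy of 4Rh9m7rd9oDN; under brute force, versus a passphrase under a word-combination attack, with the attacker taking whichever model is cheaper. The 2048-word list size and the tiny WORDLIST stand-in are constructed assumptions.

```python
import math
import string

# Constructed attacker models (assumptions for this example, not from the thread):
# brute force over the character classes actually used, and a word-combination
# attack over a list of LIST_SIZE common words (xkcd 936's ~11 bits per word
# matches 2048). WORDLIST is a tiny constructed stand-in for that list.
LIST_SIZE = 2048
WORDLIST = {"correct", "horse", "battery", "staple", "where", "wherefore", "art",
            "thou", "one", "day", "eat", "burritos", "fifty", "four", "password"}
PUNCT = set(string.punctuation) | {" "}

def charset_size(password):
    """Alphabet size a brute-force attacker must cover, given the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in PUNCT for c in password):
        size += len(PUNCT)
    return size

def brute_force_bits(password):
    """Guess entropy against trying every string over the used character classes."""
    return len(password) * math.log2(charset_size(password))

def segment(phrase, wordlist):
    """Fewest-word split of `phrase` into wordlist entries, or None if impossible."""
    best = [None] * (len(phrase) + 1)   # best[i] = fewest-word split of phrase[:i]
    best[0] = []
    for i in range(1, len(phrase) + 1):
        for j in range(i):
            if best[j] is not None and phrase[j:i] in wordlist:
                cand = best[j] + [phrase[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[-1]

def dictionary_bits(phrase, wordlist=WORDLIST, list_size=LIST_SIZE):
    """Entropy against word combination; infinite if a part (e.g. 'renpy') is unlisted."""
    words = segment(phrase.lower(), wordlist)
    return math.inf if words is None else len(words) * math.log2(list_size)

def effective_bits(password, wordlist=WORDLIST):
    """The attacker picks the cheaper model, so strength is the minimum of the two."""
    return min(brute_force_bits(password), dictionary_bits(password, wordlist))
```

Against the constructed list, correcthorsebatterystaple collapses to 4 words (44 bits) while renpywhereforeartthourenpy cannot be assembled from the list at all, so only brute force applies to it.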
