Leaving the default settings on any Internet-connected service is asking for trouble. It's easy to scoff at people whose "12345" password fell to hackers, but a default username is just as easy to target: it hands the attacker half of the credential pair for free. A number of WordPress bloggers learned this the hard way when the servers behind their "admin" accounts were drafted into a hostile botnet.
The attacks began last week and have hit more than 90,000 blogs so far. The hackers behind them have been working through WordPress login pages and guessing passwords by brute force.
Their program takes the default "admin" username and tries it against a list of 1,000 common passwords on each site. The tactic fails against anyone with a strong, unique password, but enough people use easy-to-guess passwords to make it worthwhile for the hackers.
Once a guess succeeds, the attacker plants code on the server hosting the blog and drafts it into a botnet, a collection of compromised machines under one controller that is commonly used to launch further attacks. A home PC in a botnet is of limited use; a web server, with high bandwidth and an always-on connection, is far more valuable. Servers recruited into the botnet can attack many more sites at once, and every site they crack grows the botnet further.
The ultimate goal of the botnet is a mystery. Administrative access to a handful of blogs is not much of a prize on its own, although it does let an attacker run code on each host. A network of more than 90,000 compromised servers, on the other hand, can wreak all sorts of havoc, especially in denial-of-service attacks.
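What this campaign looks like from the server side, as an added example that is my own code and not part of the article or of WordPress: a small Python script that reads a web server's combined-format access log and flags password guessing against wp-login.php. It assumes (my assumption, not the article's) that a failed WordPress login is a POST to /wp-login.php answered with HTTP 200, because WordPress re-renders the form, while a successful login is answered with a 302 redirect. The log lines are constructed for the example: one host hammers the form and finally gets a 302, six hosts try once each the way a botnet would, and one legitimate user mistypes once.

```python
"""Flag password guessing against wp-login.php in a combined-format access log.

Added example; assumptions: failed login = POST /wp-login.php -> 200,
successful login = POST /wp-login.php -> 302.  The sample log is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# ip, ident, user, [timestamp], "METHOD path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2013:09:50:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:50:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:50:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:50:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:50:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:50:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.1 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.2 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.3 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.6 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Apr/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Apr/2013:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Apr/2013:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def login_posts(entries):
    """Only a POST to wp-login.php is a login attempt; a GET merely loads the form."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"].split("?")[0].endswith("/wp-login.php")]


def failed_logins_per_ip(entries):
    return Counter(e["ip"] for e in login_posts(entries) if e["status"] == 200)


def noisy_ips(entries, threshold=5):
    """Classic per-source rule: any single IP with at least `threshold` failed logins."""
    return sorted(ip for ip, n in failed_logins_per_ip(entries).items() if n >= threshold)


def max_failures_in_window(entries, window_seconds=60):
    """Largest number of failed logins, from any sources, inside one sliding window.

    A botnet spreads its guesses over many IPs so each stays under the per-IP
    threshold; counting site-wide still exposes the burst."""
    window = timedelta(seconds=window_seconds)
    times = sorted(e["ts"] for e in login_posts(entries) if e["status"] == 200)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def likely_guessed(entries, min_failures=3):
    """IPs whose 302 (successful login) followed a streak of failures from the same IP.

    One mistyped password before a 302 is normal; several in a row is a guessed password."""
    streak = defaultdict(int)
    hits = []
    for e in sorted(login_posts(entries), key=lambda e: e["ts"]):
        if e["status"] == 200:
            streak[e["ip"]] += 1
        elif e["status"] == 302:
            if streak[e["ip"]] >= min_failures:
                hits.append(e["ip"])
            streak[e["ip"]] = 0
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("noisy IPs:", noisy_ips(entries))
    print("max failed logins in any 60 s window:", max_failures_in_window(entries))
    print("successful login after a failure streak:", likely_guessed(entries))
```

The per-IP rule catches the single loud host, but the six 203.0.113.x sources each make one attempt and slip under it; only the site-wide window count shows that burst, which is why a campaign run from a botnet is hard to stop with per-IP rate limiting alone. The last check is the one to act on: a 302 after a run of failures means the guess worked and the account should be treated as compromised.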
Matt Mullenweg, a WordPress founder, took to his blog to provide some advice. He explained that hackers had been targeting users who never changed the "admin" username for their account — in retrospect, an obvious security risk. "If you still use 'admin' as a username on your blog, change it," he recommended.
By using a strong password, turning on two-step authentication and updating to the latest version of WordPress software, users will "be ahead of 99 percent of sites out there and probably never have a problem," Mullenweg said.
WordPress.com users would be wise to heed Mullenweg's words, especially on two-step authentication. As he describes it, that is a WordPress.com feature, so it is not built in for the many bloggers who run the self-hosted WordPress software elsewhere; those sites can get equivalent protection from a two-factor plugin, and Mullenweg's other tips, a strong unique password and prompt updates, apply to them just as much.
If your blog has already been compromised, changing the username and password is necessary but not sufficient. A site that has been drafted into a botnet is running the attacker's code, which a password change does not remove, and the attacker may have added extra administrator accounts or edited theme and plugin files to keep a way back in. Check the user list for accounts you did not create, compare the site's files against a clean copy of the same WordPress version, rebuild from known-good files if anything has been altered, and then rotate every credential the site held, including the database and FTP passwords.