
WordPress security: How to keep your site safe from hackers

“WordPress has been attacked by a botnet of ‘tens of thousands’ of individual computers since last week, according to server hosters CloudFlare and HostGator”

A load of meaningless jargon? Not so fast Sonny Jim. Jargon – I’ll give you that – but the meaning might just become all too clear for a huge number of people.

Granted, at first glance the above quote, as it appeared on the BBC News website on Monday, may not mean an awful lot to most people.

However, nearly a fifth of the world’s websites are built in WordPress. If yours is one of them, it might just create a massive problem for you.

As with all modern websites, administrators on WordPress need to log in to make any changes – whether it is to simply add a blog post or to overhaul the whole front page – and they tend to use ‘admin’ as a username to access the site.

However, hackers know this, which gives them a massive head start. How? Watch out, there’s some maths winging its way to you in the very near future.

All access requires a username and password. If there are, say, one million different usernames each with, say, one million different possible passwords then you have a billion combinations to guess at. And that’s a good old-fashioned UK billion – never mind those paltry tight-fisted US billions.

However, if you assume that ‘admin’ is the username then the number of combinations hackers need to try falls dramatically, back to a measly runt-like million.

Needless to say, you’ve probably got better things to do than sit in front of a computer trying a million passwords – even if you are an evil hacker. But, if you have a botnet, you won’t need to.


Doris opened Ken’s eyes to a whole new world of internet pornography

Beating the botnets: Safeguarding your site from attack

A botnet is an army of computers that has been taken over by hackers to perform shady tasks – for example, hacking your WordPress account.

This latest attack had ‘tens of thousands’ of PCs whirring away trying to access various sites.

At one password guess a second, one computer would take around 11.5 days to guess your password. Ten thousand computers, on the other hand, would take roughly a minute and a half. The cheeky little monkeys.

So how can you protect yourself against this type of attack? Firstly, change your username! This attack focused on the ‘admin’ username as it is so common.

Rare usernames are tougher nuts to crack – in our example even the evil botnet would need to plug away for three years before it had its wicked way with you.

Of course, it is also good policy to make sure your password is hard to guess too. This doesn’t need to be too much hassle – see here for details: http://xkcd.com/936/.

If you want to beef up security further, WordPress has recently added a two-step authentication process: http://en.blog.wordpress.com/2013/04/05/two-step-authentication/. All new sites built by UWP come with this as standard.

If you are worried about your website’s security or any web-related issues, contact us at hello@uwpgroup.co.uk. We’d be only too happy to offer some free help or advice.
