At about 1 p.m. this afternoon Wordfence, the security company behind the WordPress plugin of the same name, issued a security advisory by email informing users of its plugin that WordPress sites are currently under a distributed brute force attack.
“As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the amount of traffic we show down to 4% of actual traffic.
“A brute force attack is when an attacker tries many times to guess your username/password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this in order to circumvent any blocking mechanisms you have in place.”
The best defense against a brute force attack is to limit the number of failed login attempts an IP address may make before it is locked out for a specified amount of time; a security plugin such as Wordfence does this for you. WordPress sites should also not have an administrative account with the username “admin,” since that default name is the first guess an attacker will make.
Here at FOSS Force we have verified the attack by looking at our own logs. During the past hour we’ve experienced several hundred failed attempts to log into our WordPress install.
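The two things described above, checking the web server log for repeated login attempts and locking out an address after a set number of failures, can be done with a few dozen lines of Python. The following is an added example written for this article; it is not Wordfence code and does not show how that plugin works internally. It assumes an Apache-style combined access log (the regular expression would need adjusting for nginx or other layouts) and relies on the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302. The log lines are constructed for the example.

```python
"""Count wp-login.php attempts per source IP and apply a lockout policy.

Added example, not Wordfence's or WordPress's own code. Assumes Apache
combined log format and default WordPress login behaviour (failure = 200,
success = 302 redirect). Sample log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format, simplified: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


class LoginLockout:
    """Sliding-window failed-login counter with a temporary per-IP lockout.

    After max_failures failed attempts within window_seconds, the IP is
    locked out for lockout_seconds. Only failures (status 200) count; a 302
    is a successful login and is ignored.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=1200):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, ts, status):
        """Record one POST to wp-login.php. Returns True if the IP is (now) locked out."""
        if self.is_locked(ip, ts):
            return True
        if status != 200:  # 302 = successful login, not a failure
            return False
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            q.clear()
            return True
        return False


def scan_log(lines, policy=None):
    """Feed every POST to wp-login.php through the lockout policy.

    Returns (attempts_per_ip, locked_ips): attempts counts all login POSTs
    seen per IP; locked_ips is the set of IPs that tripped the threshold.
    """
    policy = policy or LoginLockout()
    attempts = defaultdict(int)
    locked = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        attempts[ip] += 1
        if policy.record(ip, ts, status):
            locked.add(ip)
    return dict(attempts), locked


# Constructed sample: one address hammering the login form (six failures),
# one legitimate user who logs in successfully, then loads the dashboard.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Apr/2013:13:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Apr/2013:13:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Apr/2013:13:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Apr/2013:13:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Apr/2013:13:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Apr/2013:13:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Apr/2013:13:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Apr/2013:13:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts, locked = scan_log(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        flag = "  LOCKED OUT" if ip in locked else ""
        print(f"{ip:15} {n:4d} login POSTs{flag}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; the attempt counts per IP are the same figure we looked at to verify the attack, and the locked set is what a plugin-based lockout would have blocked. In a distributed attack each address may stay under the per-IP threshold, which is exactly why the advisory calls out distribution as a way around this kind of blocking; the per-IP counts still reveal it when many addresses all hit wp-login.php within the same short window.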
Forewarned is forearmed.