This might be helpful:

[gist.github.com...]

This is serious. A 90,000 IP address botnet is at work in the brute force attack.

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

[krebsonsecurity.com...]

Also, make sure none of your admin accounts use the username "admin".

Also, make sure none of your admin accounts use the username "admin".

And doesn't have a password of "password"!

You can also add the following to your htaccess file inside your public_html directory which will then protect all the Wordpress websites under that folder.

Only catch is, if your IP address changes, you'll need to modify that one htaccess file before you can log into your Wordpress sites. Small price to pay for additional security of many Wordpress installations.

<files wp-login.php>
order deny,allow
Deny from all
allow from 1.2.3.4
</files>

Password protect your WP login page! It's one of many, many improvements you can make to harden wordpress, against brute force attacks, DoS attacks, scannerz and scraperz and bots zombiez and vampirez etc.

on the command line:

> htpasswd -c /path/to/web/root/.wplogin your_name

then put this in your .htaccess:

<FilesMatch "wp-login.php">
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /path/to/web/root/.wplogin
require valid-user
</FilesMatch>

There are lots of wicked tutorials on the interweb explaining how to do that better than I have.

Make it look like you site is not running wordpress, or better yet, don't use wordpress! I don't lose any sleep over wordpress because I am not running it.

I can't help feeling good luck to them, so many wordpress sites created as feeder link sites or just pure dross you gotta think they deserve to be hacked!

If you still use WordPress saying "I told you so" would be redundant so instead I'll say "I informed you thusly".

It's a good time to think about using WordPress hosting separate from your server or Drupal, something that takes the crosshairs off your site.

>> crosshairs

It doesn't matter what CMS you use, someone's out there looking for ways to hack it.

It doesn't matter what CMS you use, someone's out there looking for ways to hack it.

That would be incorrect as I'm going out on a limb that some developers think more about security and do more code review than others which is the risk of Agile development in that things ship before it's safe to ship because things literally aren't thought out as well as it's the nature of the beast by definition.

Ah.. as far as code development goes - yes, I agree with that. And because of popularity of WP, the likelyhood of bad code being released is greater and therefore a larger attraction to hackers. So the focus/attraction is larger for WordPress sites than it would be on, say a Drupal site or homegrown CMS.

My multi-user CMS has 30,000 active members, and over 300,000 pages, and every content page accepts comments without a captcha, even from from anonymous users.

My secret? It's my own software, and it's not worth hackers' time to write a bot or deploy a botnet for my one-of-a-kind website.

I've considered switching to Wordpress MU in the past. It's times like this that make all the extra work worth it.

According to my hosting company, this attack is "ongoing". It is coming in waves and besides just messing with wordpress, this is tantamount to a DDOS attack and is holding up other traffic, even to your html sites. Sunday morning the attack lessened and sales became brisk, but it picked up heavy by noon and blasted servers all day. People sat on pages that took way too long to load so they bailed.

Can't say it's much worse than Googlebot who has also been hammering our server, accounting for over 50% of today's traffic.

If one argues that people shouldn't use Wordpress because its popularity makes it a target, one should also argue against the use of Windows PCs for the same reason, if one wishes to appear consistent. ;)

Wordpress out of the box is not without vulnerabilities - just like a PC without virus software. But in both cases, there's a lot you can do to make them more secure. You just have to be aware there's a problem, find out what you need to do, and then do it.

Comparing WordPress to Windows is a bit silly as MS spends many millions on security and since Windows Vista/7/8 has made huge strides to clean up their act and for the first time ever wasn't on the top 10 vulnerability lists while Apple finally made those lists. They may get a lot of flack but Windows isn't the problem most of the time, it's all the other stuff people run on Windows causing the problems such as Java, etc. Likewise, Linux servers when configured properly are pretty dang secure until you install something like WordPress on the server. For the most part it's almost always the 3rd party software that allows hackers to gain access to the OS, not the OS itself, yet the OS takes the heat for their 'vulnerability' which is nonsense.

WordPress, to the best of my knowledge, has never spent that kind of cash and resources to secure their software or we probably wouldn't be having this conversation. People shouldn't have to waste time trying to harden WordPress as it should ship as hardened as possible but that isn't the case. The areas of vulnerability aren't that great in the out-of-the-box product and a team of engineers could harden the heck out of the default product and stop the madness yet it never happens.

Not that I'm a security expert nor do I play one on TV but I do know what's blatantly bad coding practice and what's good coding practice and you can't afford to ever cut corners and be sloppy as someone out there will be waiting for that golden opportunity to prove not only are they smarter than you, but they have all your customer's credit card numbers and have already sold them to the Russians! :)

If Wordpress where that vulnerable, the current attackers would probably not do a brute force attack on passwords but try to find and then use an exploit in the source code.

They are not targeting Wordpress but stupid users who use "admin" as username and a dictionary word as password.

Our servers crashed last week after a load of attempts to login to our Wordpress. As mentioned here, we password protected our Wordpress login for added security

However, since we put in place the password protection, we got a notice from Google webmaster tool about "Increase in authorization permission errors". GWT was reporting errors in the form of

wp-login.php?redirect_to=http%3A%2F%2Fwww.DOMAIN.com%2FCATEGORY%2FPOSTNAME

We've done this in the past when we had a massive attack, and Google did not raise a fit. So we had to remove the password protection in the meantime to appease the google gods. The authorization permission errors stopped climbing up, but stagnated (we were hoping it would go down).

Alika, that's too bad.

One of my hosts took it upon themselves to secure the shared servers against these attacks. They do a really good job of educating Wordpress users on how to be secure, but then they also take responsibility for it at the server level.

If you do a search, you can find blogs reporting what usernames and passwords the attack is targeting. If you don't use any of them (and you shouldn't), you should be safe. That said, some of the passwords the hackers are using were very strong and bizarre, which no one understands at this point (no one I've read anyway).

We've done this in the past when we had a massive attack, and Google did not raise a fit. So we had to remove the password protection in the meantime to appease the google gods.

When would you let Google crawl your admin pages?

That's insane.

One should avoid using common username "admin". Use a combination of alpha numeric and special symbols while creating password and username.

I did this way

location /wp-login.php {
 valid_referers site.ru;
 if ($invalid_referer) {
 return 444;
 }
}

I'm seeing evidence of the botnet attack - straightup uname/pwd attempts. But I also see an increase in injection attacks as well. Both started about the same time - last Friday.

There always hacking the .htaccess file!

I don't lose any sleep over wordpress because I am not running it.

That pretty much sums up my attitude.

I have some fond memories of early versions of wordpress, mostly because they spent time on making the software's interface usable. On the security front, they've, unfortunately, have always seemed to be a step behind.

When would you let Google crawl your admin pages?

Googlebot does not want to crawl the admin pages. It is complaining that the login page is crawlable: it is probably linked to from the rest of the site if its a typical WP theme.

THis problem is not a flaw is WP. Its a brute force attack that works on people who pick bad passwords. The only fault in WP was using the default username "admin".

it is probably linked to from the rest of the site if its a typical WP theme.

Login page is not linked to from the rest of the site. It's a highly customized WP theme and we made sure we don't link the login page anywhere

Which begs the question of why Googlebot was trying to crawl it at all.

If you do a search, you can find blogs reporting what usernames and passwords the attack is targeting.

If you do a search and don't word your query exactly right, you will instead find loads of useful and informative discussions on how to change, recover or reset a forgotten password via assorted ventures into the sql database.

For a given definition of "change", "recover" etc. anyway.

Don't some people deal with crawler authorization issues by using the "Satisfy any" construct, meaning that a visitor has to either log in or be the Googlebot?