There is currently a highly distributed, global attack taking place against WordPress installations everywhere. The attack is one of the more organised we have seen and is creating a high volume of accesses against wp-login URLs across our network. The attack is designed to compromise servers running WordPress so that they can become part of a large remotely controlled “botnet” that can be used by criminals to disrupt the internet.
For this reason, we urge our users to ensure that any WordPress user accounts, especially those with admin/editor/contributor access, have their passwords reset to one that meets or exceeds the recommendations shown on the WordPress website. A good password should be a non-repeating string at least 8 characters long that includes upper and lower case letters, numbers and special characters.
While we are taking steps to mitigate the attacks at the network level, there is only so much we can do. If your installation has a weak password, it will remain at risk.
There is little information regarding the precise nature of the WordPress exploit that the attackers intend to use, so again, it is important that you ensure your WordPress installation, theme and plugin files are all up to date.
As we hear more, we will post it here.
In the short term, we recommend this plugin (although we cannot accept any liability for any problems it may cause):
This will refuse login attempts from any IP address that fails to log in correctly more than a handful of times.
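The per-IP threshold described above can also be checked against web server access logs. The following is an added example, not part of the original advisory or the plugin's code: it assumes combined-format access logs and that WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect. The function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the start of an Apache/nginx "combined" format access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def _line(ip, method, status):
    # Helper that builds one constructed sample log line.
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "-"')

# Constructed sample input (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "POST", 200)] * 5      # repeated failures, one source
    + [_line("198.51.100.7", "POST", 200)] * 2   # a few failures
    + [_line("198.51.100.8", "POST", 200)]       # a single failure
    + [_line("192.0.2.10", "GET", 200),          # viewing the form only
       _line("192.0.2.10", "POST", 302)]         # successful login (redirect)
    + ["not a log line"]                         # malformed input is skipped
)

def failed_logins_by_ip(log_text):
    """Count probable failed wp-login.php attempts per client IP.

    Assumption: POST + HTTP 200 means the login form was re-rendered (failure).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if (m.group("method") == "POST"
                and path.endswith("/wp-login.php")
                and m.group("status") == "200"):
            counts[m.group("ip")] += 1
    return counts

def summarize(log_text, threshold=3):
    """Report overall failure volume and the IPs above the per-IP threshold."""
    counts = failed_logins_by_ip(log_text)
    return {
        "total_failures": sum(counts.values()),
        "distinct_ips": len(counts),
        "over_threshold": sorted(ip for ip, n in counts.items() if n > threshold),
    }
```

The `total_failures` and `distinct_ips` figures show how much login traffic arrives from sources that each stay under the per-IP limit, which is why a strong password is still needed alongside the lockout.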
You can also restrict access to your WordPress login screen by adding an extra layer of security using the webserver’s built-in password protection facility. This is described on our support website here: