Here is a great article that’s been making the round regarding the hows and whys of the recent WordPress attack and what you can do to prevent their success:
There is a very real, very large ongoing attack against WordPress sites. It has been going on for a while now, but it severely escalated last week.
While there is a lot of chatter about this situation around the web, I thought I should write this post for two reasons: 1) not everyone in our community follows all of the WordPress and tech news and 2) most of the coverage has been either extremely technical or very light on details and recommendations. My goal in this post is to not only inform you about what is happening but why it is happening and what you can do about it.
The details of the attack has been covered far and wide. Hostgator was one of the first big names to break the news about the attack with their Global WordPress Brute Force Flood post. The WordPress security team at Sucuri has as series of blog posts about the topic covering how to protect your site, the reality of the attacks, and the consequences of such attacks. Security blog Krebs on Security has a good post covering the topic in depth.
The short and simple explanation of what is happening is that one or more illegal botnets (a network of hundreds, thousands, or millions of compromised computers that are being exploited to perform attacks, send spam, etc) are being used to brute-force attack WordPress sites. The goal of a brute force attack is to try as many username and password combinations as possible in order to find valid login credentials. It’s as if someone was trying to guess the combination on a combination lock, but rather than being limited to a single guess every few seconds, they could make hundreds or thousands of guesses a second while never getting tired.
Read the full article on iThemes.com.