Huge attack on WordPress sites could spawn never-before-seen super botnet (opens in new tab)

WP is a good platform that does a lot out of the box (performance could use some work too though), so I don't think we should throw the baby out with the bathwater. There's just some housekeeping that needs to be taken care of beforehand.

The alternative, of course, is building something custom with the bare minimum of necessities server-side and scrubbing all input/global vars. A lot of flexibility can still be retained by implementing a taxonomy system that define what posts can be (which is pretty much a very loose Entity-Attribute-Value model).

With over 200k different botnet controlled machines, all that tracking the IP sources would do here is create massive blocklists. There's already evidance growing that the botnet is trying 2-3 passwords per source IP - effectively bypassing existing limiting plugins.

A solution to the above is to limit the logins per account per timeframe, but that just locks the legitimate users out, causes the botnet to spread out the attack over longer periods, and ultimately only has a negitive affect for the user.

The Hosts are feeling the pain though, i've seen some hosts are disabling access to wp-login.php entirely, this tells me that the shared hosts are having resource issues, so a limit-login style plugin would do zero to help them, it'd still cause massive problems for the host.

WordPres, Joomla, and other smaller CMS's are being targetted here, so this is by no means just WordPress's problem either.

Two-facor auth just adds to complexity, and that is a bad thing when it comes to secutiry. You want to be able to easily understand that a system is secure. The more complex a system is, the larger the likelyhood of a surprise "whoops, I overlooked that" somewhere down the road.

For 2/3 of the WordPress sites I administer, I use a very long, complex admin password. The other site is for a group that wanted multiple admin accounts, but the people who use these accounts have a lot of trouble with complex passwords. After several emails telling me that "the website doesn't work" because the user had trouble with a long password with special characters, I gave up and switched it to an easy-to-remember password with just uppercase and lowercase letters.

What about non-technical users? Multi-author blogs? Idiot-proof extensibility? Updates from phones and tablets? Huge sites with thousands of posts? Editorial and review systems? Access to thousands of cheap or free themes?

The ideal static site user is in a pretty privileged group. Most WordPress users would be better off securing WordPress and using a caching plugin that gives them the benefits of a powerful, dynamic platform while serving static files with automatic serverside compilation: http://wordpress.org/extend/plugins/wp-super-cache/

WordPress

1) Beginner friendly

- One doesn't need to be a coder or mess with cmd to use it.

- Abundance of tutorial(text/audio/video)

- You can host it anywhere, even for free. FTP? I know that from work.

- Hosting provider even install it for you

- Expert support is all over the web

- Drupal and Joomla can't beat WordPress new user adoption, why? They're made to be customized(more developer-centric). Too much option is apparently not good for new user.

2) Features

- Need something? there's plugin for that

- People/visitors loves nice design/layout, WordPress have thousands of themes

- Secure. Attacked by some random ddos/script kiddies? Hosting provider will take care of it. Malicious code? same case.

Static site generator.

1) Beginner friendly

- Yes, at least if you're familiar with cmd.

- Most tutorial suggesting Amazon S3/CDN/cloud etc. Well those service are inaccessible to many.

- Write new post, generate, upload...complicated!

- Lets embed image/audio/video with one-click...nope!

- Lets edit old blog post... oh why art thou so hard

- Lets try it on my phone, nope!

2) Features

- I want to add Facebook comment, how? Read the manual, download that, configure...blabla. No thanks

- Lets add analytics code. Edit template and insert this javascript, save and regenerate...blabla. No thanks

Conclusion : it might be a piece of cake for you but not to most people. Remember "most user are idiot"?. If I want to have simple static blog with nice editor I would use Blogger. Dumping random text? I have pastebin for that. Static site generator sure is attractive but we are just not there yet.

I have a feeling that 'campaign' to promote static site generator to WordPress user is strikingly similar to Windows-to-Linux campaign. It just never going to happen for most user, at this rate.

I use it pretty much everywhere that I have anything to do with WordPress - I'd noticed an uptick early this week of random ip addresses from far-flung countries getting locked out after 5 login attempts or multiple lost password attempts.

(One site in particular gets a _lot_ of drive-by login attempts - it's got the word "anonymous" in the domain, which I suspect attracts mostly the wrong sort of traffic... Wordfence is locked down _much_ tighter on that site.)

8.5% have the passwords password or 123456;

9.8% have the passwords password, 123456 or 12345678;

14% have a password from the top 10 passwords

40% have a password from the top 100 passwords

79% have a password from the top 500 passwords

91% have a password from the top 1000 passwords

http://xato.net/passwords/more-top-worst-passwords/

Find a good host, use a secure password password, pay attention to the 3rd party plugins you're installing, and keep your install updated.

Then I saw the source for this "news": Cloudflare's blog.

2) WP Better Security

3) WPScan (https://github.com/wpscanteam/wpscan)

Should be sufficient for most small/medium installation