Wordpress website targeted by hackers
Wordpress has been under attack since last week from a botnet of "tens of thousands" of individual computers, according to server hosting companies Cloudflare and HostGator.
source: BBC News
The botnet targets Wordpress users with the username "admin", trying thousands of possible passwords.
The attack began a week after Wordpress beefed up its security with an optional two-step authentication log-in option.
The site currently powers 64m websites read by 371m people each month.
According to survey website W3Techs, around 17% of the world's websites are powered by Wordpress.
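The pattern described above (one username, "admin", guessed from tens of thousands of machines) can be shown from the defender's side: a failure counter keyed on source IP stays quiet, while the same counter keyed on username trips. This is an added example, not code from the BBC article, Wordpress or any plugin; the event format, window and thresholds are assumptions and the log data is constructed.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 60          # seconds per sliding window (assumed value)
PER_IP_LIMIT = 5     # failures allowed per source IP per window (assumed)
PER_USER_LIMIT = 20  # failures allowed per username per window (assumed)

def constructed_events(seconds=300):
    """Constructed sample of failed logins as (timestamp, source_ip, username).

    One 'admin' failure per second, each from a different address, plus two
    mistyped passwords from a single legitimate user.
    """
    base = ipaddress.ip_address("10.0.0.0")
    events = [(t, str(base + t), "admin") for t in range(seconds)]
    events += [(10, "192.0.2.7", "editor"), (40, "192.0.2.7", "editor")]
    return sorted(events)

def over_limit(events, field, limit, window=WINDOW):
    """Return the keys (IPs if field=1, usernames if field=2) whose failure
    count inside any sliding window exceeded `limit`."""
    recent = defaultdict(deque)
    flagged = set()
    for event in events:                      # must be in timestamp order
        ts, key = event[0], event[field]
        times = recent[key]
        times.append(ts)
        while times[0] <= ts - window:        # drop failures outside the window
            times.popleft()
        if len(times) > limit:
            flagged.add(key)
    return flagged

def analyse(events):
    """Compare what a per-IP counter and a per-username counter would flag."""
    return {
        "by_ip": over_limit(events, 1, PER_IP_LIMIT),
        "by_username": over_limit(events, 2, PER_USER_LIMIT),
    }

if __name__ == "__main__":
    print(analyse(constructed_events()))
```

The per-username count is a detection signal only: locking the account when it trips would also lock out the real owner.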
"Here's what I would recommend: If you still use 'admin' as a username on your blog, change it, use a strong password," wrote Wordpress founder Matt Mullenweg on his blog.
He also advised adopting two-step authentication, which involves a personalised "secret number" allocated to users in addition to a username and password, and ensuring that the latest version of Wordpress is installed.
"Most other advice isn't great - supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn't going to be great (they could try from a different IP [address] a second for 24 hours)," Mr Mullenweg added.
Matthew Prince, chief executive and co-founder of Cloudflare, said that the aim of the attack might have been to build a stronger botnet.
"One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack," he wrote in a blog post.
"These larger machines can cause much more damage in DDoS [Distributed Denial of Service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic," he added.