We’re seeing an unusually large WordPress attack underway. Our automated alert system triggered and posted to Facebook and Twitter earlier today. The attack is visible on http://www.wordfence.com/, where it is currently peaking at 40,000 attacks per minute. Normal attack frequency is around 2,000 attacks per minute.
The attack started at 7:30 AM Pacific Time this morning and is still underway. It comes from a large botnet that is generating a huge number of failed WordPress login attempts.
We recommend ensuring that all your WordPress admin accounts use strong passwords, that you have Wordfence installed, and that the number of login failures is set to 20 or fewer on the Wordfence options page.
You should have “Count login failures over what time period” set to 5 minutes and “Amount of time a user is locked out” set to 1 hour. An hour may not seem like much, but it will effectively defeat a password-guessing attack.
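The effect of these settings can be checked with a small simulation. This is an added example, not Wordfence's code: the `LoginThrottle` class, the sample IP address and the assumption that the lockout starts when the failure count reaches the limit are all illustrative.

```python
from collections import defaultdict, deque

MAX_FAILURES = 20          # number of login failures (page: 20 or less)
WINDOW_SECONDS = 5 * 60    # "Count login failures over what time period"
LOCKOUT_SECONDS = 60 * 60  # "Amount of time a user is locked out"


class LoginThrottle:
    """Per-IP sliding-window failure counter with a timed lockout (illustrative)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Record one failed login; return True if the password was checked."""
        if self.is_locked(ip, now):
            return False                     # rejected before any password check
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            # Assumption: the lockout begins when the count reaches the limit.
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return True


def guesses_tested(throttle, ip, duration, interval=1):
    """Count the guesses from one IP that reach the password check."""
    return sum(throttle.record_failure(ip, t) for t in range(0, duration, interval))


if __name__ == "__main__":
    day = 24 * 60 * 60
    # Constructed traffic: one address sending a failed login every second for a day.
    print("with lockout:   ", guesses_tested(LoginThrottle(), "203.0.113.7", day))
    print("without lockout:", day)
```

With the recommended settings, one address guessing once per second gets 480 password checks in a day instead of 86,400. Each address is counted separately.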
We also recommend you enable “Participate in the Real-Time WordPress Security Network” because this will immediately lock out any attacks from the botnet that is responsible for the current attack.
Please share this info with friends and colleagues who use WordPress to ensure they stay safe and secure.