Attacks Seen on WordPress Sites — Is Your Online Business Vulnerable?

Man with hammer hacking on site with WordPress inside

There is a lot of buzz on the Internet this week about WordPress-based websites coming under attack. Leading tech sites, news feeds and other respectable sources are reporting on what is by far the largest onslaught on blogs and websites using the WordPress platform.

(Image credits: Man with hammer, House – 123RF Stock Photos; WordPress logo – WordPress; Composite image: Sublime Success Pte. Ltd.)

This write-up is adapted from an article which appeared on, titled ‘Botnet Attacks Seen on WordPress Sites – “admin” Login Targetted’. Used with permission.

Under Attack: Websites Using WordPress

In fact, as early as on April 11th, web hosting provider Hostgator sounded the alarm on seeing a massive and highly-distributed global attack on WordPress installations. Their blog post mentioned that the attack had actually begun a week earlier, died off slightly, but is now seen picking up steam.

No one knows when it’ll end, a view echoed by many like Zack Whittaker on ZDNet and Cloudflare’s CEO, Matthew Prince (as reported by the BBC here).

Why Target WordPress?

As the BBC said in their report, WordPress powers about 17% of the world’s websites according to W3Techs, a survey website. Add to that the 64 million sites hosted at and you can see why hackers could have a field day trying to crack them.

Vulnerabilities are inadvertently found in software. Most times, these will be discovered later and fixed by upgrading to the latest version. (As of this writing, Version 3.5.1 is the latest for WordPress.) Many of us using the Windows OS know the need to keep up with the latest, especially when security loopholes are being plugged.

WordPress Users Are Lax on Security

In this particular attack, hackers are exploiting a basic weakness: users tend to use the default “admin” user name when setting up a new WordPress installation. They have an easier way in, needing to focus only on guessing passwords. And they know a lot of people are lazy and opt for easy-to-remember passwords.

So that’s what the hackers could be doing: looking for easy-to-crack WordPress sites that are lax in security. With their large online network, they could quickly discover many vulnerable websites to infiltrate and exploit. No one knows what they’ll do with them though, and this is what makes it particularly worrisome.

This Concerns Everyone!

Cyber attacks are a big concern for everyone online. They are capable of disrupting Internet service by causing denial of service, for example. A mere flooding of online traffic coming from a large network of diverse computer installations can put Web servers at their mercy and pull everything online to a screeching halt.

The implications on operations which depend on online connectivity and access — security, transportation, financial markets, businesses, etc. — is profound. As such, the current WordPress attack cannot be dismissed as trivial.

Are Your Web Properties Secured?

Does your business use websites based on WordPress? Chances are it does, so how secure are they? Are you guilty of using simple user names and easy-to-guess passwords? Isn’t it high time you beef things up?

Prevention Is Better Than Cure

Unfortunately, hackers can’t be stopped completely. The nature of how software is developed and deployed inadvertently creates opportunities for the clever but sly to utilize it for their own gains. At the best, all we can do is to protect our online properties with the most secure lock and key available.

Prevention is definitely better than cure in this case. No one wants to have to clean up a compromised website and try to restore it back to its former glory — even a paid webmaster would dread this. More importantly, you can’t afford your online business to go down and choke your income stream.

What You Can Do

If you are serious about safeguarding your web properties, speak with a qualified marketer who not only knows about online business but technical aspects as well. At the very least, your arsenal should include strong user authentication, scheduled system backups and WordPress-related upgrades. Advanced safeguards are available to harden websites.

While there are no guarantees that your beefed-up websites won’t become targets, at least you’d have raised the level of difficulty enough to deter many hackers. Die-hards may persist longer but the lure of so many unprotected sites out there would distract them mostly.

Sadly, this could mean that your competitors may become easier targets as attackers go elsewhere looking for weaker locks to break. By no means should you view this as your competitive advantage; rather, it’s just prudent to have sufficient insurance, even for web properties.