There’s been a spate of attacks against WordPress highlighted last month by WordPress (Matt Mullenweg) and continuing to affect hosts this month (DreamHost in my case, May 11, 12, 13, 14 etc.). Bringing down services and sites. Brute force attacks by robot agents attempting automated logins to hack into WordPress accounts and their hosts.
I did my duty last month and tightened-up all my WordPress account admin user ID’s and Passwords, and I’ve always kept my WordPress version up to date (and as Matt suggests, I’ve never been hacked so far as I can tell, touch wood), but in fact there are a whole host of “hardening” recommendations to tighten up WordPress security. I think I will at least set a plug-in to limit and reject multiple automated login attempts, but there are many more housekeeping measures. WordPress and DreamHost (and BlueHost, GoDaddy, etc) need to highlight these to ALL their users. (Of course once trolls do get even partial admin access inside such accounts, then the brute-force login traffic is the least of our concerns.)
The issue is not that WordPress (or DreamHost) are particularly insecure or incompetent, just that so much of the world’s web traffic goes through WordPress pages – something like 20% (or over 20% of the top million, depending whose stats are most current & reliable). Not surprisingly at least that proportion of troll hacking attempts are targetting WordPress.
There is a tendency to think “why would my little old web site be targetted” – why would anyone waste their time hacking me for anything other than mischievous nuisance reasons, but of course that is the wrong way to look at it. Every site is a potential back door to the hosts’ networks. Which means that the hosts need to take responsibility sure, but so do WordPress users. Even if you’re not using WordPress, your host is hosting many users who are, so the service you get (and give) is affected by this issue. We’re all in this together – it’s like “barn-raising” to quote Matt.
Make sure you (and any friends who are WordPress users) act to help secure your sites and your hosts.