Wordpress users are being advised by its founder, Matt Mullenweg, to update their security settings following sustained botnet attack involving ‘tens of thousands’ of computers.
The attack, which has been ongoing for a week, targets individual accounts where the username has defaulted to admin, bombarding them with thousands of popular passwords to gain access.
Some 17 percent of the world’s websites are currently powered by Wordpress, the equivalent of 64m separate sites, which gives an indication of the true scale of the problem.
Mullenweg wrote on his blog: “Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
"Here's what I would recommend: If you still use 'admin' as a username on your blog, change it, use a strong password.”