WordPress Brute Force Protection
WordPress' big selling point is simplicity of use. That suggests it has enormous appeal right at the bottom end of the marketplace. Down at this level, even in 2013, sites are generally little more than static brochureware that gets updated rarely, if at all. With nothing to change, the sites' owners do not log into WordPress, so they don't see the software upgrade notices. Or if they do, they don't know exactly what they mean. This is where businesses hesitate to invest even a thousand dollars on a site, so asking them to shell out more cash for "repair and maintenance" is a wild-goose chase: exactly what visible difference does it make? Besides, they'll say, they have somebody who "takes care of" their site.
WordPress has been a boon for them. Its multitudinous free or cheap themes and plugins make it possible to build a suitable website with plenty of functionality without having to dirty their hands with actual code.
Forgive me, for I will commit the sin of extrapolating from personal experience, but in nearly 2 decades, I have yet to encounter a "web designer" with halfway-decent security practices, by which I mean creating a separate login for each human rather than a generic "admin" account, creating strong passwords, not reusing passwords, deleting unused accounts, and not blithely emailing a business' master web hosting password to any sub-contractor who might require temporary access. Indeed, many of those I've encountered have purposely set the WordPress admin password (or its equivalent in pre-WordPress days) to be exactly the same as their customer's hosting account master password, their domain registry password, the login on their computer, and everything else in sight to "make it easier", because that gets rid of those irritating "I have actually lost my password" support calls.
WordPress is now the tool of choice for these individuals, and they've built millions of WordPress websites. As I write this, the WordPress download counter informs me that 17,594,130 people have downloaded the current WordPress version 3.5 and, erm, counting. Over at the stats page, a rather alarming pie chart tells us that version 3.5 accounts for only 30.5 percent of running WordPress installations. More than two-thirds of WordPress installations are running versions with known security vulnerabilities? A password-guessing botnet would be the least of our fears.
While CloudFlare was talking up this attack, Sucuri Security was talking it down. They were seeing "just" around three times the number of password-guessing attempts they normally see.
Could it be just a trial, or the calm before a much bigger storm? My impression is that WordPress websites are generally hacked as part of black-hat search engine optimisation (SEO) operations, generating links to their masters' sites for the extra Googlejuice, without any attempt to compromise the hosting account or the server it runs on. Most low-end WordPress websites run on servers with plenty of spare capacity. "Apparently, someone is developing a powerful botnet of compromised WordPress accounts that is likely to be utilized in a much larger attack," said a relatively sober post at Threatpost, though they add one proviso: "Some specialists are speculating."