Over the past few days many security sites and web hosts around the world reported that a WordPress brute force attack was under way. Brute force means the attacks are attempts to find users that have weak passwords and outdated installations. Once the attacker has found a WordPress account with a weak password, it’s used to gain access to the administration panel. At that point, that site can be used in a variety of ways, but it is no longer controlled by the legitimate site owner. There are many articles on the subject out there, some of them detailed and very specific, but here is one that seems to give sufficient details without getting overly specific.
What that means is that here on this site, I have had to make some changes. Login attempts have been limited to two. After two failed login attempts, there must be a twenty-minute wait before attempting to log in again. I changed my password to something far more difficult and encourage anyone else who uses a WP site to do the same.
Lastly, on the advice of the webhost we use for this domain, all other users have been changed to contributors, meaning that they can no longer do their own publishing on the site. As an author, you can get access to the control panel in some form, which is to be avoided at this point. This last part is a temporary solution, one that needs to be revisited in the next week or so.