“The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords,” read the company’s blog.
WordPress developer Matt Mullenweg later acknowledged the problem on his own blog, detailing steps users could take to further protect their accounts.
His primary suggestion was that users “change” their usernames and stop using “Admin,” which was the default before WordPress 3.0.
Mullenweg also suggested using a “strong” password and, for users with WordPress.com accounts, activating “two-factor authentication.”
The botnet reportedly uses 90 thousand IP addresses. There are more than 60 million WordPress websites worldwide.