WordPress has been attacked by a botnet of “tens of thousands” of individual computers since last week, according to server hosters Cloudflare and Hostgator.
The botnet targets WordPress users with the username “admin”, trying thousands of possible passwords.
The attack began a week after WordPress beefed up its security with an optional two-step authentication log-in option.
The site currently powers 64m websites read by 371m people each month.
According to survey website W3Techs, around 17% of the world’s websites are powered by WordPress.
“Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it, use a strong password,” wrote WordPress founder Matt Mullenweg on his blog.
He also advised adopting two-step authentication, which involves a personalised “secret number” allocated to users in addition to a username and password, and ensuring that the latest version of WordPress is installed.
“Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP [address] a second for 24 hours),” Mr Mullenweg added.
Matthew Prince, chief executive and co-founder of Cloudflare, said that the aim of the attack might have been to build a stronger botnet.
“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” he wrote in a blog post.
“These larger machines can cause much more damage in DDoS [Distributed Denial of Service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” he added.