
Rate-limiting login attempts out-of-the-box is something Wordpress should have included a LONG time ago. Maybe 1% of installs will set up the plugin to do this. No idea why they haven't added this yet.



History has shown that Wordpress developers prioritise shiny new features over all other concerns.


Yep, I have to develop 'WordPress sites' sometimes and the only consistency is its awfulness. It's the PHP of PHP.

Having a default username in the first place is incredibly poor practice. So many users stick to 'admin', making it just a case of guessing the password.

And don't get me started on that bloody "the loop" finite state machine. I mean, really?


I actually find Wordpress to be much lighter and cleaner than many other CMS systems. It's impressive to me that the code is relatively consistent despite going through years of iterations. I also find the plugin mechanics of Wordpress to be simple to understand. It's got plenty of room for improvement but I think it's got a lot of good qualities too.


It has been consistent, all right. Consistently terrible. For years.

Every time I duck under the hood to debug something I always come away stunned and disturbed by the frequent use of globals, the frequent interleaving of different concerns and basically the all-round untraceability of the design as soon as themes or plugins are added. It's horrid.

Oh! And there are still no unit or functional tests. And no concept of release management (such as having security patches released independently of feature patches), which is why every Wordpress administrator gets to play their favourite game when there's a new release: continue with known-security-flaw code, or install code that might just blow away your data?

Place yer bets, place yer beeeets!


Yeah, that hits home. I build Wordpress websites daily and also manage a number of them which are years old and I had no hand in making. Pressing that update button on some of these sites really is like Russian roulette.


Not sure of the quality of it, but Wordpress does have an automated test suite: http://make.wordpress.org/core/handbook/automated-testing/ https://unit-tests.svn.wordpress.org/trunk. Do you have any experience with those?


Well I am happy to eat my hat on this one, with a side of crow.


Well the entire style of WordPress uses the global namespace for everything so you do have to get over that shock. But, once you do there's a kinda simplicity to the whole thing. That's my impression anyway.


"It's the PHP of PHP" - quote of the year.


That's usually the first mod done for clients who insist on using WP. For a few clients specifically, we don't let any users set their passwords at all; they get a randomly generated password upon registering or reset.

WP is a good platform that does a lot out of the box (performance could use some work too though), so I don't think we should throw the baby out with the bathwater. There's just some housekeeping that needs to be taken care of beforehand.

The alternative, of course, is building something custom with the bare minimum of necessities server-side and scrubbing all input/global vars. A lot of flexibility can still be retained by implementing a taxonomy system that defines what posts can be (which is pretty much a very loose Entity-Attribute-Value model).


Which particular plugin would you recommend?


I've been using Better WP Security, one of the two linked in the article, and have nothing but good things to say. And the developer is on top of it.


Ditto for BWPS. You always want to pick plugins where the developers are actively participating in the community and regularly staying on top of any potential security issues.


http://www.wordfence.com/ here. Implemented it ever since I started noticing these attacks.


Unfortunately it doesn't look like that would do any good here.

With over 200k different botnet-controlled machines, all that tracking the IP sources would do here is create massive blocklists. There's already evidence growing that the botnet is trying 2-3 passwords per source IP, effectively bypassing existing limiting plugins.

A solution to the above is to limit the logins per account per timeframe, but that just locks the legitimate users out, causes the botnet to spread out the attack over longer periods, and ultimately only has a negative effect for the user.

The hosts are feeling the pain though; I've seen some hosts disabling access to wp-login.php entirely. This tells me that the shared hosts are having resource issues, so a limit-login style plugin would do zero to help them; it'd still cause massive problems for the host.

WordPress, Joomla, and other smaller CMSes are being targeted here, so this is by no means just WordPress's problem either.


I get what you're saying but if the default setup were to rate-limit per-account logins, there'd be little reason for these botnets to do what they're doing. They don't want to block admin access to their CMS. They want to have actual access. Effective rate-limiting per-account would kill the effectiveness of their efforts.
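To make the per-IP versus per-account argument in the two comments above concrete, here is a small simulation. It is an added example written for this page, not code from any commenter, from WordPress or from the plugins named in the thread; the limits, the 15-minute window and the attack trace (200 constructed source addresses from the 203.0.113.0/24 documentation range, each trying three passwords against one account) are all assumptions chosen for the demonstration. It also shows the delay-based variant of per-account throttling that answers the lockout concern raised upthread.

```python
"""Per-IP vs per-account login-attempt limiting (added example).

Simulates a distributed guessing run in which each source IP submits only
a few failed logins against a single account. A per-IP limiter never fires,
because no single address crosses its threshold; a per-account sliding
window fires after the configured number of failures regardless of how the
attempts are spread across sources. All numbers and addresses are constructed.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Count failed attempts per key inside a trailing time window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record_failure(self, key, now):
        """Record one failure at time `now`; True when the key is over the limit."""
        q = self._prune(key, now)
        q.append(now)
        return len(q) > self.limit

    def failures(self, key, now):
        """Number of failures for `key` still inside the window."""
        return len(self._prune(key, now))


def backoff_delay(failures, base=2.0, cap=60.0):
    """Per-account response delay in seconds: none for the first few failures,
    then doubling up to `cap`. Delaying (instead of hard-locking the account)
    throttles a distributed guesser without letting it lock out the real user."""
    if failures < 3:
        return 0.0
    return min(cap, base * 2 ** (failures - 3))


def botnet_attempts(num_ips=200, guesses_per_ip=3, account="admin", spacing=1.0):
    """Constructed attack trace: (time, source_ip, account) tuples in which each
    of `num_ips` sources submits only `guesses_per_ip` failed logins."""
    if num_ips > 256:
        raise ValueError("demo trace uses a single /24 of documentation addresses")
    now = 0.0
    for i in range(num_ips):
        ip = f"203.0.113.{i}"  # constructed, RFC 5737 TEST-NET-3
        for _ in range(guesses_per_ip):
            yield now, ip, account
            now += spacing


def simulate(num_ips=200, guesses_per_ip=3, ip_limit=5, account_limit=10, window=900):
    """Run the trace through both limiters and report what each would have blocked."""
    per_ip = SlidingWindowLimiter(ip_limit, window)
    per_account = SlidingWindowLimiter(account_limit, window)
    result = {"total": 0, "ip_blocked": 0, "account_blocked": 0, "first_account_block": None}
    for n, (now, ip, account) in enumerate(botnet_attempts(num_ips, guesses_per_ip), 1):
        result["total"] += 1
        if per_ip.record_failure(ip, now):
            result["ip_blocked"] += 1
        if per_account.record_failure(account, now):
            result["account_blocked"] += 1
            if result["first_account_block"] is None:
                result["first_account_block"] = n
    # What the legitimate owner of the account would see right after the run:
    # not a lockout, but the capped delay.
    result["owner_delay_after_attack"] = backoff_delay(per_account.failures("admin", now))
    return result


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

With the constructed numbers (5 failures per IP per 15 minutes, 10 per account per 15 minutes) the per-IP limiter blocks nothing, since every source stops at three guesses, while the per-account window starts rejecting at the eleventh attempt and blocks the remaining 590. The account owner afterwards gets a 60-second delay rather than a locked account, which is the trade-off the thread is arguing about: a hard per-account lockout hands the botnet a denial of service, a capped delay does not.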


Indeed a massive pain. I've been getting alerts from dreamhost regarding increased memory usage. I have http://www.wordfence.com/ installed and my blocklist only increases.



