WordPress sites under massive brute-force attack

Any owner of WordPress site is shaking causes of the threat that someone could steal its credentials, everybody would do well to ask themselves if their passwords are really strong and to make sure to don’t use as username the word “admin.”

The reports published by CloudFlare and HostGator revealed a massive attack being launched against WordPress blogs all over the Internet, the alert is related to a massive brute-force dictionary-based attack that could expose the password for the ‘admin’ account of every WordPress site.

“At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).”Hostgator recommended to its users.

CloudFlare CEO Matthew Prince revealed to the Tech Crunch web site that the attackers used a botnet composed of about 100,000 bots  and almost every WordPress site on its networks has been attacked.

The position of HostGator is not different, the company revealed a structured attack that originated at least from 90,000 different machines.

According Sucuri study:

“As you can see from our numbers, we were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days.” 

The situation is critical for various reasons, the exposure of WordPress password could open the doors to the attacker that could hit the web site targeted and in case the password is shared between various web services he could gather the access to further precious information.

CloudFlare experts believe that attackers are still arranging their offensive trying to recruit new machine and building a larger botnet to involve a further attack, the security team is convinced that the botnet is actually composed by Home PCs having reduced capabilities.

Hosting providers of all the world are implementing measures to protect their assets and customers against the attacks, a good defense could be for example the installation of a plug in that limit the number of login attempts from the same source (e.g. Wordfence Security) and of course it is suggested to adopt strong passwords.

WordPress founder Matt Mullenweg declared that another good measure to mitigate the attack is the change of ‘admin’ username.

It’s not first time that hackers hit the popular WordPress, in 2012 a flaw in outdated version of TimThumb, a php script for cropping, zooming and resizing web images used as the default by many WordPress templates exposed the community to a serious threat.

It’s also suggested to all site hosted on WordPress.com to activate two-factor authentication to improve overall security, other good practices are the use .htaccess to protect the admin area and rename of login pages.

Pierluigi Paganini

(Security Affairs – Hacking)