Categories: HackingSecurity

WordPress sites under massive brute-force attack

Any owner of WordPress site is shaking causes of the threat that someone could steal its credentials, everybody would do well to ask themselves if their passwords are really strong and to make sure to don’t use as username the word “admin.”

The reports published by CloudFlare and HostGator revealed a massive attack being launched against WordPress blogs all over the Internet, the alert is related to a massive brute-force dictionary-based attack that could expose the password for the ‘admin’ account of every WordPress site.

“At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).”Hostgator recommended to its users.

CloudFlare CEO Matthew Prince revealed to the Tech Crunch web site that the attackers used a botnet composed of about 100,000 bots  and almost every WordPress site on its networks has been attacked.

The position of HostGator is not different, the company revealed a structured attack that originated at least from 90,000 different machines.

According Sucuri study:

“As you can see from our numbers, we were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days.” 

The situation is critical for various reasons, the exposure of WordPress password could open the doors to the attacker that could hit the web site targeted and in case the password is shared between various web services he could gather the access to further precious information.

CloudFlare experts believe that attackers are still arranging their offensive trying to recruit new machine and building a larger botnet to involve a further attack, the security team is convinced that the botnet is actually composed by Home PCs having reduced capabilities.

Hosting providers of all the world are implementing measures to protect their assets and customers against the attacks, a good defense could be for example the installation of a plug in that limit the number of login attempts from the same source (e.g. Wordfence Security) and of course it is suggested to adopt strong passwords.

WordPress founder Matt Mullenweg declared that another good measure to mitigate the attack is the change of ‘admin’ username.

It’s not first time that hackers hit the popular WordPress, in 2012 a flaw in outdated version of TimThumb, a php script for cropping, zooming and resizing web images used as the default by many WordPress templates exposed the community to a serious threat.

It’s also suggested to all site hosted on WordPress.com to activate two-factor authentication to improve overall security, other good practices are the use .htaccess to protect the admin area and rename of login pages.

Pierluigi Paganini

(Security Affairs – Hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

10 hours ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

11 hours ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

20 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

22 hours ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

23 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

1 day ago