Thousands of hacked WordPress sites used in global scale attacks

Pierluigi Paganini September 26, 2013

Thousands of WordPress based websites have been hacked to compose a global scale botnet that is performing powerful DDOS attacks.

I start the post with recommendations, if you are a blogger using WordPress don’t waste time and update it and all installed plugins to the latest versions!

Have you done it? OK, now I can explain you what it is happening.

Thousands of WordPress blogs have been hacked to compose a global scale botnet that is performing powerful DDOS attacks.

We read in the past of a massive cyber attack coordinated with a huge botnet against millions of websites based on the popular CMS WordPress, around 100000 servers were successful compromised fueling the malicious architecture used for the attack.

The news was reported by CloudFlare and HostGator that on April alerted the WordPress community on the ongoing massive attack launched against WordPress blogs all over the Internet, the alert was related to a massive brute-force dictionary-based attack conducted to expose the password for the ‘admin’ account of every WordPress site.

In August, 2013 researchers at Arbor Networks have discovered a botnet dubbed Fort Disco  that was used to compromise more than 6000 websites based on popular CMSs such as WordPress, Joomla and Datalife Engine.

My colleagues at TheHackerNews received a DDOS attack logs report from ‘Steven Veldkamp‘ that highlights that the victim’s website was under heavy DDoS attack recently, originated from numerous compromised WordPress based websites. It is highly probably that the ongoing attack is linked to the events occurred in April that allowed attackers to take control of a high number of vulnerable WordPress Hosts.

The attacks are very concerning due to the botnet extension and the high performance of bots. The offensive is conducted on a global scale and appears highly distributed in nature and well organized, for these reasons it is very difficult to block malicious traffic.

WordPress Massive DDoS attack
The attack logs from timing 23/Sep/2013:13:03:13 +0200 to 23/Sep/2013:13:02:47 +0200 revealed that just in 26 second attacker was able to perform a powerful DDOS attack from 569 unique compromised WordPress.
The list of sources used by attackers includes blogs of Mercury Science and Policy at MIT,  Stevens Institute of Technology and The Pennsylvania State University.
According to statistics proposed by WP WhiteSecurity, from 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.
 WordPress vulnerability statistics
Following other shocking statistics based on the analysis of  42,106 WordPress websites found in Alexa’s top 1 million websites.
  • 74 different versions of WordPress were identified.
  • 11 of these versions are invalid. For example version 6.6.6.
  • 18 websites had an invalid non existing versions of WordPress.
  • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
It is important to remark that the availability of automated vulnerability assessment tools and DIY attack tools on the black market is causing a meaningful increase in the number of cyber attacks.
Owners of Website based on WordPress CMS must improve at least basic security settings and implement best practices such as the use of robust passwords and the accurate management of  “admin” accounts.
Within the WordPress community are also already available interesting plugins that could help site managers to improve the security of their WordPress instance.
If you believe that the security of a WordPress based site has a limited impact on the Internet community you are wrong, the crocks could use the hacked platforms for various illegal activities …. we must stop them!

Pierluigi Paganini

(Security Affairs –  WordPress, DDoS, cybercrime)


you might also like

leave a comment