Hosting providers around the world are seeing a massive increase in
brute force attacks against WordPress and Joomla sites. Attackers are
looking to gain access to and compromise accounts, but failing that,
they are slowing down their targets or even rendering them unavailable
as they exhaust the sites’ resources.
Melbourne Server Hosting is reporting that it has seen signs over the past 48 hours of increased attempts, while Immotion Hosting has noted that they are coming from a large number of IP addresses spread across the world. This would suggest the attackers are using a botnet to break in; HostGator has said at least 90,000 computers are involved, while CloudFlare has noted that “more than tens of thousands of unique IP addresses” are being used.
Sucuri, a security firm that blocks various types of Internet attacks,
reports that it has also seen a notable increase. The company shared the following data points:
- December 2012: 678,519 login attempts blocked.
- January 2013: 1,252,308 login attempts blocked.
- February 2013: 1,034,323 login attempts blocked.
- March 2013: 950,389 login attempts blocked.
- April 2013: 774,104 login attempts blocked for the first 10 days.
The top five user names being attempted are admin, test,
administrator, Admin, and root. The top five passwords being attempted
are admin, 123456, 666666, 111111, and 12345678. Obviously, if you are
using any common user name or password, you should change it
immediately.
In other words, Sucuri has been seeing 30 to 40 thousand attacks per
day for the last few months, but this month that number has increased to
77,000 per day on average. In the last few days, the firm says the
figure has reached more than 100,000 per day, meaning the number of
brute force attempts has more than tripled.
For those who don’t know, a botnet refers to a group of computers
(sometimes called zombies) that have been infected with malware to
perform tasks for whomever distributed said threat. This individual, or
organization, controls the botnet by sending instructions to the zombies
from one or more Command & Control (C&C) servers.
A brute-force attack, meanwhile, refers to the systematic checking of
all possible passwords (or just popular ones) until the correct
password is found. A botnet is not required, but it helps: the work can be
spread across many computers, each checking different combinations from its
own address, so that no single source trips a failed-attempt limit.
While these attacks against popular content management systems are
nothing new, the sudden increase is a bit worrying. Until the botnet in
question is taken down, however, there is not much that can be done
aside from ensuring you are taking every precaution. That includes using
a solid username and password combination as well as ensuring your CMS
and plugins are up-to-date.
Almost 3 years ago we released a version of WordPress (3.0)
that allowed you to pick a custom username on installation, which
largely ended people using “admin” as their default username. Right now
there’s a botnet going around all of the WordPresses it can find trying
to log in with the “admin” username and a bunch of common passwords, and
it has turned into a news story (especially from companies that sell
“solutions” to the problem).
Here’s what I would recommend: if you still use “admin” as a username on your blog, change it; use a strong password; if you’re on WP.com, turn on two-factor authentication;
and of course make sure you’re up-to-date on the latest version of
WordPress. Do this and you’ll be ahead of 99% of sites out there and
probably never have a problem. Most other advice isn’t great —
supposedly this botnet has over 90,000 IP addresses, so an IP limiting
or login throttling plugin isn’t going to be great (they could try from a
different IP a second for 24 hours).
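The point made twice on this page, in the definition of a botnet-assisted brute-force attack and in the quoted advice that an IP-limiting plugin is not much use against 90,000 addresses, is easiest to see in log data. The following detection script is an added example, not code from the article, from Sucuri or from WordPress. It parses constructed web-server authentication log lines (the line format, addresses and timestamps are assumed) and compares a classic per-IP lockout rule with a per-account rule that counts failures and distinct source addresses for each username; it also reports which of the commonly targeted usernames listed above were hit.

```python
"""Distributed brute-force detection over constructed auth log lines.

Constructed line format (an assumption, not any real server's format):
    <ip> <timestamp> <FAIL|OK> user=<username>
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<result>FAIL|OK) user=(?P<user>\S+)$')

# Constructed sample: forty botnet nodes each try "admin" exactly once
# (so a per-IP limit of five failures never trips), plus a legitimate
# user who mistypes her password twice before succeeding.
SAMPLE_LOG = "\n".join(
    [f"198.51.100.{i} 2013-04-12T10:00:{i:02d}Z FAIL user=admin"
     for i in range(1, 41)]
    + [
        "203.0.113.7 2013-04-12T10:01:00Z FAIL user=alice",
        "203.0.113.7 2013-04-12T10:01:05Z FAIL user=alice",
        "203.0.113.7 2013-04-12T10:01:20Z OK user=alice",
    ]
)

# The five most-attempted usernames reported by Sucuri on this page.
COMMON_USERNAMES = {"admin", "test", "administrator", "Admin", "root"}


def parse(log_text):
    """Return a list of (ip, result, user) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m['ip'], m['result'], m['user']))
    return events


def per_ip_lockouts(events, threshold=5):
    """Classic IP throttling: which source addresses reach the failure limit?"""
    fails = defaultdict(int)
    for ip, result, _ in events:
        if result == 'FAIL':
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def distributed_bruteforce(events, min_failures=20, min_ips=10):
    """Per-account view: flag usernames with many failures from many IPs.

    Returns {username: (failure_count, distinct_ip_count)} for each account
    that exceeds both thresholds. A single fat-fingering user stays below
    min_ips; a botnet spreading one attempt per node does not.
    """
    fails = defaultdict(int)
    ips = defaultdict(set)
    for ip, result, user in events:
        if result == 'FAIL':
            fails[user] += 1
            ips[user].add(ip)
    return {user: (fails[user], len(ips[user]))
            for user in fails
            if fails[user] >= min_failures and len(ips[user]) >= min_ips}


def targeted_common_accounts(events):
    """Which of the commonly attempted usernames appear in the log at all?"""
    return sorted({user for _, _, user in events if user in COMMON_USERNAMES})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockouts(evts))
    print("distributed brute force:", distributed_bruteforce(evts))
    print("common accounts targeted:", targeted_common_accounts(evts))
```

On the constructed sample the per-IP rule locks out nobody, because every attacking address fails only once, while the per-account rule flags `admin` with 40 failures from 40 distinct addresses. In practice the per-account thresholds would be tuned to the site's normal failure rate, and the response would be to alert or to require a second factor for that account rather than to lock it, since a lockout on a distributed attack simply denies the legitimate owner.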