Brute Force Attacks Build WordPress Botnet

[djbaxter]

Brute Force Attacks Build WordPress Botnet
Krebs On Security
April 12, 2013

Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.

Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

This, as you can see by the dateline, is not a brand new story but it is continuing to grow as a threat, with several hosting services being hit by the botnet in a search for vulnerable WordPress installation, at a rate which amounts to a Disributed Denial of Service attack:

Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant. ”This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”

HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses.

 

[djbaxter]

This is just one recent example from today:

Multiple Servers Instability/Outages due to WordPress attacks
A Small Orange Hosting Status Updates
January 16, 2014

Today, multiple servers have undergone a few heavy WordPress brute force attacks which are caused instability for some servers and a heavy load on those servers services, leading to some outages and pockets of downtime. Our Tech team is continuing to work on filtering and shielding these servers from these attacks.

As servers are affected, we will post the servers here. Today, we have seen attacks against Merle, Morrow, Franklin, and Drrockso. Currently, all ASO servers appear stable though we do have some indications the attack itself as a whole is not fully over.

For more information about this type of attack, why it is perpetrated, and what it's ultimate goal is you can read this article, which explains in layman's terms the attack, and its affect on web servers. Brute Force Attacks Build WordPress Botnet — Krebs on Security

We again encourage you to utilize best practices with your WordPress site, which include:

• choosing a username other than admin
• choosing a secure password: Selecting a Strong*Password — Support — WordPress.com
• restricting access to wp-admin: Hardening WordPress ? WordPress Codex
• ensuring your WordPress is always up to date