Brute force attacks on WordPress
The Next Web reported earlier on Friday that hosting providers around the world are seeing a substantial increase in brute force attacks against WordPress and Joomla sites, with some hosts seeing as much as triple the volume of attacks as usual. The requests, which are targeted at administrative accounts, appear to be coming from a sophisticated botnet that may be comprised of as many as 100,000 computers, based on the number of unique IP addresses the attacks are coming from.
CloudFlare also began seeing a similar attack earlier this week and corroborated the attacker’s specific methodology with other hosts. CEO Matthew Prince told The Next Web in an interview that he doesn’t remember another brute force attack against WordPress coming anywhere close to the volume the company is seeing right now.
By his estimate, the botnet has the capacity to test as many as 2 billion passwords an hour. That figure comes from extrapolating the 60 million requests CloudFlare has seen to the whole Internet, since CloudFlare says its service handles roughly 3% of Web requests.
Joomla sites are also facing some malicious requests, but the bulk of the attack seems to be directed toward WordPress. Prince says that the vast majority of its WordPress customers, which number in the hundreds of thousands, have seen some evidence of the attack.
“Someone has mapped out the WordPress universe and is trying to attack them,” he said.
Yesterday, CloudFlare rolled out a patch to combat the attack, making it available to both free and paid customers and also offering to protect the customers of hosting providers that it works with.
The current threat is a dictionary attack coordinated across more than 100,000 IP addresses, which makes it much harder to counter: one of the most common defences against brute force attacks is to block repeated attempts from the same IP, and that rule never fires when each IP contributes only a single attempt.
“The attack is spreading it out across all of these different IP addresses,” Prince said. “It’s very hard to detect that it’s one particular source from the attack. Each IP is sending one request each.”
He went on to strongly advise that WordPress users make sure that their passwords, especially for admin accounts, are long and not guessable from a password list. Of course, that’s good advice for just about any password you use, but it’s especially applicable right now.
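The failure mode described above, per-IP blocking that never triggers because every bot sends one request, is easiest to see against log data. The following is an added example, not code from the article or from CloudFlare: it parses constructed Apache vhost_combined log lines (the hostnames, IPs and timestamps are invented), then runs two detectors over the failed wp-login.php POSTs. The first counts failures per source IP, the fail2ban-style rule most hosts use; the second counts failures per target site across all sources within a sliding window. The thresholds are assumptions chosen for the example, as is the convention that WordPress answers a bad password with a 200 (re-rendered form) and a good one with a 302 to wp-admin.

```python
"""Per-IP versus per-site detection of a distributed wp-login.php dictionary attack.

Added example with constructed log lines; hosts, IPs and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "vhost_combined" format:
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def failed_logins(lines):
    """POSTs to wp-login.php answered with 200: WordPress re-renders the form on a bad
    password and redirects (302) to wp-admin on success."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if (ev and ev["method"] == "POST"
                and ev["path"].startswith("/wp-login.php") and ev["status"] == 200):
            out.append(ev)
    return out


def per_ip_alerts(events, threshold=5):
    """Classic rule: block/alert on N failures from one source IP."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["ip"]] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def per_site_alerts(events, window_s=60, min_failures=20, min_ips=10):
    """Aggregate by target instead of source: flag any window_s-second span on one site
    holding >= min_failures failed logins spread over >= min_ips distinct IPs.
    Returns {host: (failures, distinct_ips)} for the largest qualifying window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            span = evs[start:end + 1]
            ips = {e["ip"] for e in span}
            if len(span) >= min_failures and len(ips) >= min_ips:
                best = alerts.get(host)
                if best is None or len(span) > best[0]:
                    alerts[host] = (len(span), len(ips))
    return alerts


def _line(host, ip, second, status, method="POST"):
    """Build one constructed vhost_combined log line (sample data, not a real capture)."""
    return (f'{host}:80 {ip} - - [12/Apr/2013:10:00:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4871 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # 40 bots, one guess each, against blog.example.com (the distributed case)
    [_line("blog.example.com", f"203.0.113.{i}", i, 200) for i in range(1, 41)]
    # one legitimate user on shop.example.com: two typos, then a successful login
    + [_line("shop.example.com", "192.0.2.10", 5, 200),
       _line("shop.example.com", "192.0.2.10", 9, 200),
       _line("shop.example.com", "192.0.2.10", 14, 302)]
    # one clumsy single-source attacker, which per-IP blocking does catch
    + [_line("shop.example.com", "192.0.2.99", 20 + i, 200) for i in range(6)]
)


if __name__ == "__main__":
    events = failed_logins(SAMPLE_LOG)
    print("failed logins:", len(events))
    print("per-IP alerts:", per_ip_alerts(events))      # only the single-source attacker
    print("per-site alerts:", per_site_alerts(events))  # the 40-IP attack on blog.example.com
```

On this data the per-IP rule flags only 192.0.2.99, and the 40 bots that each sent one guess to blog.example.com are invisible to it; the per-site window catches them because it keys on the target rather than the source. The same aggregation is what lets a host or CDN spot a campaign that no single tenant's fail2ban would see.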
While it’s difficult to tell what the aggressor is trying to accomplish with this current round of password cracking, the consequences could be disastrous. Prince suggested that the perpetrator could be trying to upgrade a botnet composed of consumer machines into one made up of servers. The average infected PC on a home connection usually can’t mount a large distributed denial of service (DDoS) attack because of bandwidth and ISP limitations, but a collection of infected servers could cause serious damage online.
Last year, a brute force attack against Joomla sites built a server-grade botnet, using a tool called Brobot, that overwhelmed US financial institutions with DDoS attacks.
“If you want to stop the big attacks, it’s incumbent that hosts work on stopping these attacks against WordPress sites,” Prince said, adding that it’s likely that a lot of servers around the world are currently being compromised by the current threat.
One risk is that personal bloggers who set up WordPress installations might not have thought to choose a highly secure password. However, it’s not just the blogger’s posts that are at stake, as the attacker could potentially use the login to gain access to the server, a more valuable prize that could cause even more damage.
The brute force attempts are the latest in a rash of security threats and breaches that have surfaced this year. If there was any doubt before, cyber-security is now a mission-critical issue for any company that comes in contact with the Internet.