Hosting providers around the world are seeing a massive increase in brute force attacks against WordPress and Joomla sites. Attackers are looking to gain access to and compromise accounts, but failing that, they are slowing down their targets or even rendering them unavailable as they exhaust the sites’ resources.
Melbourne Server Hosting is reporting that it has seen signs over the past 48 hours of increased attempts, while Immotion Hosting has noted they are coming from a large number of IP addresses spread across the world. This would suggest the attackers are using a botnet to break in; HostGator has said at least 90,000 computers are involved, while CloudFlare has noted that “more than tens of thousands of unique IP addresses” are being used.
- December 2012: 678,519 login attempts blocked.
- January 2013: 1,252,308 login attempts blocked.
- February 2013: 1,034,323 login attempts blocked.
- March 2013: 950,389 login attempts blocked.
- April 2013: 774,104 login attempts blocked for the first 10 days.
The top five user names being attempted are admin, test, administrator, Admin, and root. The top five passwords being attempted are admin, 123456, 666666, 111111, and 12345678. Obviously, if you are using any common user name or password, you should change it immediately.
In other words, Sucuri has been seeing 30 to 40 thousand attacks per day for the last few months, but this month that number has increased to 77,000 per day on average. In the last few days, the firm says the figure has reached more than 100,000 per day, meaning the number of brute force attempts has more than tripled.
For those who don’t know, a botnet refers to a group of computers (sometimes called zombies) that have been infected with malware to perform tasks for whomever distributed said threat. This individual, or organization, controls the botnet by sending instructions to the zombies from one or more Command & Control (C&C) servers.
A brute-force attack, meanwhile, refers to the systematic checking of all possible passwords (or just popular ones) until the correct password is found. A botnet is not required, but can help in the process as multiple computers can be used to check different combinations and avoid triggering multiple attempt limits.
While these attacks against popular content management systems are nothing new, the sudden increase is a bit worrying. Until the botnet in question is taken down, however, there is not much that can be done aside from ensuring you are taking every precaution. That includes using a solid username and password combination as well as ensuring your CMS and plugins are up-to-date.
Update: WordPress creator Matt Mullenweg has released a statement regarding the issue:
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
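The point made above about the botnet defeating per-IP throttling (and the earlier description of how a botnet spreads attempts across many machines to stay under attempt limits) is easy to see in a web-server log. The following is an added example, not code from the article or from WordPress: it parses Apache/nginx combined-format access-log lines, treats a POST to /wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form on failure and answers a successful login with a 302 redirect; this heuristic is an assumption stated in the comments), and then compares a per-IP rate check with a site-wide one. The log lines, IP ranges and thresholds are constructed for the example.

```python
"""Spot distributed wp-login.php brute forcing in access logs.

Added example, not from the article. Assumptions:
- Apache/nginx "combined" log format.
- A failed WordPress login is a POST to /wp-login.php that gets HTTP 200
  (the form is re-rendered); a successful one gets a 302 redirect.
"""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_failed_login(rec):
    # Assumption: POST /wp-login.php answered with 200 == failed attempt.
    path = rec["path"].split("?")[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == 200


def max_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window_seconds-long span."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=600, per_ip_threshold=10, site_threshold=30):
    """Compare a per-IP throttle with a site-wide failed-login rate."""
    failed = [r for r in (parse_line(l) for l in lines) if r and is_failed_login(r)]
    per_ip = {}
    for r in failed:
        per_ip.setdefault(r["ip"], []).append(r["ts"])
    ip_peaks = {ip: max_in_window(t, window_seconds) for ip, t in per_ip.items()}
    noisy_ips = sorted(ip for ip, peak in ip_peaks.items() if peak >= per_ip_threshold)
    site_peak = max_in_window([r["ts"] for r in failed], window_seconds)
    top_ip_peak = max(ip_peaks.values(), default=0)
    return {
        "failed_attempts": len(failed),
        "distinct_ips": len(per_ip),
        "noisy_ips": noisy_ips,                    # what a per-IP block list would catch
        "site_peak_in_window": site_peak,          # what a site-wide alert sees
        # Many IPs, each under the per-IP limit, yet a high site-wide rate:
        "distributed_attack": site_peak >= site_threshold and top_ip_peak < per_ip_threshold,
    }


def constructed_sample(kind):
    """Constructed log lines (not real traffic) for the two attack shapes."""
    base = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3212 "-" "Mozilla/5.0"'

    def line(ip, offset, method="POST", path="/wp-login.php", status=200):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    if kind == "botnet":
        # 60 different hosts, one failed attempt each, five seconds apart.
        lines = [line(f"203.0.113.{i}", 5 * i) for i in range(1, 61)]
        lines.append(line("198.51.100.7", 120, "GET", "/wp-login.php"))
        lines.append(line("198.51.100.7", 130, status=302))  # legitimate success
        return lines
    if kind == "single_ip":
        # One host hammering the login form, ten seconds apart.
        return [line("192.0.2.5", 10 * i) for i in range(12)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("botnet", "single_ip"):
        print(kind, analyze(constructed_sample(kind)))
```

Run as a script, the "single_ip" sample is flagged by the per-IP check alone, while the "botnet" sample has no IP above the per-IP limit and is only visible as a site-wide rate. That is the gap the statement describes: a throttling plugin keyed on source address sees 60 unremarkable visitors, so an alert or limit on the login endpoint as a whole, together with strong unique credentials and two-factor authentication, is the control that actually covers the distributed case.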
See also - Brute force attacks on WordPress continue as CloudFlare fends off 60m requests in 1 hour and Researchers warn of bulk WordPress and Joomla exploit tool serving fake antivirus malware to users
Top Image Credit: linusb4