Hosting providers around the world are seeing a massive increase in brute force attacks against WordPress and Joomla sites. Attackers are looking to gain access to and compromise accounts, but failing that, they are slowing down their targets or even rendering them unavailable as they exhaust the sites’ resources.
Melbourne Server Hosting is reporting that it has seen signs over the past 48 hours of increased attempts, while Immotion Hosting has noted they are coming from a large number of IP addresses spread across the world. This suggests the attackers are using a botnet to break in; HostGator has said at least 90,000 computers are involved, while CloudFlare has noted that “more than tens of thousands of unique IP addresses” are being used.
- December 2012: 678,519 login attempts blocked.
- January 2013: 1,252,308 login attempts blocked.
- February 2013: 1,034,323 login attempts blocked.
- March 2013: 950,389 login attempts blocked.
- April 2013: 774,104 login attempts blocked for the first 10 days.
The top five user names being attempted are admin, test, administrator, Admin, and root. The top five passwords being attempted are admin, 123456, 666666, 111111, and 12345678. Obviously, if you are using any common user name or password, you should change it immediately.
In other words, Sucuri has been seeing 30 to 40 thousand attacks per day for the last few months, but this month that number has increased to 77,000 per day on average. In the last few days, the firm says the figure has reached more than 100,000 per day, meaning the number of brute force attempts has more than tripled.
For those who don’t know, a botnet refers to a group of computers (sometimes called zombies) that have been infected with malware to perform tasks for whomever distributed said threat. This individual, or organization, controls the botnet by sending instructions to the zombies from one or more Command & Control (C&C) servers.
A brute-force attack, meanwhile, refers to the systematic checking of all possible passwords (or just popular ones) until the correct password is found. A botnet is not required, but it can help in the process: multiple computers can be used to check different combinations, and spreading the attempts across many machines avoids triggering limits on repeated login attempts from any single one.
While these attacks against popular content management systems are nothing new, the sudden increase is a bit worrying. Until the botnet in question is taken down, however, there is not much that can be done aside from ensuring you are taking every precaution. That includes using a solid username and password combination as well as ensuring your CMS and plugins are up-to-date.
Update: WordPress creator Matt Mullenweg has released a statement regarding the issue:
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
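To illustrate the point above about IP limiting, here is an added example (not part of the article or of Mullenweg's statement) that runs two checks over a constructed login log: per-IP failure counting, which a botnet making one or two attempts per address slips under, and per-username distinct-source counting, which flags the targeted “admin” account regardless of how many addresses the attempts come from. The log format, the thresholds and the IP addresses are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (not from the article): one line per wp-login.php
# attempt, in a format we assume a login-logging plugin or WAF could emit.
SAMPLE_LOG = """\
2013-04-12T10:00:01 198.51.100.11 admin FAIL
2013-04-12T10:00:02 198.51.100.12 admin FAIL
2013-04-12T10:00:02 203.0.113.7 admin FAIL
2013-04-12T10:00:03 192.0.2.44 admin FAIL
2013-04-12T10:00:04 198.51.100.13 admin FAIL
2013-04-12T10:00:05 203.0.113.9 admin FAIL
2013-04-12T10:00:06 192.0.2.45 admin FAIL
2013-04-12T10:00:20 192.0.2.200 bob FAIL
2013-04-12T10:00:25 192.0.2.200 bob FAIL
2013-04-12T10:00:31 192.0.2.200 bob OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def parse(log):
    """Yield (timestamp, ip, username, failed) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4) == "FAIL"

def per_ip_offenders(log, max_failures=5):
    """Classic per-IP throttling: IPs with more than max_failures failed logins."""
    fails = defaultdict(int)
    for _, ip, _, failed in parse(log):
        if failed:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def targeted_usernames(log, min_sources=6, window_seconds=60):
    """Usernames failing from >= min_sources distinct IPs within one window; keying
    on the target account rather than the source is what exposes a spread-out botnet."""
    events = defaultdict(list)  # username -> [(timestamp, ip), ...]
    for ts, ip, user, failed in parse(log):
        if failed:
            events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ips = {ip for ts, ip in evs[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(ips) >= min_sources:
                flagged[user] = len(ips)  # distinct sources seen inside the window
                break
    return flagged
```

On the sample log the per-IP check flags nothing at the default threshold, while the per-username check reports “admin” hit from seven distinct addresses within the window.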
See also:
- Brute force attacks on WordPress continue as CloudFlare fends off 60m requests in 1 hour
- Researchers warn of bulk WordPress and Joomla exploit tool serving fake antivirus malware to users