
The WordPress ecosystem appears to be facing its worst ever coordinated brute force attack. Content delivery network CloudFlare says it blocked 60 million requests against its WordPress customers in a single hour.
The Next Web reported earlier on Friday that hosting providers around the world are seeing a substantial increase in brute force attacks against WordPress and Joomla sites, with some hosts seeing as much as triple the volume of attacks as usual. The requests, which are targeted at administrative accounts, appear to be coming from a sophisticated botnet that may be comprised of as many as 100,000 computers, based on the number of unique IP addresses the attacks are coming from.
CloudFlare also began seeing a similar attack earlier this week and corroborated the attacker's specific methodology with other hosts. CEO Matthew Prince told The Next Web in an interview that he doesn't remember another brute force attack against WordPress coming anywhere close to the volume the company is seeing right now.
By his estimate, the botnet has the power to test as many as 2 billion passwords in an hour. That's based on extrapolating the 60 million requests that CloudFlare has faced across the entire Internet. CloudFlare says its service powers roughly 3% of Web requests.
Joomla sites are also facing some malicious requests, but the bulk of the attack seems to be directed toward WordPress. Prince says that the vast majority of its WordPress customers, which number in the hundreds of thousands, have seen some evidence of the attack.
"Someone has mapped out the WordPress universe and is trying to attack them," he said.
Yesterday, CloudFlare rolled out a patch to combat the attack, making it available to both free and paid customers and also offering to protect the customers of hosting providers that it works with.
The current threat is a dictionary attack coordinated across more than 100,000 IP addresses, which makes it much harder to counter: the most common protection against brute force attacks is to block repeated failed attempts from the same IP, and this attack never gives a single IP enough attempts to trigger that rule.
"The attack is spreading it out across all of these different IP addresses," Prince said. "It's very hard to detect that it's one particular source from the attack. Each IP is sending one request each."
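The following is an added example, not code from the article, CloudFlare or the WordPress project, to make Prince's point concrete. It runs two detection rules over a constructed login log: the per-IP throttle that most brute force plugins implement, and a per-target-account count that ignores the source address. The log format ("timestamp ip username outcome") and the thresholds are hypothetical assumptions; the sample lines are generated, not captured from a real host.

```python
"""Why per-IP throttling misses a one-request-per-IP dictionary attack.

Added example (not from the original article). The log format below is a
hypothetical "<iso-time> <client-ip> <username> <ok|fail>" line, and every
sample line is constructed in build_sample_log(), not captured traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PER_IP_THRESHOLD = 5        # assumed rule: block an IP after 5 failures in WINDOW
PER_ACCOUNT_THRESHOLD = 20  # assumed rule: alert on 20 failures against one username


def build_sample_log():
    """Constructed log: a distributed attack, a single-IP attack, and a real user."""
    t0 = datetime(2013, 4, 12, 9, 0, 0)
    lines = []
    # Distributed dictionary attack on "admin": 200 failures, one per IP,
    # spread over five minutes, mirroring "each IP is sending one request each".
    for i in range(200):
        ip = f"10.0.{i}.{(i * 7) % 250 + 1}"          # 200 distinct constructed addresses
        ts = t0 + timedelta(seconds=i * 1.5)
        lines.append(f"{ts.isoformat()} {ip} admin fail")
    # Classic single-source brute force on "editor": 8 failures from one IP.
    for i in range(8):
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 editor fail")
    # Legitimate user: one typo, then a successful login.
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} 198.51.100.23 alice fail")
    lines.append(f"{(t0 + timedelta(minutes=2, seconds=20)).isoformat()} 198.51.100.23 alice ok")
    return lines


def parse(lines):
    """Turn log lines into (timestamp, ip, username, outcome) tuples, oldest first."""
    events = []
    for line in lines:
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def sliding_window_hits(events, key, threshold, window=WINDOW):
    """Count failures per key inside a sliding time window.

    Returns {key: peak failures seen in any `window`} for keys that reach
    `threshold`. Only failed attempts count toward the total.
    """
    recent = defaultdict(deque)   # key -> timestamps of failures still inside window
    peak = defaultdict(int)
    for ts, ip, user, outcome in events:
        if outcome != "fail":
            continue
        k = key(ip, user)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[k] = max(peak[k], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}


def per_ip_blocklist(events):
    """What a conventional per-IP throttle would block."""
    return sliding_window_hits(events, key=lambda ip, user: ip, threshold=PER_IP_THRESHOLD)


def per_account_alerts(events):
    """Failures per targeted username, with the number of distinct source IPs.

    A high failure count coming from many distinct IPs is the distributed
    pattern that per-IP blocking cannot see.
    """
    hits = sliding_window_hits(events, key=lambda ip, user: user, threshold=PER_ACCOUNT_THRESHOLD)
    sources = defaultdict(set)
    for _, ip, user, outcome in events:
        if outcome == "fail":
            sources[user].add(ip)
    return {user: (n, len(sources[user])) for user, n in hits.items()}


if __name__ == "__main__":
    evs = parse(build_sample_log())
    print("per-IP blocklist:     ", per_ip_blocklist(evs))     # only the single-source attacker
    print("per-account alerts:   ", per_account_alerts(evs))   # the botnet's target, 200 IPs
```

Run against the constructed log, the per-IP rule blocks only 203.0.113.7 and lets all 200 botnet requests against "admin" through, while the per-account view reports "admin" with 200 failures from 200 distinct addresses. The per-account signal does not by itself identify which IPs to block; it tells you which account to protect, which is why the advice that follows centres on the account rather than the source.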
He went on to strongly advise that WordPress users make sure that their passwords, especially for admin accounts, are long and not guessable from a password list. Of course, that's good advice for just about any password you use, but it's especially applicable right now.
While it's difficult to tell what the aggressor is trying to accomplish with this current round of password cracking, the consequences could be disastrous. Prince suggested that the perpetrator could be trying to upgrade a botnet composed of consumer machines into one made up of servers. The average infected PC on a home connection isn't usually able to mount a large distributed denial of service (DDoS) attack because of bandwidth and ISP limitations, but a collection of infected servers could cause serious damage online.
Last year, a brute force attack against Joomla sites built a server-grade botnet, using a tool called Brobot, that overwhelmed US financial institutions with DDoS attacks.
"If you want to stop the big attacks, it's incumbent that hosts work on stopping these attacks against WordPress sites," Prince said, adding that it's likely that a lot of servers around the world are currently being compromised by the current threat.
One risk is that personal bloggers who set up WordPress installations might not have thought to choose a highly secure password. However, it's not just the blogger's posts that are at stake: the attacker could potentially use the login to gain access to the server, a more valuable prize that could cause even more damage.
The brute force attempts are the latest in a rash of security threats and breaches that have surfaced this year. If there was any doubt before, cyber-security is now a mission-critical issue for any company that comes in contact with the Internet. Prince put it this way:
If the 2000s were all about Windows being inadequately secure and the problems that creates, the 2010s are going to turn out to be about server software being incorrectly secured and all the problems that ends up creating.
One silver lining in this round of attacks is that its sheer magnitude has caused hosts to work together on it. Hostgator was one of the first to go public with information about this week's incident. Moving forward, it'd be great to see providers and cloud services communicate more about the patterns they're seeing. Prince said CloudFlare is looking into sharing a database of the botnet's IP addresses with other industry members.
"From our perspective, the attacks like this are felt industry wide, so it's great when hosts can work together like this to solve these issues," he said.
Update: WordPress creator Matt Mullenweg has released a statement regarding the issue:
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using "admin" as their default username. Right now there's a botnet going around all of the WordPresses it can find trying to login with the "admin" username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell "solutions" to the problem).
Here's what I would recommend: If you still use "admin" as a username on your blog, change it, use a strong password, if you're on WP.com turn on two-factor authentication, and of course make sure you're up-to-date on the latest version of WordPress. Do this and you'll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn't great: supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn't going to be great (they could try from a different IP a second for 24 hours).
See also: Researchers warn of bulk WordPress and Joomla exploit tool serving fake antivirus malware to users