The WordPress ecosystem appears to facing its worst ever coordinated brute force attack. Content delivery network CloudFlare says it blocked 60 million requests against its WordPress customers in a single hour.
The Next Web reported earlier on Friday that hosting providers around the world are seeing a substantial increase in brute force attacks against WordPress and Joomla sites, with some hosts seeing as much as triple the volume of attacks as usual. The requests, which are targeted at administrative accounts, appear to be coming from a sophisticated botnet that may be comprised of as many as 100,000 computers, based on the number of unique IP addresses the attacks are coming from.
All Killer, No Filler
We’re bringing Momentum to New York: our newest event, showcasing only the best speakers and startups.
CloudFlare also began seeing a similar attack earlier this week and corroborated the attacker’s specific methodology with other hosts. CEO Matthew Prince told The Next Web in an interview that he doesn’t remember another brute force attack against WordPress coming anywhere close to the volume the company is seeing right now.
By his estimate, the botnet has the power to test as many as 2 billion password in an hour. That’s based on extrapolating the 60 million requests that CloudFlare has faced across the entire Internet. CloudFlare says its service powers roughly 3% of Web requests.
Joomla sites are also facing some malicious requests, but the bulk of the attack seems to be directed toward WordPress. Prince says that the vast majority of its WordPress customers, which number in the hundreds of thousands, have seen some evidence of the attack.
“Someone has mapped out the WordPress universe and is trying to attack them,” he said.
Yesterday, CloudFlare rolled out a patch to combat the attack, making it available to both free and paid customers and also offering to protect the customers of hosting providers that it works with.
The current threat is a dictionary attack that is coordinated across over 100,000 IP addresses, making it much more difficult to counter since one of the most common levels of protection against brute force attacks is to block repeated attempts from the same IP.
“The attack is spreading it out across all of these different IP addresses,” Prince said. “It’s very hard to detect that it’s one particular source from the attack. Each IP is sending one request each.”
He went on to strongly advise that WordPress users make sure that their passwords, especially for admin accounts, are long and not guessable from a password list. Of course, that’s good advice for just about any password you use, but it’s especially applicable right now.
While it’s difficult to tell what the aggressor is trying to accomplish with this current round of password cracking, the consequences could be disastrous. Prince suggested that the perpetrator could be trying to upgrade a botnet composed of consumer machines into one that is made up of servers. The average infected PC on a home connection isn’t usually able to levy a large distributed denial of service (DDoS) attack because of bandwidth and ISP limitations, but a collection of infected servers could cause serious damage online.
Last year, a brute force attack against Joomla sites created a server-grade botnet, created with a tool called Brobot, that overwhelmed US financial institutions with DDoS attacks.
“If you want to stop the big attacks, it’s incumbent that hosts work on stopping these attacks against WordPress sites,” Prince said, adding that it’s likely that a lot of servers around the world are currently being compromised by the current threat.
One risk is that personal bloggers that set up WordPress installations might not have thought to set up a highly secure password. However, it’s not just the blogger’s posts that are at stake, as the attacker could potentially use the login to gain access to the server, a more valuable prize that could cause even more damage.
The brute force attempts are the latest in a rash of security threats and breaches that have surfaced this year. If there was any doubt before, cyber-security is now a mission-critical issue for any company that comes in contact with the Internet. Prince put it this way:
If the 2000s were all about Windows being inadequately secure and the problems that creates, the 2010s are going to turn out to be about server software being incorrectly secured and all the problems that ends up creating.
One silver lining in this round of attacks is that its sheer magnitude has caused hosts to work together on it. Hostgator was one of the first to go public with information about this week’s incident. Moving forward, it’d be great to see providers and cloud services communicate more about the patterns they’re seeing. Prince said CloudFlare is looking into sharing a database of the bonnet’s IP addresses with other industry members.
“From our perspective, the attacks like this are felt industry wide, so it’s great when hosts can work together like this to solve these issues,” he said.
Update: WordPress creator Matt Mullenweg has released a statement regarding the issue:
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
Image credit: iStockphoto