WordPress is a very popular platform for *MANY* blogs on the Internet. This website and blog (SKoenemann.com) is actually based on WordPress. Over the last week or so, security firms and network hosting companies have seen a huge increase in the number of “brute-force” password attacks directed at sites using this very popular blogging platform. There are, just in case you are wondering, over 70 million WordPress sites either being hosted at WordPress.com or being self-hosted on other servers around the world… so it is no wonder that WordPress is such a popular target for hackers.
This particular attack is being propagated from a very powerful “botnet” of over 90,000 Web servers, most of them added to the botnet after being compromised by this same attack. A botnet is typically a collection of servers under some sort of central command-and-control mechanism, and it is most commonly used to mount attacks like this one or other “unusual” and possibly illegal activities, normally associated with compromising a Web site or stealing personal information. Botnet attacks, of course, can also be used effectively against sites other than those running the WordPress blogging software.
When a site is attacked by this botnet and the “bot” guesses the administrative password correctly, the site is immediately compromised: “backdoor” software is loaded onto it that allows the site to be controlled remotely through the botnet. This “zombie” site is then used to attack other WordPress sites that it can find on the Internet. As I indicated, the botnet already consists of more than 90,000 compromised WordPress sites, and that number is still growing rapidly. Some Web hosting providers have reported that they have already had to handle the traffic from as many as 60 million of these attacks, and this number is also escalating rapidly as the botnet continues to grow.
There are lots of ways that the administrator of a WordPress site can protect it from all sorts of attacks, primarily through better security practices and the use of sophisticated software, some of which is free for the taking. If you host your own WordPress site, good security practice starts with a correct installation of the WordPress software. The WordPress.org site provides good instructions on how to do this. There are a lot of other good articles at that site and at other sites that give additional instructions for further hardening your WordPress installation. It is always best to use a “layered” security protection scheme… protecting your site in multiple ways to ensure that it has adequate protection and is “hole-free”… keeping in mind, of course, that there is no such thing as a site that is 100% secure!
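One layer worth having is simply watching your own Web server log for the login bursts described above. The following is an added example, not code from this post or from WordPress: it reads Apache/nginx-style access-log lines (constructed sample data, not real traffic) and flags any client that fails repeated POSTs to wp-login.php inside a short window, and then notes whether that client later logged in successfully, which is the case a site owner most needs to hear about. It assumes the default WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with HTTP 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from an Apache/nginx "combined" format access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines, not real traffic: 203.0.113.5 hammers the login form
# and then gets in; 198.51.100.7 is an ordinary visitor who mistypes once.
# Assumed WordPress behaviour: a failed wp-login.php POST re-renders the form
# (HTTP 200), a successful one redirects to wp-admin (HTTP 302).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.5 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.5 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.5 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
203.0.113.5 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [12/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3450
198.51.100.7 - - [12/Apr/2013:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?")[0], int(m.group("status")))

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed login POSTs inside any sliding window.
    Returns {ip: {"failures": failed POSTs in the flagged window, "success_after_burst": bool}}."""
    recent = defaultdict(list)    # ip -> failure timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 200:                     # form re-rendered: failed attempt
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"success_after_burst": False})["failures"] = len(recent[ip])
        elif status == 302 and ip in alerts:  # redirect after a burst: a guess worked
            alerts[ip]["success_after_burst"] = True
    return alerts
```

An entry with `success_after_burst` set is the one to act on first: that is exactly the point at which the Krebs article says a backdoor gets dropped onto the site.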
I use both good security practices and several good security software packages on all of my WordPress installations. The security software is configured to inform me when a variety of different types of attacks and/or security-related events occur… and I can tell by the emails I get that my WordPress sites are under attack from all over the world. These attacks include everything from attempts to drop “comment spam”… to some of these brute force password attacks… to SQL injection attacks directed at my databases. I have done my homework though and, so far, nothing has gotten past the defenses I have put into place to protect these sites. In the meantime, I’ll keep these sites fully patched and updated… I’ll continue to be vigilant and reactive… and I’ll definitely be keeping my fingers crossed!
To read more about these WordPress attacks and some things you should do if your own WordPress site has been compromised by one of these attacks (means of identifying a compromise are also mentioned), you can go to… https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/