djbaxter
Administrator
- Joined
- Jun 28, 2012
- Messages
- 3,778
- Solutions
- 2
- Reaction score
- 1,877
Brute Force Attacks Build WordPress Botnet
Krebs On Security
April 12, 2013
This, as you can see by the dateline, is not a brand new story but it is continuing to grow as a threat, with several hosting services being hit by the botnet in a search for vulnerable WordPress installation, at a rate which amounts to a Disributed Denial of Service attack:
Krebs On Security
April 12, 2013
Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.
Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).
According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.
This, as you can see by the dateline, is not a brand new story but it is continuing to grow as a threat, with several hosting services being hit by the botnet in a search for vulnerable WordPress installation, at a rate which amounts to a Disributed Denial of Service attack:
Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.
“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant. ”This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”
HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses.