
Wordpress Sites Under Wide-Scale Brute Force Attack 110

Posted by Soulskill
from the pressing-all-the-words dept.
New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.

  • Seems like..... (Score:3, Insightful)

    by n3tm0nk (2725243) on Friday April 12, 2013 @04:38PM (#43435545)
    something they should have been prepared for in the first place......
    • Re:Seems like..... (Score:5, Informative)

      by jakimfett (2629943) on Friday April 12, 2013 @04:50PM (#43435679) Homepage Journal
      Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.
      • This.

        Based on the dictionary they're using for this attack, all that's required to thwart it is a capital letter.
      • by pspahn (1175617)

        Doesn't WP allow you to change the admin login URL as well?

      • by schlick (73861)
        And using the google authenticator plugin for 2 factor authentication.
      • Re:Seems like..... (Score:4, Informative)

        by Zamphatta (1760346) on Friday April 12, 2013 @07:55PM (#43437135) Homepage
        And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.
        • And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

          There are indeed plugins that do this. In fact, I was alerted to a few of my sites being bruteforced from a plugin that does just that. What really helps though, is having a .htpasswd enabled on the wp-admin directory -- I use a plugin for that as well ("AskApache Password Protect"), though admittedly it's not hard at all to implement without the plugin.

        • You should not use plugins to regulate login attempts, at this time. Check the post below and the link to his blog for the reasons why. http://it.slashdot.org/comments.pl?sid=3643255&cid=43436363 [slashdot.org]

          I'd also recommend that people reset their Secret Keys to resalt users' cookies. https://codex.wordpress.org/Editing_wp-config.php#Security_Keys [wordpress.org]

        • This. 100x this. It's the easiest way to block a brute force attack.
        • Apocalypse Meow: http://wordpress.org/extend/plugins/Apocalypse-Meow

          It will not only lock users out if they fail to log in a certain number of times (defined by you but default is 5), but it can remove the meta data that tells people which version of Wordpress you're running (nothing like saying "Hey, hackers, attack me in this manner"), can rename the "admin" account easily, prevent direct PHP script execution of plugins (which might break some plugins so use with caution) and even keeps a log of failed lo

      • Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password than "Correct Horse Staple Battery" which would easily be crackable in a
        • by rtb61 (674572)

          Dictionary attack fails due to time constraints as the complexity is just as great for completely mixed characters as for a pass phrase as you must guess all the words simultaneously rather than solve one word at a time. Pass phrase is quite simply the best realistic solution as it provides plenty of characters while being easy to remember and from the outside it is still unknown whether you are using any other characters in the password hence they still must be checked and PS spaces are never used is pas

        • Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password than "Correct Horse Staple Battery" which would easily be crackable in a reasonable timeframe. Unfortunately $57*ghU^61@nm is friggen hard to remember. Maybe it's time to find convenient and cheap biometric scanners.

          I think you misunderstand. A brute-force attack on a password is "just" a dictionary attack using letters and symbols as your dictionary instead of English words. There's realistically 26 lower case letters, 26 upper case letters, 10 digits, around 32 symbols, and space (just looking at my keyboard), giving us a set of about 95 to compose our passwords from. According to Oxford Dictionaries [oxforddictionaries.com] there's around 171,476 words in current usage. Even if you constrain to what the average person knows, you've got anyw

      • by radio4fan (304271)

        Good advice.

        But really, there just shouldn't be a default username: you should have to enter your own. This has been standard practice for decades.

        Though I have to concede it works pretty well, WP is truly awful: a tiny bit object-oriented here, a bit finite state machine there; no coherent design at all.

        It's kind-of the PHP of PHP software: Crufty, inelegant, painful to develop with, yet also ubiquitous and loved by clients, who ask for it by name.

        WordPress needs a 100% rewrite by someone who has read a bo

  • I see automated attacks on wordpress sites in the logs all the time.  Same with phpmyadmin and other popular FOSS software.  What else is new?
    • by Anonymous Coward

      What's new is the gigantic scale of it, nothing more. It appears to be one humongous distributed brute-force attack with the power to quite easily take down a server. This is not your average Wordpress brute-force attack.

    • by Anonymous Coward

      What is new is that these attempts are coming from so many IPs simultaneously that it's crashing servers.

  • by interkin3tic (1469267) on Friday April 12, 2013 @04:42PM (#43435589)

    advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

    Not being familiar with wordpress, I'll ask why isn't that on by default?

    • by preaction (1526109) on Friday April 12, 2013 @04:54PM (#43435713)

      Because it increases the number of support requests dramatically.

    • by sabt-pestnu (967671) on Friday April 12, 2013 @05:00PM (#43435783)

      >>advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

      > Not being familiar with wordpress, I'll ask why isn't that on by default?

      What could be a simpler way to deny an administrator access to his own account than by a "limit login attempts" that limits attempts on a per-account basis (vs a per-IP address basis)?

      And if the attack is "one attempt per site per zombie", limiting on a per-IP basis has no teeth.

      <ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>

      • by Stalks (802193) *
        It would be written in PHP, so trivial to add an exception to your IP.
      • by jkflying (2190798)

        Apparently there are over 90,000 IPs involved in the attacks, so they can effectively test a 90,000 password dictionary before you even see the same IP twice.

      • It can easily be an arbitrary number under 50 and it would still prevent a brute force attack.
    • There are several captcha plugins available; they won't help with the DDoS but will help with machines trying to guess passwords. http://rawcell.com [rawcell.com]
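The sabt-pestnu and jkflying point above (a per-IP limiter has no teeth when tens of thousands of hosts each make one attempt) can be checked against your own access logs. The following Python is an added example, not code from this thread, from the linked blog or from WordPress; it assumes Apache combined-format log lines (the constructed sample below uses documentation-range IPs), a five-minute window, and thresholds you would tune for your own site.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(  # Apache combined format (assumed; adjust to your LogFormat)
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }

def login_attempts(lines):
    """Return parsed POSTs to /wp-login.php in timestamp order."""
    # Status alone does not tell success from failure: a failed WordPress login
    # re-renders the form with 200, a successful one redirects with 302.
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"] == "/wp-login.php"]
    return sorted(events, key=lambda e: e["ts"])

def classify(lines, window=timedelta(minutes=5), distinct_threshold=20, per_ip_limit=5):
    """Find the busiest window of login POSTs and label it.

    "single-source": one client exceeds per_ip_limit, so a per-IP lockout would fire.
    "distributed":   >= distinct_threshold clients, none above per_ip_limit; this is
                     the pattern in the thread that a per-IP limiter never triggers on.
    """
    events = login_attempts(lines)
    best = {"verdict": "normal", "total": 0, "distinct_ips": 0, "max_per_ip": 0}
    for i, start in enumerate(events):
        in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
        per_ip = Counter(e["ip"] for e in in_window)
        total, distinct, top = len(in_window), len(per_ip), max(per_ip.values())
        if total <= best["total"]:
            continue
        if top > per_ip_limit:
            verdict = "single-source"
        elif distinct >= distinct_threshold:
            verdict = "distributed"
        else:
            verdict = "normal"
        best = {"verdict": verdict, "total": total, "distinct_ips": distinct, "max_per_ip": top}
    return best

def sample_log():
    """Constructed sample: 30 bots (documentation-range IPs) POST once each, plus a visitor."""
    base = datetime(2013, 4, 12, 16, 38, 0, tzinfo=timezone.utc)
    lines = []
    for n in range(30):
        ts = (base + timedelta(seconds=4 * n)).strftime(TS_FMT)
        lines.append(f'203.0.113.{n + 1} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"')
    ts = (base + timedelta(seconds=30)).strftime(TS_FMT)
    lines.append(f'198.51.100.7 - - [{ts}] "GET /wp-login.php HTTP/1.1" 200 2011 "-" "Mozilla/5.0"')
    return lines
```

Run `classify(sample_log())` to see the distributed verdict; on a real log, feed it the lines of the last hour and alert when the verdict is anything but "normal".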
  • that the administrative account uses 'administrator' not 'admin'. They'll be attempting that brute force for quite a while.
  • by quixote9 (999874) on Friday April 12, 2013 @05:58PM (#43436271) Homepage
    I've used Wordpress since forever (2006?), and I seem to remember that at least back in the bad old days the admin username had to be "admin." Nothing else. There are probably millions of people who set their blogs up back then and haven't looked at that setting since.

    I wonder what they're doing this for? What does blowing up a planet's worth of little blogs get anyone? Does anyone know what this thing actually does?
    • Gaaa. That subject line should read "username," not password.
    • I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs. The attacks have to be a smoke screen for *something else*, whatever that something else is. Maybe this is yet another Chinese attack. Maybe it's anonymous (I'll wait while you finish laughing...and yeah, it's not anonymous, they couldn't pull off anything close to this order of magnitude and coordination level), or maybe it's th3j35t3r's evil twin. But it'll be something nasty if/whe
      • I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs.

        What I think you are referring to is the unique authentication keys and salts. I have had to (reluctantly) fix a client's hacked site because they had set it up without them.

        If there's any newbies here, make sure you replace (WP provides a random generator) the definitions below in wp-config.php:

        /**#@+
         * Authentication Unique Keys and Salts.
         *
         * Change these to different unique p

        • Not exactly what I was meaning...but definitely important.

          What I was actually meaning was that the important thing to take out of this is that the wordpress attacks are a smoke screen, a stepping stone, one gear in a machine rolling towards some unknown destination. Whoever is behind this has a plan beyond hacking blogs. The power available to them with this number of compromised machines is vast. Whatever their target is, it's going to get hit really hard.

          I'd be interested in seeing someone do a code ana

    • by thegarbz (1787294)

      A cleaner internet?

    • They're doing it because webservers come with a 15K SAS drive and a 10Gbit ethernet port to send spam out of and launch more attacks. Would you rather have some dude's home computer or a web server in a state of the art datacenter? Point being, setting your logins to common settings has always been a horrible idea just the same way you wouldn't want the lock to your house to open with a key you can buy from Home Depot (read, admin//password as your login)
    • They are building a botnet of powerful webservers. We are already seeing them move on from Wordpress blogs, the attacks are not over. The current payloads are primarily spam and attacking other sites (using PHP and Perl scripts injected or uploaded to Wordpress sites), but the main point is to infect as many computers and servers as possible to gain more computing power. Now is a good time to secure your Joomla, Drupal, ZenCart, X-Cart, and even HTML (!) sites. It appears the attackers are now experiment
  • by Call A Developer (2895483) on Friday April 12, 2013 @06:08PM (#43436363)
    I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html [blogspot.com] This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.
    • Re: (Score:3, Informative)

      by rduke15 (721841)

      The useful part of that blog post seems to be:

      # Reject POSTs to the login/admin entry points whose Referer is not this site.
      # Referer is client-supplied, so this only stops bots that do not bother to set it.
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} =POST
      RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com [NC]
      RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^/wp-admin/?$
      RewriteRule ^(.*)$ - [R=403,L]

      (The logic makes sense. I haven't tested the syntax yet)

      It also suggests an insane 30-character password abomination:

      for example the relatively strong password: th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply "thislittlepiggysecuredtheirWordpresssite" with i->1, s->$, e->3, and o->0 (zero)

      I prefer "wrong chicken battery staple [xkcd.com]", which is probably not in the attacker's dictionary.

      • Re: (Score:1, Interesting)

        You mean "correct horse battery staple" and unfortunately that is terrible advice - any password under 50 characters made of only lowercase letters will be broken by the most basic brute force. And their dictionary is impressive, we've been pulling the POSTDATA and checking what they are doing. The rotation of usernames in itself is scary - even non "admin" users are not protected. This is why I suggest a 30 character password and in fact you should be using a similar method to generate your admin username
        • by Algae_94 (2017070)

          any password under 50 characters made of only lowercase letters will be broken by the most basic brute force.

          The fact that the password is only lowercase letters is immaterial for a brute force attack. Unless the attacker already knows that the password is only lowercase letters, they will try guesses with numerals and symbols. It is very hard to imagine a brute force attack that would try every combination of lowercase letters up to 50 characters without trying anything with uppercase, numerals, or symbols, but even if they do it isn't a reason to worry.

          If they did try to brute force just lowercase, there are 5

          • by jkflying (2190798)

            The thing is, they won't be using a pure brute force but rather a 'directed' brute force through some sort of markov-chain implementation. So if you use standard English words and grammar the number of bits of random data in your password is dramatically reduced.

        • by rduke15 (721841)

          You mean "correct horse battery staple"

          No, I meant another animal, just in case the person who did the dictionary is an xkcd fan, and put that in for fun.

          But for the number of characters, I think you may have to revisit your math, as others have already pointed out. And this is an online attack, which severely limits the speed anyway (not the speed of trying, but the speed of getting a reply from the server).

  • Wordpress allows for a space in the username which is nice and seems more unlikely to be guessed :)
  • I've found the "Better WP Security" plugin to be pretty good at stopping all of this. You can set login limits, 404 limits, etc., and have it automatically deny offenders' IP addresses from accessing your site by modifying the site's root .htaccess file. But even it doesn't cover everything.

    Many WP attackers probe for themes and plugins with known weaknesses, or exploit the upload system to upload executables. But what most people don't know (including most WP developers I've worked with) is that
  • The root cause of this attack is that Wordpress allows unlimited login attempts for the admin account. I know there is some plugin that can fix it, but it should be built into the core.

  • And the blog I run is for my church. He said he did not know how this happened. Someone hacked a blog running an unpatched Drupal blog. This is what he said, anyway. Then used that breach to hack everything else. Since I could not determine what had been hacked/changed on the church blog, (user accounts were created that I did not create!) I wiped it, deleted all the databases and started from scratch. So it isn't just crappy blogs - although if you happen to be a godless nerd you may think my church blog is crappy anyway.... B-) I support your right to be a godless nerd.
    • Your user name... you don't happen to live in the Mount Pocono area, do you?
      • Nope. East Stroudsburg. Used to fix PC's on the side a while back. Hence the name.
        • by Gazzonyx (982402)
          Huh, small world. I grew up on the Stroudsburg/Bartonsville line and went to Pocono Mountain. But I left there in 2004. There used to be a couple of computer shops in the area, but I think they're mostly gone now.
    • Then used that breach to hack everything else. Since I could not determine what had been hacked/changed on the church blog, (user accounts were created that I did not create!) I wiped it, deleted all the databases and started from scratch. So it isn't just crappy blogs - although if you happen to be a godless nerd you may think my church blog is crappy anyway....

      Exactly. Sounds like a 14-year-old on a power trip. No worries, there will be a few companies that may hire him as a white hat. That is, if he's sm

      • The part that bothered me was the hosting provider admitting that he thought this could not be done. To his credit, he seems to have updated everything and there have been no issues since. I think this was his wake up call, that he could not assume that a Linux based server is invincible. Every time a patch is rolled out, unless servers are updated, the kiddie scripters load up and see who they can hack and whack.
  • I ended up making some tiny changes to my WP install that basically causes requests to /wp-admin to die immediately, unless you're accessing it via a specific HTTP port that I've opened in Apache specifically for this purpose.

    I've got disk permissions set up so that the regular Apache user cannot write at all to the disk - a common source of WP problems seems to be exploits writing new files to disk, so stopping that seemed like a good idea. Unfortunately it also bones a lot of WP functionality like being a

  • all articles either are not saying what is the purpose or just talking about creating a zombienet for future use, but one wordpress I know of got hacked just 2 weeks ago by brute-forcing his way in, then someone was able to install a plugin called "boss" which was the r57shell and with this script, was able to put new files in the blog which was serving 7727 websites with a virus when someone visited their site and didn't have Flash. The virus in question was the trojan Meredrop, so the wordpress got hacked an
  • " CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services." - and there's the meat of this whole post. Like the "Unprecedented DNS attacks" from a couple of weeks ago, if you follow the trail of this article it is nothing but a press release from CloudFlare designed to whip everyone into a frenzy and buy their product to protect them. - 90,000 hosts? Haven't we seen attacks with half a million or more hosts?
