Wordpress Sites Under Wide-Scale Brute Force Attack

New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.

Seems like.....

[n3tm0nk]

something they should have been prepared for in the first place......

Re:Seems like.....

[jakimfett]

Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.

Re:Seems like.....

As a host, you simply cannot vet everything an unmanaged customer uploads to their account or dedicated server. With Wordpress' security history though, you'd think that some relevant security features would have been rolled into every release by now.

Re:Seems like.....

[DougOtto]

This.

Based on the dictionary they're using for this attack, all that's required to thwart it is a capital letter.

Re:Seems like.....

[pspahn]

Doesn't WP allow you to change the admin login URL as well?

Re:Seems like.....

Also don't use standard directory structure like /wordpress/ or /blog/

Re:Seems like.....

[DougOtto]

Unfortunately, no. It is, however, easy enough to protect with .htaccess

Re:Seems like.....

[Electrawn]

No, the wp-admin folder is rather hard coded.

Re:Seems like.....

[schlick]

And using the google authenticator plugin for 2 factor authentication.

Re:Seems like.....

And using the google authenticator plugin for 2 factor authentication.

That would be idiotic.^W^W^W^WI have some magic beans for you! Simply send any message to this email address: ihavewaytoomuchmoney@wesolvethat.com

Re:Seems like.....

[bananaquackmoo]

Don't listen to them. It is quite possible.

Re:Seems like.....

[Zamphatta]

And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

Re:Seems like.....

[x_t0ken_407]

And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

There are indeed plugins that do this. In fact, I was alerted to a few of my sites being bruteforced from a plugin that does just that. What really helps though, is having a .htpasswd enabled on the wp-admin directory -- I use a plugin for that as well ("AskApache Password Protect"), though admittedly it's not hard at all to implement without the plugin.

Re:Seems like.....

[Algae_94]

It can be done, of course, but it's not an easily configurable option in the web interface.

Re:Seems like.....

[locater16]

Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password that "Correct Horse Staple Battery" which would easily be crackable in a reasonable timeframe. Unfortunately $57*ghU^61@nm is friggen hard to remember. Maybe it's time to find convenient and cheap biometric scanners.

Re:Seems like.....

[smittyoneeach]

Yes, you can specify a subdirectory at install-time.

Re:Seems like.....

[rtb61]

Dictionary attack fails due to time constraints as the complexity is just as great for completely mixed characters as for a pass phrase as you must guess all the words simultaneously rather than solve one word at a time. Pass phrase is quite simply the best realistic solution as it provides plenty of characters while being easy to remember and from the outside it is still unknown whether you are using any other characters in the pass word hence they still must be checked and PS spaces are never used is pass phrases why bother.

Re:Seems like.....

Anyone one can suggest me best plugin for wp security? My site affected itstarz

Re:Seems like.....

[radio4fan]

Good advice.

But really, there just shouldn't be a default username: you should have to enter your own. This has been standard practice for decades.

Though I have to concede it works pretty well, WP is truly awful: a tiny bit object-oriented here, a bit finite state machine there; no coherent design at all.

It's kind-of the PHP of PHP software: Crufty, inelegant, painful to develop with, yet also ubiquitous and loved by clients, who ask for it by name.

WordPress needs a 100% rewrite by someone who has read a book or two on programming.

Re:Seems like.....

[Spiridios]

Passphrase? Cracking it is called a dictionary attack, it's what almost every password cracking attempt uses anyway. It's just a list of words run against the password, and can be rather easy to crack. SAFE passwords are long enough series of random letters numbers and symbols, something an attempt would have to brute force character by character and thus wouldn't have much of a chance of getting. $57*ghU^61@nm is a far safer password that "Correct Horse Staple Battery" which would easily be crackable in a reasonable timeframe. Unfortunately $57*ghU^61@nm is friggen hard to remember. Maybe it's time to find convenient and cheap biometric scanners.

I think you misunderstand. A brute-force attack on a password is "just" a dictionary attack using letters and symbols as your dictionary instead of English words. There's realistically 26 lower case letters, 26 upper case letters, 10 digits, around 32 symbols, and space (just looking at my keyboard), giving us a set of about 95 to compose our passwords from. According to Oxford Dictionaries there's around 171,476 words in current usage. Even if you constrain to what the average person knows, you've got anywhere from 12,000 to 60,000 words depending on who you trust for those kinds of statistics. Want to include your below average person? If XKCD is to be judged, you can still communicate somewhat by limiting yourself to the 1000 most used words. That ignores capitalization variations, so it assumes the attacker knows you only capitalize the first word of the sentence (or whatever your personal rule is). That actually puts a six word passphrase using a vocabulary of 1000 words as harder to brute force than an eight character password.

Passphrases of equivalent length are easier to remember because we're trained to think in sentences, not letters. You can also use visualization techniques, as XKCD suggests, because we associate images with many words, not so much with letters. The biggest problem with passphrases are sites that put an upper limit on passwords, so we're forced to come up with pass phrases that operate as mnemonics for passwords, but then that limits our pool of characters in our password (unless you know a word that begins with the letter %).

Re:Seems like.....

[thoughtlover]

You should not use plugins to regulate login attempts, at this time. Check the post, below and link to his blog with the reasons why. http://it.slashdot.org/comments.pl?sid=3643255&cid=43436363

I'd also recommend that people reset their Secret Keys to resalt users' cookies. https://codex.wordpress.org/Editing_wp-config.php#Security_Keys

Re:Seems like.....

[betterprimate]

This. 100x this. It's the easiest way to block a brute force attack.

Re:Seems like.....

[hacker]

Which of course, you should never do, since .htaccess will grind the performance of your site directly into the ground. It also means that anyone with access to the filessytem (such as an already-hacked WP instance) can revert your changes.

http://httpd.apache.org/docs/2.2/en/howto/htaccess.html#when

Re:Seems like.....

[Jason+Levine]

Apocalypse Meow: http://wordpress.org/extend/plugins/Apocalypse-Meow

It will not only lock users out if they fail to log in a certain number of times (defined by you but default is 5), but it can remove the meta data that tells people which version of Wordpress you're running (nothing like saying "Hey, hackers, attack me in this manner"), can rename the "admin" account easily, prevent direct PHP script execution of plugins (which might break some plugins so use with caution) and even keeps a log of failed login attempts. I've had it running for a few months on a couple of my sites and noted over 7,000 login attempts. I noted a few of the worst offenders (one tried 135 times in about 2 months' time) and IP banned them. (NOTE: This isn't a function of Apocalypse Meow. I simply ran a mySQL query on the database table it uses for its log and then added entries to the site's CPanel to ban the IP addresses.) Definitely recommend this plugin for any WordPress users.

really?

[bmimatt]

I see automated attacks on wordpress sites in the logs all the time.  Same with phpmyadmin and other popular FOSS software.  What else is new?

Re:really?

What's new is the gigantic scale of it, nothing more. It appears to be one humongous distributed brute-force attack with the power to quite easily take down a server. This is not your average Wordpress brute-force attack.

Re:really?

What is new is that these attempts are coming from so many IP's simultaneously that it's crashing servers.

Re:really?

[n3tm0nk]

I am wondering if this attack is masking some other activity.

Re:really?

Finally another educated admin out there. Working for one of the top 5 web hosts in the company I saw atleast 10-20 compromised sites a day. All of which were WordPress, Joomla, Drupal and all of the other FOSS apps that mom and pops try to run without knowing how.

CVE reports almost 150 active exploits for wordpress.

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/

This happens way to frequently for this to be considered actual news.

Re:really?

How in the word is accessing a web admin panel going to bring down a server? Please explain that one to me.

I sir, am declaring shenanigans on your claim!

Re:really?

When you have 11,000 IP's hitting the same wp-login.php at once, It's not your normal every day BS. I also work for a major web host. This is the most intense webapp brute force I've seen in 3-4 years. They're not trying to exploit any CVE's, just log in with 'admin' and common passwords.

Re:really?

I've seen upwards of 10,000 IP's hitting the same wp-login at once. Thats how.

Re:really?

No, he is saying that the amount of bots involved is more than enough to (if they decide) DDoS a server.

limit login attempts

[interkin3tic]

advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

Not being familiar with wordpress, I'll ask why isn't that on by default?

Re:limit login attempts

[preaction]

Because it increases the number of support requests dramatically.

Re:limit login attempts

The plugin is 3rd party and not a part of WordPress itself.

Re:limit login attempts

[sabt-pestnu]

>>advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

> Not being familiar with wordpress, I'll ask why isn't that on by default?

What could be a simpler way to deny an administrator access to his own account than by a "limit login attempts" that limits attempts on a per-account basis (vs a per-IP address basis)?

And if the attack is "one attempt per site per zombie", limiting on a per-IP basis has no teeth.

<ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>

Re:limit login attempts

[interkin3tic]

Same basic question: why not?

Re:limit login attempts

Same basic answer: Because it increases the number of support requests dramatically.

Re:limit login attempts

<ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>

Yeah that /is/ pretty ignorant

Re:limit login attempts

And support is expensive, whether you consider money or time.

Re:limit login attempts

This will not help in this case - the number of IPs used for the attack is far too large, and the attackers have taken to only sending one login attempt per IP.

htaccess checking to make sure the HTTP_REFERER is your website does work just fine, though.

Re:limit login attempts

[Stalks]

It would be written in PHP, so trivial to add an exception to your IP.

Re:limit login attempts

[jkflying]

Apparently there are over 90,000 IPs involved in the attacks, so they can effectively test a 90,000 password dictionary before you even see the same IP twice.

Re:limit login attempts

[betterprimate]

It can easily be an arbitrary number under 50 and it would still prevent a brute force attack.

Re:GOD FORBID...

Yes, god forbid.

Nobody gives a shit about your crappy blog, but they will give a shit about your crappy forms that allow massive amounts of spam to be sent out.

Though admittedly, you usually don't need to brute force your way in for that.

Little do they know...

[dragon-file]

that the administrative account uses 'administrator' not 'admin'. They'll be attempting that brute force for quite a while.

Re:Little do they know...

[Quirkz]

That's why I changed mine from username 'admin' with a blank password to password 'admin' with a blank username. They'll never guess that one!

Re:Little do they know...

[dragon-file]

faceplam

Re:Little do they know...

i am unable to get access to my site Software Zone but my all data still here

Re:Little do they know...

[Pauldow]

I use eight asterisks as my password. That way I can see it when I type it in.

Re:GOD FORBID...

Or even better to get a foot in the door via your crappy blog and then go to work on the hosting company's server.

Re:That's why remote admin/root shouldn't be allow

[Quirkz]

The no remote admin access makes sense for a computer login, but for a web-based app like WordPress often run on a remote hosting account there's no such thing as "local" access. Or I suppose there is, but most users don't have access to the host server and wouldn't know how to use it even if they did.

Re:That's why remote admin/root shouldn't be allow

[KPU]

Great! Now all I have to do is compromise your user account, add some aliases to your .bashrc, and I get promoted to root.

Identifying compromised installs?

I've been seeing these for the past few days across a wide variety of customer servers, sometimes with enough traffic to push the box into swap death. All I've found online are people warning if it and how to defend against it, but has anyone done any forensics on a compromised install? If so, can you share what to look for?

ISP Black/white Lists?

If I'm an internet service provider and I have a client who is sending request after request, at an inhumane rate, do I then have the right to put their service on hold for the sake of the guy at the other end of the line?

I'm looking for where the ISPs stand in these situations.

Re:ISP Black/white Lists?

[Krojack]

Why would an ISP such as Comcrap want to block the account of a paying client? Most don't care about massive HTTP request.

Re:ISP Black/white Lists?

If I'm an internet service provider and I have a client who is sending request after request, at an inhumane rate,

HI! WELCOME TO THE INTERNET!
Everyone is sending request after request at inhuman rates. That's kinda how this thing works. Thanks for suggesting we kill the internet for doing what it does.

Fail2ban ForTheWin

Better yet, fail2ban...

Re:Fail2ban ForTheWin

You don't understand this "distributed" thing, do you? f2b does absolutely nothing when there's 90k hosts prodding your machine. The same ip won't try more than once.

Re:Fail2ban ForTheWin

[Algae_94]

In that case, what's there to worry about? 90,000 guesses (1 per ip) is nowhere near enough to brute force a halfway decent password.

In order to brute force a password, you would need to hit the site multiple times from each ip. Every ipv4 address in existance (count ips that are not valid like 127.0.0.0) with one guess a piece gives 2^32 guesses. a 6 character alphanumeric password has over 13 times as many possibilities.

Re:Fail2ban ForTheWin

Meh, this isn't even a real brute force attack. This is a dictionary attack, limited to just thousands of common passwords. They don't care about breaking in, they're looking for the key under the doormat. 90,000 attempt per day is plenty for that.

Re:That's why remote admin/root shouldn't be allow

> but for a web-based app like WordPress often run on a remote hosting account there's no such thing as "local" access

SSH tunnels.

Re:That's why remote admin/root shouldn't be allow

And how will you do that if you don't know my regular username or password? All you've done is turn an easy problem (brute force guess the password for the known account "root"), into a harder problem (guessing both my username and password, and then guessing the root one or sneaking something into an alias and hoping I invoke it during an "su" or "sudo"). If you're talking about some other way to compromise the system, then the account name/pass is irrelevant.

All I'm saying is, these guys are apparently knocking on the "remote root login" door, hoping for an easy win that way. I don't understand why anyone's machine would be set up to allow such an easy way in. Don't have a "root", "admin", or "administrator" account with remote login enabled. Taking the guesswork out of the account name defeats half the value of having a username/pass pair, so don't make it so easy (there are of course other ways to authenticate, but assuming that's the method you're using -- do it right).

Someone else mentioned that for something like WordPress, you have to have remote login for administrators. Yes, but I don't see why the account *name* has to be "admin". Sure, it's easy to remember, but why couldn't it be something random like "SuperLuser782", which would be unlikely for a bot to try out in the first hundred common guesses for an administrator account.

Admin wasn't just the default password

[quixote9]

I've used Wordpress since forever (2006?), and I seem to remember that at least back in the bad old days the admin username had to be "admin." Nothing else. There are probably millions of people who set their blogs up back then and haven't looked at that setting since.

I wonder what they're doing this for? What does blowing up a planet's worth of little blogs get anyone? Does anyone know what this thing actually does?

Re:Admin wasn't just the default password

[jakimfett]

I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs. The attacks have to be a smoke screen for *something else*, whatever that something else is. Maybe this is yet another Chinese attack. Maybe it's anonymous (I'll wait while you finish laughing...and yeah, it's not anonymous, they couldn't pull off anything close to this order of magnitude and coordination level), or maybe it's th3j35t3r's evil twin. But it'll be something nasty if/when it ever comes to light.

Re:Admin wasn't just the default password

It's Kim's little joke on all the bloggers making fun of him. :)

Re:Admin wasn't just the default password

[thegarbz]

A cleaner internet?

Re:Admin wasn't just the default password

They do it for great justice! :D

A bit more seriously:
1. Create data-mining caching anti-DDOS company.
2. DDOS away!
3. Provide temporary free services publicly
4. End attacks.
5. End temporary free service.
6. Gain new customers
7. Profit!

Re:Admin wasn't just the default password

[josh.hackney13]

They're doing it because webservers come with a 15K SAS drive and a 10Gbit ethernet port to send spam out of and launch more attacks. would you rather have some dudes home computer or a web server in a state of the art datacenter? Point being, setting your logins to comon settings has always been a horrible idea just the same way you wouldn't want the lock to your house to open with a key you can buy from homedepot (read, admin//password as your login)

Re:Admin wasn't just the default password

[CallADeveloper]

They are building a botnet of powerful webservers. We are already seeing them move on from Wordpress blogs, the attacks are not over. The current payloads are primarily spam and attacking other sites (using PHP and Perl scripts injected or uploaded to Wordpress sites), but the main point is to infect as many computers and servers as possible to gain more computing power. Now is a good time to secure your Joomla, Drupla, ZenCart, X-Cart, and even HTML (!) sites. It appears the attackers are now experimenting with various SSL attacks, pulling various configuration files, and trying to get into databases, primarily on shopping carts. This may just be another distration though, which is a common tactic in the world of hackers. If the distraction is big enough it will always draw attention away from what you are really doing...

Re:Admin wasn't just the default password

[betterprimate]

I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs.

What I think you are referring to is the unique authentication keys and salts. I have had to (reluctantly) fix a client's hacked site because they had set it up without them.

If there's any newbies here, make sure you replace (WP provides a random generator) the definitions below in wp-config.php:

/**#@+ * Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Re:Admin wasn't just the default password

[jakimfett]

Not exactly what I was meaning...but definitely important.

What I was actually meaning was that the important thing to take out of this is that the wordpress attacks are a smoke screen, a stepping stone, one gear in a machine rolling towards some unknown destination. Whoever is behind this has a plan beyond hacking blogs. The power available to them with this number of compromised machines is vast. Whatever their target is, it's going to get hit really hard.

I'd be interested in seeing someone do a code analysis on this. The actual software that is loaded into a compromised machine, what is it capable of? Can it update itself? Is it static, with only certain functionality built in? Is there a command and control server? Can it be counter-hacked to reveal the attacker? what is the architecture of the compromised machines interactions with eachother?

Re:Admin wasn't just the default username

[quixote9]

Gaaa. That subject line should read "username," not password.

Tarpit

There's a plugin I use on my sites that utilized the tarpit concept. The more attempts that are made to brute force an id from a given IP, the slower the response time becomes. It's called Login Security Solution.

How to Respond to the Global Wordpress Attacks

[CallADeveloper]

I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.

Re:How to Respond to the Global Wordpress Attacks

[rduke15]

The useful part of that blog post seems to be:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?.example.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]

(The logic makes sense. I haven't tested the syntax yet)

It also suggests an insane 30-character password abomination:

for example the relatively strong password: th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply "thislittlepiggysecuredtheirWordpresssite" with i->1, s->$, e=3, and o->0 (zero)

I prefer "wrong chicken battery staple", which is probably not in attacker's dictionnary.

Re:How to Respond to the Global Wordpress Attacks

[CallADeveloper]

You mean "correct horse battery staple" and unfortunately that is terrible advice - any password under 50 characters made of only lowercase letters will be broken by the most basic brute force. And their dictionary is impressive, we've been pulling the POSTDATA and checking what they are doing. The rotation of usernames in itself is scary - even non "admin" users are not protected. This is why I suggest a 30 character password and in fact you should be using a similar method to generate your admin username. Even that can be cracked with a botnet of sufficient size, which is exactly what they are trying to build. They have a LOT of CPU power at their disposal between the infected PCs and the infected servers (which often have 32+ cores and 100GB+ of memory to play with).

Re:How to Respond to the Global Wordpress Attacks

26^50 / 2 = 2.8e+70. At 1000 attempts per second, it would take an average of 9x10^59 YEARS to brute force a 50 character string of lowercase letters. Something's off in your alarmist argument, and it's possibly your definition of either "most basic", "brute force", or "50". You do this is web-based, right?

Re:How to Respond to the Global Wordpress Attacks

[Algae_94]

any password under 50 characters made of only lowercase letters will be broken by the most basic brute force.

The fact that the password is only lowercase letters is immaterial for a brute force attack. Unless the attacker already knows that the password is only lowercase letters, they will try guesses with numerals and symbols. It is very hard to imagine a brute force attack that would try every combination of lowercase letters up to 50 characters without trying anything with uppercase, numerals, or symbols, but even if they do it isn't a reason to worry.

If they did try to brute force just lowercase, there are 5.6e70 combinations of EXACTLY 50 lowercase letters (this is not counting shorter passwords which adds to the total).Even if the botnet could send a trillion guesses per second, It would take over 1.7e51 years to exhaustively search the space of 50 character lowercase passwords. If they can send a trillion trillion guesses per second, it would still take 1.7e40 YEARS to exhaustively search. This is all assuming they are trying only lowercase letters to start

I find it hard to believe they have a botnet capable of a trillion trillion guesses per second, and even harder to believe that the average WordPress site could handle that many requests without cratering or causing the hosting company to shut it down.

They may get some sites with very weak admin passwords (think 'password' and '123456'), but you are spreading FUD about how vulnerable long passwords are.

Re:How to Respond to the Global Wordpress Attacks

[jkflying]

The thing is, they won't be using a pure brute force but rather a 'directed' brute force through some sort of markov-chain implementation. So if you use standard English words and grammar the number of bits of random data in your password is dramatically reduced.

Re:How to Respond to the Global Wordpress Attacks

Telling people to use their own domain to restrict access seems like bad advice. How many wordpress users have their own domain attached to their home.

Same withe the advice to use a single ip address.Wordpress users will find themselves locked out when their isp rotates their address.

Re:How to Respond to the Global Wordpress Attacks

[rduke15]

You mean "correct horse battery staple"

.

No, I meant another animal, just in case the person who did the dictionary is an xkcd fan, and put that in for fun.

But for the number of characters, I think you may have to revisit your math, as other have already pointed out. And this is an online attack, which severely limits the speed anyway (not the speed of trying, but the speed of getting a reply from the server).

Re:Oh no!

Quite true. In fact I think I'll just switch off my pager this weekend, after all I can only worry about one thing at a time, so I may as well worry about one I can do nothing about.

A space in the username

[uberbrainchild]

Wordpress allowa for a space in the username which is nice and seems more unlikely to be guessed :)

Themes, plugins and .htacess...

[t4ng*]

I've found the "Better WP Security" plugin to be pretty good at stopping all of this. You can set login limits, 404 limits, etc., and have it automatically deny offenders IP addresses from accessing your site by modifying the site's root .htaccess file.  But even it doesn't cover everything.

Many WP attackers probe for themes and plugins with known weaknesses, or exploit the upload system to upload executables.  But what most people don't know (including most WP developers I've worked with) is that there is no reason for PHP files to be directly accessible anywhere in the /wp-content/ directory (which includes uploads, themes, and plugins).  Simply adding a .htaccess file to the /wp-content directory with something like the following in it will protect against poorly written themes, plug-ins, and most not-yet-known exploits of WordPress.

# Add allowable extensions as needed
Order Deny,Allow
Deny from all
<FilesMatch "\.(jpe?g|gif|png|mp3|mpe?g|flv|swf|js|css|pdf|xml|html|gz)$">
    Allow from all
</FilesMatch>

If that breaks a plugin or theme you use, then it's not written very well and you shouldn't risk using it.  Contact the developer and tell them they should not need direct access to executables in /wp-content

Re:Oh no!

[uberbrainchild]

It's not just bloggers, a lot of businesses use wordpress. If i remember correctly, spotify's website is wordpress based

Captcha's

[wanfuse123]

There is several captcha plugins available, wont help with the DDOS but will help with machines trying to guess passwords. http://rawcell.com

Lack of security in Wordpress

[edxwelch]

The root cause of this attack is that Wordpress allows unlimited login attempts for the admin account. I know there is some plugin that can fix it, but it should be built into the core.

Re:Lack of security in Wordpress

[jest3r]

Agreed!

MY ISP got hacked...

[PoconoPCDoctor]

And the blog I run is for my church. He said he did not know how this happened. Someone hacked a blog running an unpatched Drupal blog. This is what he said, anyway. Then used that breach to hack everything else. Since I could not determine what had been hacked/changed on the church blog, (user accounts wee created that I did not create!) I wiped it, deleted all the databases and started from scratch. So it isn't just crappy blogs - although if you happen to be a godless nerd you may think my church blog is crappy anyway.... B-) I support your right to be a godless nerd.

Re:MY ISP got hacked...

[betterprimate]

Then used that breach to hack everything else. Since I could not determine what had been hacked/changed on the church blog, (user accounts wee created that I did not create!) I wiped it, deleted all the databases and started from scratch. So it isn't just crappy blogs - although if you happen to be a godless nerd you may think my church blog is crappy anyway....

Exactly. Sounds like a 14-year-old on a power trip. No worries, there will be a few companies that may hire him as a white hat. That is, if he's smart enough to evade the law long enough.

Re: MY ISP got hacked...

[PoconoPCDoctor]

The part that bothered me was the hosting provider admitting that he thought this could not be done. To his credit, he seems to have updated everything and there have been no issues since. I think this was his wake up call, that could not assume that a Linux based server is invincible. Every time a patch is rolled out, unless servers are updated, the kiddie scripters load up and see who they can hack and wack.

Who benefits the most

If I wanted to be a leet haxor...
If I was in it for the lulz...
If I had a grudge...
If I owned a major news portal...
If I had facebook stock...

Hard to say. This seems high on the bumble-o-meter, like someone didn't care or didn't think it would get noticed.

Disable the usual admin interface

[trawg]

I ended up making some tiny changes to my WP install that basically causes requests to /wp-admin to die immediately, unless you're accessing it via a specific HTTP port that I've opened in Apache specifically for this purpose.

I've got disk permissions set up so that the regular Apache user cannot write at all to the disk - a common source of WP problems seems to be exploits writing new files to disk, so stopping that seemed like a good idea. Unfortunately it also bones a lot of WP functionality like being able to automatically install skins/plugins.

Using some Apache module (can't remember which one) I've set it up so that requests made to /wp-admin under the correct Apache port operate under a different user - one that /does/ have write access to the disk. So it means I can do any administrative stuff and take advantage of the full WP functionality without having to leave write access in there for normal use.

Conceptually this seems like a much more default setup for WP - certainly I haven't had any security problems. As a side benefit it means I don't need to worry about random attacks like this.

There's a few minor problems I haven't resolved (most notably when adding new posts, the URL it stores for them includes the administrative port in them and publicly displays them in things like the RSS feed :) but I'm hoping to find time one day to resolve those.

using the username "admin"

duh....

NEVER EVER use the default administrator login name for a public-facing site management interface.

and if you can, at least lock down the admin interface login URL with an extra layer, even basic http auth or some htaccess deny/allow rules will help immensely.

Re:using the username "admin"

[betterprimate]

Someone more informed can correct me, but that to me sounds like you having said to never use root. To not use admin as a general rule sounds like cutting off the nose to spite the face. Not to mention that it's impractical.

If you have to come to the decision in excluding admin, then you probably have more issues and security policies that you need to focus on.

Re:GOD FORBID...

[Algae_94]

God forbid someone gets access to a hosting company that is so bad a clients blog can gain access to their server.

Problem solved....

I just enabled conn limit on the (CSF) firewall on the web server then limit port 80 to 30 connections per IP.. any more than 30 connections from an IP and it gets temp ban for an hour. Since they are hitting the server with so many connections its a instant ban for the abusers. Solved the whole problem for me..

404 errors

[tibbar]

change the wp-login.php name to wp-ThwartSupidScriptBotts-login.php or whatever variant you like
(and one other place in the code, if i remember correctly)
I'm getting 3000+ 404 errors a month from seemingly random IP

scripts cant deal with various names (though you may want to remember what the log in is )

Off topic

[Gazzonyx]

Your user name... you don't happen to live in the Mount Pocono area, do you?

Re: Off topic

[PoconoPCDoctor]

Nope. East Stroudsburg. Used to fix PC's on the side a while back. Hence the name.

Re: Off topic

[Gazzonyx]

Huh, small world. I grew up on the Stroudsburg/Bartonsville line and went to Pocono Mountain. But I left there in 2004. There used to be a couple of computer shops in the area, but I think they're mostly gone now.

missing info

[Zurd3]

all articles either are not saying what is the purpose or just talking about creating a zombienet for future use, but one wordpress I know of got hacked just 2 weeks ago by brute-forcing his way in, then someone was able to install a plugin call "boss" which was the r57shell and with this script, was able to put new files in the blog which was serving 7727 websites with a virus when someone visited their site and didn't had flash. The virus in question was the trojan Meredrop, so the wordpress got hacked and was already being used for spreading a trojan. It's high time that WordPress install by default Login Lockdown or Limit Login or some plugins like that, can't believe they don't put it by default.

Re:missing info

No plugin will help, I'm sorry. It's just too large of an attack - one IP, one login attempt.

Follow this guide:

http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

It's not just trojans, a variety of very advanced malware is being distributed, including TDL3 or TDSS. If your blog was infected, you need a security professional to look for rootkits on your computer. Some of the hacked blogs do nothing, some send spam, some attack other sites, and some distribute malware, or any combination of these tasks and several others.

Follow the guide above and get your computers cleaned. Also keep sharing the guide so people know the correct way to respond. There is far too much bad advice being passed around right now about this attack and what people affected should be doing. Educating users should be the first priority if we want to get past this.

Spam disguised as a Slashdot Article...

[critter42b]

" CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services." - and there's the meat of this whole post. Like the "Unprecedented DNS attacks" from a couple of weeks ago, if you follow the trail of this article it is nothing but a press release from CloudFlare designed to whip everyone into a frenzy and buy their product to protect them. - 90,000 hosts? Haven't we seen attacks with half a million or more hosts?