Wordpress Sites Under Wide-Scale Brute Force Attack
New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'"
Further reports available from Immotion hosting and Melbourne server hosting.
Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.
Bits of code, random ramblings: jakimfett.com
No, the wp-admin folder is rather hard coded.
The useful part of that blog post seems to be:
RewriteEngine on
# Only look at POST requests (i.e. submitted login forms)...
RewriteCond %{REQUEST_METHOD} =POST
# ...whose Referer is not this site (case-insensitive; the dots are escaped so
# they match a literal "." and the scheme may be http or https). Note a bot can
# send any Referer it likes, so this filters naive bots rather than a determined attacker.
RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?example\.com [NC]
# ...and that are aimed at the login script OR the admin directory
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
# Answer 403 Forbidden (R=403 drops the substitution and stops, like F) and stop processing rules
RewriteRule ^(.*)$ - [R=403,L]
(The logic makes sense. I haven't tested the syntax yet)
It also suggests an insane 30-character password abomination:
for example the relatively strong password: th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply "thislittlepiggysecuredtheirWordpresssite" with i->1, s->$, e->3, and o->0 (zero)
I prefer "wrong chicken battery staple", which is probably not in an attacker's dictionary.
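Added worked example (my own code, not from the thread or any blog post it links): it puts numbers on the three password styles discussed above, the thirty random characters, the "little piggy" phrase with i/s/e/o substitutions, and a four-word passphrase. The word-list size (7776), the 95-symbol character set, the offline guessing rate (1e9/s) and the 10 POSTs per second per bot are assumptions; only the 90,000 attacking IPs come from the summary.

```python
import math

# Constructed assumptions for this worked example (not figures from the thread,
# except the 90,000 attacking IPs, which the summary reports).
PRINTABLE_ASCII = 95                 # symbols a random password can draw from
WORD_LIST_SIZE = 7776                # a common diceware-style word list
OFFLINE_RATE = 1e9                   # guesses/s against a stolen password hash (assumed)
ONLINE_RATE = 90_000 * 10            # 90,000 bots at an assumed 10 login POSTs/s each
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The substitutions the "piggy" password applies (from the thread).
LEET_MAP = {"i": "1", "s": "$", "e": "3", "o": "0"}


def random_password_bits(length, charset_size=PRINTABLE_ASCII):
    """Search space, in bits, of `length` symbols chosen uniformly at random."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count, dictionary_size=WORD_LIST_SIZE):
    """Search space of `word_count` words drawn uniformly from a known list.

    The attacker is assumed to know the list; only the word choices are secret.
    """
    return word_count * math.log2(dictionary_size)


def substitutable_letters(phrase):
    """How many letters in the phrase could take a LEET_MAP substitution."""
    return sum(1 for ch in phrase.lower() if ch in LEET_MAP)


def leet_phrase_bits(phrase, dictionary_size=WORD_LIST_SIZE):
    """(lower, upper) bound in bits for a dictionary phrase with leet substitutions.

    Lower bound: the rule is applied to every eligible letter, so a cracker that
    tries the rule as a whole gains nothing beyond the phrase itself.
    Upper bound: each eligible letter is substituted or not independently, which
    is worth at most one extra bit per letter.
    """
    base = passphrase_bits(len(phrase.split()), dictionary_size)
    return base, base + substitutable_letters(phrase)


def years_to_exhaust(bits, rate):
    """Time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def report():
    """Compare the password styles discussed in the thread, offline vs. online guessing."""
    piggy = "this little piggy secured their Wordpress site"
    rows = [
        ("30 random printable chars", random_password_bits(30)),
        ("4 words from a 7776-word list", passphrase_bits(4)),
        ("7-word leet phrase (lower bound)", leet_phrase_bits(piggy)[0]),
        ("7-word leet phrase (upper bound)", leet_phrase_bits(piggy)[1]),
    ]
    for name, bits in rows:
        print(f"{name:34s} {bits:6.1f} bits  "
              f"offline: {years_to_exhaust(bits, OFFLINE_RATE):9.3g} y  "
              f"online: {years_to_exhaust(bits, ONLINE_RATE):9.3g} y")


if __name__ == "__main__":
    report()
```

The point the numbers make: a four-word passphrase survives the online attack in the summary for over a century of continuous guessing, but falls in weeks to an offline attack on a leaked hash, while thirty random characters are out of reach either way. The leet substitution adds at most one bit per changed letter, and nothing at all if it is applied uniformly as in the example above.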
And it's another reason to temporarily lock out an account from logging in if there are too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.
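Added example of the lockout idea (my own code, not Wordpress core or any plug-in): a throttle that tracks failed logins per key in a sliding window and locks the key for a while once a threshold is hit. Keying on both the account name and the source IP matters for the attack in the summary, where 90,000 hosts each make a handful of guesses at "admin": a per-IP lockout alone never fires, while a per-account lockout stops it after a few attempts. The thresholds (5 failures in 5 minutes, 15-minute lockout), the address ranges and the attempt counts are constructed for the simulation.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Temporary lockout after too many failed logins in a short window.

    Every key is tracked independently, so one throttle can lock an account
    name (catches many hosts guessing one user, as in the thread) and a source
    IP (catches one host guessing many users) at the same time.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout expired: start fresh
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Register one failed attempt; returns True if it triggered a lockout."""
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures[key].clear()


def login_allowed(throttle, username, ip, now):
    """Refuse the attempt if either the account or the source address is locked."""
    return not (throttle.is_locked("user:" + username, now)
                or throttle.is_locked("ip:" + ip, now))


def simulate_distributed_attack(sources=90_000, attempts_per_source=1):
    """Constructed model of the thread's attack: many IPs, all guessing 'admin'.

    Returns (per-IP lockouts, attempt number that locked the account, attempts refused).
    """
    throttle = LoginThrottle()
    ip_lockouts = refused = attempt = 0
    account_locked_at = None
    now = 1_700_000_000.0                     # constructed clock, one attempt per millisecond
    for i in range(sources):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed source address
        for _ in range(attempts_per_source):
            attempt += 1
            now += 0.001
            if not login_allowed(throttle, "admin", ip, now):
                refused += 1
                continue
            ip_lockouts += throttle.record_failure("ip:" + ip, now)
            if throttle.record_failure("user:admin", now) and account_locked_at is None:
                account_locked_at = attempt
    return ip_lockouts, account_locked_at, refused


def simulate_single_source(attempts=20):
    """One IP guessing a different username each time; here the per-IP lockout does the work.

    Returns (attempt number that locked the IP, attempts refused).
    """
    throttle = LoginThrottle()
    refused = 0
    ip_locked_at = None
    now = 1_700_000_000.0
    for k in range(1, attempts + 1):
        now += 0.5
        if not login_allowed(throttle, f"user{k}", "198.51.100.7", now):
            refused += 1
            continue
        throttle.record_failure(f"user:user{k}", now)
        if throttle.record_failure("ip:198.51.100.7", now) and ip_locked_at is None:
            ip_locked_at = k
    return ip_locked_at, refused


if __name__ == "__main__":
    print("distributed attack (ip lockouts, account locked at, refused):", simulate_distributed_attack())
    print("single source (ip locked at, refused):", simulate_single_source())
```

The trade-off worth noticing in the distributed run: the account-level lockout that stops the bots also locks out the real "admin" for the lockout period, which is a denial of service the attacker gets for free. That is why it pairs well with the advice earlier in the thread to not have an account called "admin" at all, and why real deployments usually add an allow-list for the administrator's own addresses or a progressive delay instead of a hard lock.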