Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wordpress Sites Under Wide-Scale Brute Force Attack

Posted by Soulskill on from the pressing-all-the-words dept.

New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.

2 of 110 comments (clear)

  1. How to Respond to the Global Wordpress Attacks by CallADeveloper · · Score: 3, Interesting

    I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.

    1. Re:How to Respond to the Global Wordpress Attacks by CallADeveloper · · Score: 1, Interesting

      You mean "correct horse battery staple" and unfortunately that is terrible advice - any password under 50 characters made of only lowercase letters will be broken by the most basic brute force. And their dictionary is impressive, we've been pulling the POSTDATA and checking what they are doing. The rotation of usernames in itself is scary - even non "admin" users are not protected. This is why I suggest a 30 character password and in fact you should be using a similar method to generate your admin username. Even that can be cracked with a botnet of sufficient size, which is exactly what they are trying to build. They have a LOT of CPU power at their disposal between the infected PCs and the infected servers (which often have 32+ cores and 100GB+ of memory to play with).