Slashdot Mirror


Wordpress Sites Under Wide-Scale Brute Force Attack

New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.

18 of 110 comments

  1. Seems like..... by n3tm0nk · · Score: 3, Insightful

    something they should have been prepared for in the first place......

    1. Re:Seems like..... by jakimfett · · Score: 5, Informative

      Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.

      --
      Bits of code, random ramblings: jakimfett.com
    2. Re:Seems like..... by DougOtto · · Score: 2

      This.

      Based on the dictionary they're using for this attack, all that's required to thwart it is a capital letter.

      --
      Solving Unix problems since 1989...
    3. Re:Seems like..... by DougOtto · · Score: 2

      Unfortunately, no. It is, however, easy enough to protect with .htaccess

      --
      Solving Unix problems since 1989...
    4. Re:Seems like..... by Electrawn · · Score: 4, Informative

      No, the wp-admin folder is rather hard coded.

    5. Re:Seems like..... by Zamphatta · · Score: 3, Informative

      And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

  2. really? by bmimatt · · Score: 2

    I see automated attacks on wordpress sites in the logs all the time.  Same with phpmyadmin and other popular FOSS software.  What else is new?
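The comment above is about spotting these attacks in the logs. As an added example (not code from Slashdot, the commenters, or WordPress), here is a small Python triage script that runs over a few constructed Apache combined-format log lines (hypothetical addresses and timestamps) and separates the two patterns the thread discusses: one address hammering wp-login.php, which a per-IP limiter would catch, and many addresses making one guess each, which it would not. It assumes the common WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302, and it flags login POSTs with no Referer, which is what the .htaccess rule later in the thread keys on.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache "combined" log lines (not real traffic): one noisy source,
# five single-attempt sources, one ordinary page view and one successful login.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.21 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.24 - - [12/Apr/2013:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.25 - - [12/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Apr/2013:10:01:10 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 9120 "http://example.com/" "Mozilla/5.0"
192.0.2.11 - - [12/Apr/2013:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def login_posts(log_text):
    """All POST requests to wp-login.php, i.e. login form submissions."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs
            if r and r['method'] == 'POST' and r['path'].split('?')[0] == '/wp-login.php']


def analyse(log_text, per_ip_threshold=3, distributed_threshold=5):
    """Summarise login traffic: noisy single sources vs. a spread-out, low-rate attack."""
    posts = login_posts(log_text)
    # Assumed heuristic: a failed wp-login.php POST re-renders the form with 200,
    # a successful one redirects (302) to the dashboard.
    failed = [r for r in posts if r['status'] == 200]
    per_ip = Counter(r['ip'] for r in failed)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    low_rate = [ip for ip, n in per_ip.items() if n < per_ip_threshold]
    span = (posts[-1]['ts'] - posts[0]['ts']).total_seconds() if posts else 0.0
    return {
        'login_posts': len(posts),
        'failed': len(failed),
        'noisy_ips': noisy,                          # what a per-IP limiter would catch
        'low_rate_ips': len(low_rate),               # what it would miss
        'distributed': len(low_rate) >= distributed_threshold,
        'no_referer': sum(1 for r in posts if r['referer'] == '-'),
        'seconds': span,
    }


if __name__ == '__main__':
    for key, value in analyse(SAMPLE_LOG).items():
        print('%-14s %s' % (key, value))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the "distributed" flag is the case where per-IP blocking has nothing to bite on and only a per-request check (no Referer, direct POST) or a per-account control will help.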

  3. limit login attempts by interkin3tic · · Score: 5, Insightful

    advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

    Not being familiar with wordpress, I'll ask why isn't that on by default?

    1. Re:limit login attempts by preaction · · Score: 5, Insightful

      Because it increases the number of support requests dramatically.

    2. Re:limit login attempts by sabt-pestnu · · Score: 3, Insightful

      >>advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

      > Not being familiar with wordpress, I'll ask why isn't that on by default?

      What could be a simpler way to deny an administrator access to his own account than by a "limit login attempts" that limits attempts on a per-account basis (vs a per-IP address basis)?

      And if the attack is "one attempt per site per zombie", limiting on a per-IP basis has no teeth.

      <ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>
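Zamphatta's suggestion of a temporary lockout and sabt-pestnu's objection to it are two sides of the same design choice, so here is one added example (not from the page, not the Limit Login Attempts plugin, and not WordPress code) that implements a lockout keyed either per account or per source address and then runs both against the two attack shapes described in the thread. The credential store, addresses and timings are constructed for the demo.

```python
from collections import defaultdict

# Constructed credential store for the demo; a real site checks hashed passwords.
CREDENTIALS = {
    'admin': 'correct horse battery staple',
    'site_owner': 'wrong chicken battery staple',
}


def credential_check(username, password):
    return CREDENTIALS.get(username) == password


class LoginThrottle:
    """Temporary lockout after too many failures inside a time window.

    key_mode='account' locks the username (a per-account limiter);
    key_mode='ip' locks the source address (a per-IP limiter).
    In-memory and single-process: an illustration of the policy, not a plugin.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, key_mode='account'):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.key_mode = key_mode
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def _key(self, username, ip):
        return username if self.key_mode == 'account' else ip

    def is_locked(self, username, ip, now):
        until = self.locked_until.get(self._key(username, ip))
        return until is not None and now < until

    def record_failure(self, username, ip, now):
        key = self._key(username, ip)
        recent = [t for t in self.failures[key] if now - t <= self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            self.failures[key] = []

    def attempt(self, username, password, ip, now, check=credential_check):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        if self.is_locked(username, ip, now):
            return 'locked'
        if check(username, password):
            self.failures.pop(self._key(username, ip), None)
            return 'ok'
        self.record_failure(username, ip, now)
        return 'fail'


def simulate(key_mode, distributed):
    """20 wrong guesses at 'admin', then the real owner logs in from a fresh address.

    distributed=True sends each guess from a different address (one try per zombie);
    distributed=False sends all 20 from the same address.
    """
    throttle = LoginThrottle(key_mode=key_mode)
    blocked = 0
    for i in range(20):
        ip = '203.0.113.%d' % (i + 1) if distributed else '203.0.113.1'
        if throttle.attempt('admin', 'guess%d' % i, ip, now=i) == 'locked':
            blocked += 1
    owner = throttle.attempt('admin', CREDENTIALS['admin'], '198.51.100.1', now=25)
    # Same owner, but with an account that is not named "admin".
    renamed = throttle.attempt('site_owner', CREDENTIALS['site_owner'], '198.51.100.1', now=26)
    return {'guesses_blocked': blocked, 'owner_login': owner, 'renamed_owner_login': renamed}


if __name__ == '__main__':
    for mode in ('account', 'ip'):
        for spread in (True, False):
            print(mode, 'distributed' if spread else 'single-ip', simulate(mode, spread))
```

The per-account mode stops guesses after five failures but locks the real administrator out with them, which is exactly the support-ticket generator preaction describes; the per-IP mode never triggers against one guess per address, while an account that is not called "admin" is unaffected in either mode.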

  4. Re:Little do they know... by Quirkz · · Score: 5, Funny

    That's why I changed mine from username 'admin' with a blank password to password 'admin' with a blank username. They'll never guess that one!

  5. Re:That's why remote admin/root shouldn't be allow by Quirkz · · Score: 2

    The no remote admin access makes sense for a computer login, but for a web-based app like WordPress often run on a remote hosting account there's no such thing as "local" access. Or I suppose there is, but most users don't have access to the host server and wouldn't know how to use it even if they did.

  6. Admin wasn't just the default password by quixote9 · · Score: 2

    I've used Wordpress since forever (2006?), and I seem to remember that at least back in the bad old days the admin username had to be "admin." Nothing else. There are probably millions of people who set their blogs up back then and haven't looked at that setting since.

    I wonder what they're doing this for? What does blowing up a planet's worth of little blogs get anyone? Does anyone know what this thing actually does?

    1. Re:Admin wasn't just the default password by jakimfett · · Score: 2

      I saw this same question asked further up the comment line, and I think it's the key. They aren't targeting wordpress blogs. The attacks have to be a smoke screen for *something else*, whatever that something else is. Maybe this is yet another Chinese attack. Maybe it's anonymous (I'll wait while you finish laughing...and yeah, it's not anonymous, they couldn't pull off anything close to this order of magnitude and coordination level), or maybe it's th3j35t3r's evil twin. But it'll be something nasty if/when it ever comes to light.

      --
      Bits of code, random ramblings: jakimfett.com
    2. Re:Admin wasn't just the default password by CallADeveloper · · Score: 2

      They are building a botnet of powerful webservers. We are already seeing them move on from Wordpress blogs, the attacks are not over. The current payloads are primarily spam and attacking other sites (using PHP and Perl scripts injected or uploaded to Wordpress sites), but the main point is to infect as many computers and servers as possible to gain more computing power. Now is a good time to secure your Joomla, Drupal, ZenCart, X-Cart, and even HTML (!) sites. It appears the attackers are now experimenting with various SSL attacks, pulling various configuration files, and trying to get into databases, primarily on shopping carts. This may just be another distraction though, which is a common tactic in the world of hackers. If the distraction is big enough it will always draw attention away from what you are really doing...

  7. How to Respond to the Global Wordpress Attacks by CallADeveloper · · Score: 3, Interesting

    I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.

    1. Re:How to Respond to the Global Wordpress Attacks by rduke15 · · Score: 2, Informative

      The useful part of that blog post seems to be:

      # Return 403 for POSTs to the login page or admin area unless the
      # Referer is this site (any subdomain); the automated attack POSTs
      # directly with no Referer. Replace example.com with your own host.
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} =POST
      RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
      RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^/wp-admin$
      RewriteRule ^(.*)$ - [R=403,L]

      (The logic makes sense. I haven't tested the syntax yet)

      It also suggests an insane 30-character password abomination:

      for example the relatively strong password: th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply "thislittlepiggysecuredtheirWordpresssite" with i->1, s->$, e=3, and o->0 (zero)

      I prefer "wrong chicken battery staple", which is probably not in the attacker's dictionary.

  8. MY ISP got hacked... by PoconoPCDoctor · · Score: 2

    And the blog I run is for my church. He said he did not know how this happened. Someone hacked a blog running an unpatched Drupal blog. This is what he said, anyway. Then used that breach to hack everything else. Since I could not determine what had been hacked/changed on the church blog (user accounts were created that I did not create!), I wiped it, deleted all the databases and started from scratch. So it isn't just crappy blogs - although if you happen to be a godless nerd you may think my church blog is crappy anyway.... B-) I support your right to be a godless nerd.

    --
    "Let us raise a standard to which the wise and honest can repair" - George Washington