Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wordpress Sites Under Wide-Scale Brute Force Attack

Posted by Soulskill on from the pressing-all-the-words dept.

New submitter NitzJaaron writes "Some of us have been experiencing attacks on Wordpress sites for the last few days, but it's now beginning to be widely reported that there's a fairly large brute force attack happening on Wordpress users on multiple hosts, including HostGator and LiquidWeb. 'This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.' CloudFlare has announced that they're giving all users (free and paid) protection from said attacks with their services. 'The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords.'" Further reports available from Immotion hosting and Melbourne server hosting.

9 of 110 comments (clear)

  1. Seems like..... by n3tm0nk · · Score: 3, Insightful

    something they should have been prepared for in the first place......

    1. Re:Seems like..... by jakimfett · · Score: 5, Informative

      Yet another reason to specify a non-default administrator username in the original install. And to use passphrases instead of passwords. Easier to remember, and there's almost no way to brute force a thirty character password.

      --
      Bits of code, random ramblings: jakimfett.com
    2. Re:Seems like..... by Electrawn · · Score: 4, Informative

      No, the wp-admin folder is rather hard coded.

    3. Re:Seems like..... by Zamphatta · · Score: 3, Informative

      And it's another reason to temporarily lock out an account from logging in, if there's too many wrong guesses at the password in a very short period of time. There might be a Wordpress plug-in for something like that, but I don't think it's in Wordpress's core, and it really should be in the core of any web system. It adds tons of security all by itself.

  2. limit login attempts by interkin3tic · · Score: 5, Insightful

    advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

    Not being familiar with wordpress, I'll ask why isn't that on by default?

    1. Re:limit login attempts by preaction · · Score: 5, Insightful

      Because it increases the number of support requests dramatically.

    2. Re:limit login attempts by sabt-pestnu · · Score: 3, Insightful

      >>advising all our clients who use WordPress to install an additional plugin 'Limit Login Attempts' that will help to prevent brute force attacks

      > Not being familiar with wordpress, I'll ask why isn't that on by default?

      What could be a simpler way to deny an administrator access to his own account than by a "limit login attempts" that limits attempts on a per-account basis (vs a per-IP address basis)?

      And if the attack is "one attempt per site per zombie", limiting on a per-IP basis has no teeth.

      <ignorant_speculation>Of course, if you have created an admin account that's not NAMED admin, you won't be locked out. And if you change the account named "admin" to having lower privileges, even better.</ignorant_speculation>

  3. Re:Little do they know... by Quirkz · · Score: 5, Funny

    That's why I changed mine from username 'admin' with a blank password to password 'admin' with a blank username. They'll never guess that one!

    --
    The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
  4. How to Respond to the Global Wordpress Attacks by CallADeveloper · · Score: 3, Interesting

    I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.