Spring Brings Brute Force Attacks on Wordpress sites

2013 Botnet Attacks on Wordpress based websites

Around mid-April news of attacks on WordPress based websites was spreading fast. Described as brute-force attacks, these botnets are intent on gaining access to websites by repeatedly hammering away at the administrative login. Some sources reported the April 2013 attack as being the worst ever.

The botnet’s job is to attack your WordPress login in an attempt to get the right combination of username and password that gets them logged in as the website administrator. In case you’re not quite grasping the seriousness of this, it means if they gain access they are LOGGED IN AS YOU or whoever your site administrator is.

What are Botnets?

I’m not going to get into a bunch of techno-mumbo-jumbo of what a botnet is or does. If you want more info, here’s a link to the Wiki for the definition of Botnet. The condensed version is that botnets are a network of thousands of computers used as a tool by hackers for their no-good purposes. This particular attack has been reported as being sophisticated, well-organized and to be coming from more than 100,000 computer IP addresses.

What Happens if Hackers Get In?

It’s a free-for-all and the balls in their court. Are you scared yet? You should be.

With administrative access to your site, they can do everything the administrative account holder can do. Although I could find no evidence of this particular attack modifying your files or making changes to your site, it is something that hackers have been known to do and they won’t care what your site looks like or what it says when they’re done. They may steal your data and if you store credit card or other personal information this can be particularly troublesome, use your hosting account to hack into other sites on the same server or go on a spam spree using YOUR email address. Some sites have been infected with malware after being hacked. Whatever the purpose of any attack is, if successful I assure you that the results won’t be pretty and can be quite damaging and expensive to fix.

Do These Attacks Cause Other Problems?

Yes. They drain server resources and your site’s performance suffers from the constant login attempts. Think jackhammer — brute-force attacks attempt to login more than a 100 times per second. Furthermore, depending on your hosting service your site could be shut down completely for using more than its share of the server resources.

Is This Kind of Attack New?

Absolutely not, and it didn’t surprise me one bit to hear of it. According to what I found, the first reported large scale attack of this nature occurred in October of 2012 when wordpress.com reported that 50,000+ websites had been similarly compromised.

Why WordPress?

There are so many websites built on WordPress that it’s a common target for hackers and so I firmly believe that one can never be too careful with WordPress sites.

Although I take security precautions when setting up a WordPress site, I never consider any preventative steps to be 100% hacker-safe. Think about it. You pretty much can’t read or listen to the news anymore without there being some reported instance of Internet infiltration somewhere. Security breaches, online identity theft or banking fraud are often news headlines.

I never assume that even with the precautions I take that mine or my client’s sites are immune to being bot-zinged or hacker-ized. Hackers have nothing better to do with their lives and get their jollies from hurting people. They live and breathe to find workarounds to the security workarounds. I do not foresee this changing in my lifetime and you’d have to be living under a mushroom to not see that it’s quite obviously getting worse as time passes.

An Ounce of Prevention

Website owners need to be pro-active in order to help protect their investment. For the most part, this attack follows a pattern of targeting common, generic and easy to guess usernames such as; admin and variations of admin, moderator, qwerty, 123456 and usernames that have a rhythm to them.

If you have more than one website, do not use the same login credentials for multiple sites. Doing so only makes it easier for the botnets to be successful.

I can’t urge you enough to get creative with your usernames and security minded with your passwords. I stopped using admin-like usernames and easy to remember passwords a very long time ago. Not wanting to be bothered with having to go look up their login credentials, website owners want simplicity. They want to use their pet’s name, their kid’s names, their birthdays and other simple passwords which allow them quick and easy access. My response to this is, if you have quick and easy access – so do the hackers.

I suggest you read this from the WordPress Codex on brute force attacks and Passwords and Brute Force written by Matt Mullenweg which is a quick read that will show you how to change your usernames and passwords.

Leave a Reply

Your email address will not be published. Required fields are marked *