Since 12 April 2013, the WordPress blog system world-wide is facing its most serious coordinated brute force attack. Some WordPress hosts have reported that they have blocked as many as 60 million requests against their hosted WordPress customers in a single hour.
This attack, which targets administrative accounts, appears to be coming from a sophisticated botnet that may have as many as 100,000 computers, based on the number of unique Internet addresses the attacks are coming from.
And Internet security experts have estimated that the botnet has the power to test as many as 2 billion passwords in an hour.
WordPress users should always make sure that their passwords, especially for admin accounts, are long and not guessable from a password list. Of course, that’s good advice for just about any password you use, but it’s especially applicable right now.
While it’s difficult to tell what the aggressor is trying to accomplish with this current round of password cracking, the consequences could be disastrous. It has been suggested that the perpetrator could be trying to upgrade a botnet composed of ordinary PCs into one that is made up of servers.
Last year, a brute force attack against Joomla sites created a server-grade botnet, created with a tool called Brobot, that overwhelmed US financial institutions with DDoS attacks.
One risk is that personal bloggers who set up WordPress installations might not have thought to set up a highly secure password. However, it’s not just the blogger’s posts that are at stake, as the attacker could potentially use the login to gain access to the hosting server, a more valuable prize that could cause even more damage.
This botnet is going around all of the WordPress blogs it can find trying to log in with the “admin” username and a bunch of common passwords.
If you still use “admin” as a username on your blog, change it, use a strong password, and better still change the name of the admin account to something else, which will certainly block the botnet attack.
I personally run 7 WordPress blogs, excluding this GERGABlog, and a year or so ago, after an attack crippled 3 of the sites, I removed the default “Admin” account and set very strong passwords on all of them.
On Friday evening I installed a small plugin, recommended by my hosting company, which blocks an Internet address from making further attempts after a specified limit of retries is reached. I set the plugin to log all Internet addresses that had been locked out, and after barely 30 minutes, 3 of my 7 blogs had logged more than 5 Internet addresses that had tried to attack my blog and had been locked out. I could see that the attack was underway and was very glad that my paranoia had paid off!
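To show what the plugin described above is doing under the hood, here is an added example (written for this post, not the plugin's own code) that replays constructed web-server access-log lines, counts failed logins per Internet address inside a sliding window, and locks the address and logs the lockout once the retry limit is reached. It assumes that a POST to wp-login.php answered with status 200 is a failed login (WordPress re-renders the form) and that a successful login redirects with 302.

```python
"""Per-IP lockout replayed over web-server access logs: an added example of the
'block an address after N retries' behaviour the post describes, not the plugin's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Apache combined-log prefix. Assumption: a POST to /wp-login.php answered 200 is
# WordPress re-rendering the form (failed login); a successful login redirects (302).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:21:03:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
198.51.100.9 - - [12/Apr/2013:21:03:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [12/Apr/2013:21:03:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [12/Apr/2013:21:03:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [12/Apr/2013:21:03:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
198.51.100.9 - - [12/Apr/2013:21:03:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Apr/2013:21:03:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
203.0.113.7 - - [12/Apr/2013:21:03:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
"""  # constructed sample: 203.0.113.7 hammers the form; 198.51.100.9 mistypes once
class LoginLockout:
    def __init__(self, max_retries=5, window=timedelta(minutes=5), lockout=timedelta(minutes=20)):
        self.max_retries, self.window, self.lockout = max_retries, window, lockout
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.locked_until = {}              # ip -> when the lock expires
        self.lockout_log = []               # (ip, locked_at), like the plugin's log
    def is_locked(self, ip, now):
        return now < self.locked_until.get(ip, now)
    def record_failure(self, ip, now):
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout
            self.lockout_log.append((ip, now))
            recent.clear()
def analyse(log_text, max_retries=5):
    """Replay login POSTs through the lockout; return (locked IPs, attempts it would have blocked)."""
    lock, blocked = LoginLockout(max_retries), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m['path'].startswith('/wp-login.php'):
            continue
        now = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if lock.is_locked(m['ip'], now):
            blocked += 1          # rejected before reaching WordPress
        elif m['status'] == '200':
            lock.record_failure(m['ip'], now)
        else:
            lock.failures[m['ip']].clear()  # successful login resets the counter
    return [ip for ip, _ in lock.lockout_log], blocked
```

With the sample log, `analyse(SAMPLE_LOG)` locks 203.0.113.7 on its fifth failure and would have blocked the one attempt that follows, while the address that succeeded on its second try is left alone.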