There is a very real ongoing attack against WordPress sites. We wish we could say this is a new threat, but it’s not; it’s an old security hole. This round of the threat has been going on for a while now, but it escalated severely in the last month.
There are a lot of blog posts about this situation around the web, and we thought we would write this post for two reasons:
- not everyone with WordPress sites follows the WordPress news
- most of the coverage has been either extremely technical or very light on details and recommendations. Our goal in this post is not only to inform you about what is happening, but also why it is happening and what you can do about it.
What was the Problem?
Quite simply, this is one or more illegal botnets (a network of probably millions of hacked PCs that are being exploited to perform attacks, send spam, etc.) being used to brute-force WordPress logins. The aim of a brute-force attack is to try as many username and password combinations as possible in order to find your real login details.
It’s as if someone were trying to guess the combination on a combination lock, but rather than being limited to a single guess every few seconds, they could make thousands of guesses a second while never getting tired.
It’s important to see that this is NOT a person, but a MACHINE. It’s not some little person at a PC typing in passwords!
Why were they doing this?
As described above, probably thousands of botnet machines were being used to perform these attacks. While the real aim of these attacks is still unknown, we can assume that the purpose is to hack into more systems, thus increasing the size and strength of the botnets.
There are plenty of descriptions around the web of the most common kinds of attacks that botnets carry out. Botnets can be used to shut down websites (most common), compromise high-security systems (these are the real hackers), commit fraud (looking for the passwords to your bank accounts), send spam, and a load of other illegal activities.
The reality is that botnets are big business nowadays. In the interest of the security of all of us using the internet, it is the responsibility of all of us who have WordPress websites to do our little Monkey Bit to prevent our systems from being compromised and becoming part of the problem.
What actually was The Threat?
There are two threats to your sites during this attack: a threat from the login attempts and a threat if a login is successful.
Each time WordPress gets a login attempt, the server’s resources are used. If the attacker starts sending hundreds or thousands of login attempts a second, the website’s performance suffers.
If the botnet is actually able to log in, then your entire website and server could be compromised.
If the compromised user has the Administrator role, the attacker can modify anything on your site. They could add new files, modify existing files, add additional users in case the password of the compromised user is changed, inject malware into the output of your site, turn your hosting account into a spam bot, and do anything else an attacker could possibly want a random server for.
How is this actually done?
These attacks focused on guessing the password for the “admin” user. 99% of the login attempts that have been recorded have been for the “admin” user. The rest are mostly for the usernames “administrator” or “Admin”.
There were a few that tried using the domain name as the username. For example, they would guess “armyofflyingmonkeys” when trying to log into the armyofflyingmonkeys.com site.
The bots also tried a couple of other usernames: “editor” and “moderator”.
They also guess fairly simple passwords. We all know that people have a very bad habit of choosing very weak passwords. Unfortunately, the passwords that are easy for us to remember are also easy to guess.
Looking at the most common passwords guessed by these botnets, these come out on top as the most frequently guessed ones:
Definitely nothing but a pattern of basic English words and easy-to-type letter or number sequences. These are guessed so often because they are likely to work on the largest number of sites. In other words, they are being guessed because (some really silly) people still use such passwords.
What to do?
It would be a good idea not to have any users with the username “admin”, “editor”, or “moderator” on your site.
“NO CHANGE THERE THEN!” shouts our Chief Security Monkey!
Yup, as simple as that! We haven’t allowed anything THAT silly by any of our clients for years. Hence this botnet hiccup didn’t hit ANY of our Army Websites… Simple, huh?
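As an added example (not code from the original post), here is a small Python script doing two checks a site owner might want after reading the above: spotting a burst of login POSTs to WordPress’s wp-login.php in a web server access log, and flagging account names on the botnet’s guess list, including the domain-name-as-username trick. The log lines are constructed, and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines (not real traffic): one source hammering
# the WordPress login endpoint and one ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def login_attempts(log_text):
    """Map each client IP to the sorted timestamps of its POSTs to wp-login.php."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return {ip: sorted(ts) for ip, ts in attempts.items()}

def flag_bruteforce(log_text, threshold, window_seconds):
    """Return IPs that sent >= threshold login POSTs within any window_seconds span."""
    flagged = []
    for ip, stamps in login_attempts(log_text).items():
        start = 0
        for end, t in enumerate(stamps):
            # advance the window start until it is within window_seconds of t
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

# The usernames the post reports the botnet guessing.
RISKY_USERNAMES = {"admin", "administrator", "editor", "moderator"}

def risky_usernames(usernames, site_domain):
    """Usernames matching the guessed names above or the bare domain label (case-insensitive)."""
    host = site_domain.lower()
    if host.startswith("www."):
        host = host[4:]
    targets = RISKY_USERNAMES | {host.split(".")[0]}
    return [u for u in usernames if u.lower() in targets]
```

Feed `flag_bruteforce` your real access log and the flagged IPs are candidates for blocking at the firewall or web server; `risky_usernames` takes the user list from your WordPress admin screen.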