WordPress blogs and more under global attack - check your passwords now!

Filed Under: Botnet, Featured, Security threats

If you have a web service that supports remote users, you will know that malevolent login attempts are an everyday occurrence.

Even on my own home-hosted SSH server, listening unassumingly on an IP number on a DSL line, I've seen thousands of login attempts from dozens of different IP numbers in the course of a single day.

But hosting providers worldwide are reporting that they've been seeing systematic attempts, over the last 48 hours or so, to breach blogs and content management systems (CMSes) at well above average levels.

The primary target seems to be WordPress, with Joomla users also reportedly getting a bit of a hammering.

Word from the anti-DDoS world is that a botnet is responsible, with estimates of "up to 90,000," "more than tens of thousands," and "up to 100,000" infected computers (all those figures can be true at the same time, of course) orchestrating the felonious login attempts.

Since it would take too long to try every possible username and password on every known WordPress or Joomla server, this onslaught is using what is known as a dictionary attack.

That's where a crook settles on a list of the most likely usernames and passwords, and tries those in quick succession.

The idea is simple: automate the password guessing, speed up the attack, and don't spend too long on any individual site.

Look for the low-hanging fruit, and harvest it as quickly as you can; if you can't get in within a few hundred or thousand attempts, move on to the next potential victim.

It's doorknob rattling, but on an industrial and international scale.

Tireless cybercrime and underweb reporter Brian Krebs has published a list of sample WordPress usernames and passwords used in this attack, courtesy of security breach cleanup company Sucuri.

The top thirteen generically chosen dictionary entries for username and password are shown in the accompanying image.

It's worth a look at the list, if only to reassure yourself that you haven't taken chances with any of your own passwords.

Notice also that the attackers are focusing on the username admin, used in 90% of the login attempts, because it's the default WordPress administrative username.

A username shouldn't be considered a secret (that's what the password is for), but you can avoid unwanted attention from low-hanging-fruit attacks by choosing something other than the default, as WordPress founder Matt Mullenweg himself advises.

Matt's suggestions are pithy and clearly put, so I'll repeat them here; they make up good advice for any web service product, whether you're blogging, file sharing, or running a CMS:

Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using "admin" as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the "admin" username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell "solutions" to the problem).

Here’s what I would recommend: If you still use "admin" as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you're up-to-date on the latest version of WordPress. Do this and you'll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn't great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn't going to be great (they could try from a different IP a second for 24 hours).

There you have it.

Not being the low-hanging fruit isn't a generic solution to this problem, as it's a bit like outrunning your buddy when you are chased by a hungry lion: it saves you, but leaves someone else to take the hit.

But that is no reason not to move your fruit to higher branches.

Remember that if someone breaks into your server, that's bad for you, but it is also bad for everyone else.

It gives the crooks a free ride for hosting malware, launching further attacks, publishing phishing pages, disseminating fake updates or bogus information, and much more.

All with your imprimatur, and, in the end, with your services blocklisted by anyone who's security conscious.

Remember, password-guessing attacks of this sort happen all the time.

The attack volume in this case has been sufficient to attract global attention, which is a good thing, but it's currently thought to be only about three times the usual level.

In other words, even when "normal service" is resumed, we'll all still be firmly in the sights of the cybercriminals, so take this as a spur to action!

Image of Dictionary with magnifying glass courtesy of Shutterstock.


14 Responses to WordPress blogs and more under global attack - check your passwords now!

  1. htptc · 564 days ago

    Interesting...Thanks!

  2. whitedemonicaa · 563 days ago

    Could this be why I can't log in to my own self hosted wordpress?

    • Paul Ducklin · 562 days ago

      It could be, if the crooks got in and changed your password.

      If you'd made a decent password choice, then you could be having trouble logging in due to higher-than-usual load (caused by the password guessing attempts) but since the attack was only at 3x usual password guessing levels, it would probably just be slow or unreliable, not impossible, to login...

      (Sorry for the nebulous answer. Hard to know from out here...)

      • whitedemonicaa · 562 days ago

        Should have been a tad bit more specific, sorry there. See, when I try to log in my browser gives me a really weird error; it's not telling me I got the wrong password or anything, it just keeps giving me this:

        "Error Log Dump
        minoanpenman.com
        Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.
        End"

        And it's only when I DO try to login and it keeps me from accessing the site for about an hour.

  3. new-js · 563 days ago

    My wordpress is installed on Linux. Where would I check for incorrect logins? On the OS or within WordPress?
    Thanks

    • Paul Ducklin · 562 days ago

      It's actually worth checking WordPress *and* your system logs regularly, just in case.

      (As I mentioned in the article, I don't run WP but I do see a lot of password guessing attempts on SSH. Sadly, automated probes cost little or nothing, so you should assume that someone is rattling all the doorknobs you have...and all the doorknobs they think you might have...morning, noon and night.)
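As an added example (not code from the article, from Sophos, or from WordPress), here is one way to answer the question above from your own logs, and at the same time to see Matt's point about a 90,000-address botnet. A per-IP counter, which is all an IP-limiting plugin has to work with, catches a single crude guesser but stays silent when each bot only tries twice; a site-wide count of failed logins per five-minute window lights up instead. The access-log and auth.log lines are constructed, the IP addresses come from the RFC 5737 documentation ranges, and the script assumes a "combined"-format web-server log, a stock sshd auth.log, and the stock WordPress behaviour of answering a failed login by re-rendering the form (HTTP 200) and a successful one with a redirect (HTTP 302).

```python
"""Detect password guessing against wp-login.php (and sshd) from log lines.

Added example, not code from the article.  All log lines below are
constructed; the IP addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line.  The POST body (the username and
# password tried) is never logged, so detection rests on the request pattern.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) ')
# sshd failure lines as written to /var/log/auth.log.
SSHD_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def failed_wp_logins(lines):
    """Yield (ip, timestamp) for every failed login submission.

    Assumption: a stock WordPress answers a failed login by re-rendering the
    form (200) and a successful one with a redirect (302).
    """
    for line in lines:
        m = ACCESS_RE.match(line)
        if (m and m['method'] == 'POST' and m['path'].startswith('/wp-login.php')
                and m['status'] != '302'):
            yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')


def per_ip_offenders(events, threshold):
    """What an IP-limiting plugin sees: sources with at least `threshold` failures."""
    return {ip for ip, n in Counter(ip for ip, _ in events).items() if n >= threshold}


def peak_in_window(events, window):
    """What the site as a whole sees: the busiest `window` by failures and by distinct IPs."""
    events = sorted(events, key=lambda e: e[1])
    peak_attempts = peak_ips = start = 0
    for end, (_, ts) in enumerate(events):
        while events[start][1] < ts - window:   # slide the window forward
            start += 1
        chunk = events[start:end + 1]
        peak_attempts = max(peak_attempts, len(chunk))
        peak_ips = max(peak_ips, len({ip for ip, _ in chunk}))
    return peak_attempts, peak_ips


def classify(lines, per_ip_threshold=10, window=timedelta(minutes=5), site_threshold=50):
    """Compare the per-IP view with the site-wide view of the same log."""
    events = list(failed_wp_logins(lines))
    offenders = per_ip_offenders(events, per_ip_threshold)
    attempts, ips = peak_in_window(events, window)
    return {'per_ip_offenders': sorted(offenders), 'peak_attempts': attempts,
            'peak_distinct_ips': ips, 'throttling_catches_it': bool(offenders),
            'site_wide_alarm': attempts >= site_threshold}


def sshd_failures(lines):
    """The system-log side of the same check: failed sshd passwords per username."""
    return Counter(m['user'] for m in map(SSHD_RE.search, lines) if m)


# ---- constructed sample logs (not real traffic) -------------------------------
T0 = datetime(2013, 4, 12, 10, 0, tzinfo=timezone.utc)


def access_line(ip, when, method='POST', path='/wp-login.php', status=200):
    stamp = when.strftime('%d/%b/%Y:%H:%M:%S +0000')
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 3425 "-" "Mozilla/5.0"'


def background():
    """Ordinary traffic, including one genuine login (the 302)."""
    return [access_line('192.0.2.10', T0 + timedelta(seconds=5), 'GET', '/'),
            access_line('192.0.2.10', T0 + timedelta(seconds=50), 'GET'),
            access_line('192.0.2.10', T0 + timedelta(seconds=60), status=302)]


def single_source_log():
    """One crude guesser: 30 failures from a single address in five minutes."""
    return background() + [access_line('198.51.100.7', T0 + timedelta(seconds=10 * i))
                           for i in range(30)]


def botnet_log():
    """Sixty bots, two guesses each: 120 failures, none above a per-IP limit."""
    lines = background()
    for k in range(60):
        for offset in (2 * k, 2 * k + 150):
            lines.append(access_line(f'203.0.113.{k + 1}', T0 + timedelta(seconds=offset)))
    return lines


AUTH_LOG = [  # constructed /var/log/auth.log extract
    'Apr 12 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2',
    'Apr 12 10:00:03 host sshd[2001]: Failed password for root from 203.0.113.9 port 40122 ssh2',
    'Apr 12 10:00:07 host sshd[2005]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2',
    'Apr 12 10:00:09 host sshd[2008]: Failed password for invalid user admin from 198.51.100.3 port 22011 ssh2',
]

if __name__ == '__main__':
    for name, log in (('single source', single_source_log()), ('botnet', botnet_log())):
        print(name, classify(log))
    print('sshd', sshd_failures(AUTH_LOG))
```

Against the single-source log the per-IP view names the offender and the site-wide alarm stays quiet; against the botnet log the per-IP view finds nobody (every bot is under the limit) while the five-minute window shows 120 failures from 60 addresses. On a real server, feed `classify()` the lines of your access log and `sshd_failures()` the lines of your auth.log; the thresholds are starting points to tune against your own normal traffic.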

  4. Jacobian · 563 days ago

    Just use the plugin wp-better security to disguise the login form, and blacklist any IP that has too many 404s. This is a good security measure.

    • Paul Ducklin · 562 days ago

      I'd start with a decent password, though :-)

      Problem with a remote admin login screen is that it is supposed to be accessible from outside, so disguising it (like changing the administrative username away from "admin") only gets you so far.

  5. It's hackers trying to get in to set up Bitcoin miners on your computers.

  6. Jon · 562 days ago

    I have my own dedicated server hosting my WordPress sites. I'm protected against this kind of thing because, long ago, I set up an Apache pre include block. If anyone tries to access my wp-admin folder or the wp-login.php page, it fails with a 403 error. This does use some of my server's Apache resources, but it doesn't involve PHP whatsoever, so it's really a great solution. My own personal IP addresses are whitelisted in the same block, so I of course can access any of my WP dashboards.

    If my IP addresses change, I just have to edit the Apache pre include block and restart Apache.

    You can also do something similar with .htaccess if you're on shared hosting, or don't have access to edit Apache at the server level.
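An added example (not Jon's configuration, and not part of the article) of the Apache-level block he describes, written in Apache 2.4 syntax. The document root and the whitelisted addresses are assumptions to replace with your own. One caveat a practitioner will want: wp-admin/admin-ajax.php is requested by front-end themes and plugins on behalf of anonymous visitors, so it needs an exception or those features break.

```apache
# Added example, not Jon's configuration.  Refuse the WordPress login surface
# to everyone but known addresses, with a 403 served before PHP ever runs.
# Apache 2.4 syntax; on 2.2 the equivalent is
#   Order deny,allow / Deny from all / Allow from <addresses>
# The document root and addresses below are assumptions; use your own.

<Files "wp-login.php">
    Require ip 192.0.2.10 198.51.100.0/24
</Files>

<Directory "/var/www/html/wp-admin">
    Require ip 192.0.2.10 198.51.100.0/24

    # Front-end themes and plugins call admin-ajax.php for ordinary visitors,
    # so it must stay reachable; this nested section overrides the rule above.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>
```

On shared hosting, where the server configuration is out of reach, the `<Files "wp-login.php">` block goes into the .htaccess in the WordPress root and the wp-admin rules into a .htaccess inside the wp-admin directory itself (without the `<Directory>` wrapper, which .htaccess does not allow). As in Jon's setup, a change of home IP address means editing the list; the whitelist approach only works when your own addresses are stable or fall within a range you can name.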

  7. Jim S. · 562 days ago

    Very timely and straight-forward article!

    Thanks!

    I would heavily suggest that adding a "captcha check" to the "log-in" screen become an available, built-in option. This feature is something sorely lacking, and a good captcha checker (or something just as effective) could easily cut down a lot of this nonsense! As it stands now, it seems the only way to have that feature is by installing yet another "plug-in".

    Seriously, I think there are certain features that would do very well for WordPress users, if only they were a part of the installation.

    - Just my "two cents".

    - Jim.

  8. Rory · 562 days ago

    Go vBulletin and save yourself from all this hassle. I've a vBulletin forum and I do see attempts made at user accounts, like who doesn't. But vBulletin is a lot stronger and far more secure.

  9. Much useful info. Well, it's better to take all the precautions, like keeping a strong password and changing it from time to time, and using a security plugin like wp better security, etc. Tweeted!

  10. Zach Smith · 490 days ago

    great post - subscribing to rss now :)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog