A brute force attack started last week and is targeting WordPress installations around the globe. The attack is not only performed by a few hosts but by a network of over 90,000 IP addresses.
A brute force attack is a method to gain login information. In this type of attack, discretion and efficiency plays no role at all. It involves going through a sequential search for login information. Through all these login attempts, the attack also increases the resource usage of the website. Once the login information have been acquired, a backdoor is usually installed and the host is then used as one more point from which brute force attacks can be carried out (the backdoor lets the attackers control the site remotely). Sometimes the backdoor is kept in there for a while without any other noticeable activities waiting for a larger attack to be launched.
In this concrete case, the attackers try to gain access using the default WordPress administrator account “admin” and try thousands of passwords. CloudFlare and HostGator reported a large scale attack. ClouFlare claims to have blocked 60 million requests just in an hour.
If you have a WordPress site, I’d suggest to:
- make sure both you Operating System and WordPress installations are up-to-date.
- not use “admin” as you administrator user name. Both the username and the password protect your site. If an attacker can easily find the username (because it’s ‘admin’ or ‘root’), then half the job is already done.
- make sure the password is strong enough.
Additional security measures can include:
- use some a Content Delivery Network with built-in security (like CloudFlare) or a security proxy (like Sucuri).
- use Two-Factor Authentication.
- limit the IP addresses which can access the login page.