The Brute-Force Password Attack on WordPress Sites

My mother emailed me and asked if WordPress was under attack. With all the news of last week’s attack of the Boston Marathon, the attacks on WordPress and other PHP-based web publishing sites was low on the priority list for myself and others, but this is something to take seriously. As we get back to some form of normalcy in this trigger-happy, frighting world we live in physically and virtually, it’s time to address this issue of brute-force attacks on WordPress sites.

Here is what you need to know right off the top.

• WordPress is safe.
• The brute-force login attacks are not aimed specifically at WordPress. Reports are that Joomla, Drupal, and other publishing platforms are also being attacked.
• The attack is directed specifically at logins, making use of vulnerable usernames and passwords.
• To ensure your site’s security, make sure all usernames and passwords are alphanumeric and complex enough not to be guessed easily.
• Do not share your username and password with anyone, even those you trust. Use your best judgement. Be cautious to the point of paranoia when accessing your site on shared or public networks and computers.
• Check that all WordPress sites, Plugins, and Themes are up-to-date with the latest stable release of WordPress. No excuses.
• If you or a client cannot log into a site or report an error when trying to log in, contact the web host immediately. Some web hosts have locked down direct access to the WordPress login file to protect customers until more information and a resolution can be found to strengthen login protection on their servers.
• If you are on WordPress.com, your site is secure, however your password may not be. WordPress.com forced new users to choose a unique username several years ago, and their sign-in encourages strong passwords, but it is up to you to make sure your password is strong enough.

How to Protect Your WordPress Site

All web-based sites with logins are vulnerable, not just WordPress. Here are the tips you need to know to help you secure your WordPress site.

An article on the WordPress Codex, the online manual for WordPress Users, called “Brute Force Attacks” spells out what you can do from the simple to complex to protect your site from such attacks in the future. Here is a summary:

• Don’t use “admin” as your username.
• Create a strong password that is longer than 8 characters and includes an alphanumeric combination with symbols (Don’t use “admin” as your username.
• Create a strong password that is longer than 8 characters (12 is better) and includes an alphanumeric combination with symbols (!@#$%^&*).
• Use a Two-Step Authentication feature on WordPress. If you are on WordPress.com, turn on this verification feature by going to the Administration Panels > Security and using the new wizard that will step you through the process. Self-hosted sites may use the Google Authenticator WordPress Plugin. This requires a smartphone or phone with SMS text messaging. (Note: The goal is to add this feature to the JetPack WordPress Plugin in the future.)
• Consider a WordPress Plugin that further protects your site from login abuse.
• Protect your server based upon recommendations by your web host (as not to duplicate or contradict their efforts) with scripts and additional password layers (not for the non-coder).
• Check the file permissions of all the files and directories on your server to ensure the file permissions are set properly and no file is exposed inappropriately.
• Consider a WordPress Plugin that further protects your site from login abuse.
• Protect your server based upon recommendations by your web host (as not to duplicate or contradict their efforts) with scripts and additional password layers (not for the non-coder).
• Check the file permissions of all the files and directories on your server to ensure the file permissions are set properly and no file is exposed inappropriately.
• This is not a “new” attack as in this type of attack has been tried before. The difference is that this is now and the attack is more concentrated and wide-spread.

In addition to that article, I recommend “Hardening WordPress” on the Codex to help you understand more about the security issues in and around WordPress, especially for web designers and developers.

An article by noted WordPress expert and author, Morten Rand-Hendricksen, stated that while the default login for self-hosted installations of WordPress continue to set the default user name as “admin,” moves are afoot to change this permanently to let users set a unique username to encourage greater security.

If you installed WordPress a while ago, go right now and change your username. Tell your friends, neighbors, co-workers, and online buddies to do the same. Let not a risky username or password put your site at risk.

Without a doubt, the biggest security risk to your site is you. Doesn’t matter if your site is on WordPress, Drupal, Joomla, Blogspot, or another publishing platform. In “WordPress – Understanding its True Vulnerability,” Tony Perez of Sucuri Security Blog described it beautifully:

The WordPress core development team and review process has matured tremendously over the years, such that they deserve accolades for their ability to push timely patches when security issues are identified. Although inefficiencies still exist in a number of areas, the greater issue we want to focus on is the end-user responsibilities.

Why so many infected WordPress sites then?

Today what we find is that no longer is the application the true cause, the paradigm has shifted, and now the end-user is often the vulnerability.

We are in the age of websites for all, for a low yearly fee of $34.99, and easy hosting plans starting at $5.99 a month. It is no longer necessary to hire development firms to offer overqualified resources to apply updates and make content changes. Pffff, I can do that myself. What is an update anyway?

Unfortunately, as sarcastic as that may sound, it’s the sad truth. Everyday we fight malware, Monday – Sunday, midnight to midnight, and the trend is getting stronger. End-users are sloppy, everyone is anxiously jumping at the opportunity to use an application like WordPress for their blogging and website needs, with little regard to the dangers of the interwebs. When a hack occurs, as is human nature, the first thing is to look at everything but the yourself, in this case WordPress.

…What most website owners do not understand is that what makes WordPress so useful and cost-effective is also its biggest weakness. WordPress is a highly extensible application that allows your average Joe to easily make changes, add features and manage content. This ease of use, while great, puts a tremendous amount of responsibility on the end-user, so much so that they are often the root of their own problem.

Thought of the day: The WordPress team is doing their part to ensure your security on the web, can you say the same thing?

It’s the truth. WordPress developers do everything they can to make WordPress easy to use. It’s up to you to take a moment to do the two most important things you can do to make WordPress secure: Create a defensible username and password.

I wrote about brute-force attacks on WordPress logins last year recommending to all to get serious about making your usernames and passwords stronger. A year later I’m singing the same song. Let’s hope that this time people listen.

The following are more articles with tips and techniques for improving the security of your WordPress site. Note that some of these are highly technical articles and some steps should not be taken without cooperation of your web host – who might appreciate your paranoia as it protects them as well as you.

• Selecting a Strong Password — Support — WordPress.com
• Passwords — Support — WordPress.com
• Greater Security with Two Step Authentication — Blog — WordPress.com
• How to Protect Your Blog with a Solid Password – Lorelle VanFossen on Blog Herald
• Resetting Your Password « WordPress Codex
• Change your WordPress admin Username – DigiTalk Online
• How to Change your WordPress Username – WPBeginner
• Change Your Username — Support — WordPress.com
• WordPress › Support » Brute Force Attack WP Release Admin (Info on updating an older site in light of this attack)
• Stopping Brute-force Logins Against WordPress – Frameloss
• WordPress under attack: How to protect yourself | lynda.com blog | lynda.blog
• WordPress Brute Force Attacks: Protect Yourself Now – CodeGuard Blog
• Global WordPress Brute Force Flood | HostGator Web Hosting Blog | Gator Crossing
• Defending WordPress Logins from Brute Force Attacks – SpiderLabs Anterior
• Protecting Against WordPress Brute-Force Attacks | Sucuri Blog
• Ongoing WordPress Security Attacks, The Details and Solutions | iThemes
• WordPress ModSecurity Rules | Liquid Web Knowledge Base
• WordPress Login – Brute Force Attack « HostGator.com Support Portal
• Technokarak Explain – Brute Force Attack against WordPress Blogs – Technokarak.com
• Some Advice On Securing Your WordPress Site | Lifehacker Australia
• How to Protect Your WordPress Sites from Brute Force Attacks (1 Simple Step)
• About ModSecurity Collections and Limitting Requests – Web Security Blog at jwall.org

The Story Behind This Year’s Brute-Force Attacks

I first learned about the recent attacks on April 10, 2013, when my friend, Michael Hampton of Bad Behavior fame (the WordPress Plugin and other PHP-based publishing platforms add-on determined to prevent comment spam and evil) noted brute-force login attacks were increasing against WordPress sites:

Over the past day or so I’ve seen close to 1,000 brute force login attempts at my own WordPress sites originating from botnets. Other sites are being hit even harder.

…These attacks appear to be originating from two distinct botnets, each with its own distinguishing characteristics…In both cases, the attacks attempt random passwords and passwords with patterns such as qwertyuiop or 123123. If you have a password that might have such a pattern in it, you should change it immediately.

I hate to say this but I do so proudly. When it comes to evil doers on websites, especially WordPress, Michael Hampton is your go-to guy. I used the first test version of the Bad Behavior WordPress Plugin on my site many years ago, and continue to support and encourage it with my clients. Combined with Akismet, it creates a force to be reckoned with for protecting your site. According to Micheal’s tests, Bad Behavior is working to protect sites from this bot, stopping it at the gate before it can get through. He’s also working to contribute information on the source so the people behind this can be caught and hopefully prosecuted.

On April 12, Matt Mullenweg reassured everyone that updated WordPress sites were fine and protected from such attacks – protected as far as WordPress can go as usernames and passwords are the responsibility of the user. If the user has used a poor username choice such as “admin” and a password such as “password,” 123456789, or asdfghjkl (or another row of keys), their sites are vulnerable.

Right after Matt’s announcement, WordPress Support Forums moderator Mika Epstein posted a sticky post to the forums reporting on the brute-force attacks and login issues.

By April 11, the news was spreading, especially after reports of the attacks were announced on several web hosting sites and security services. Sucuri created “The WordPress Brute Force Attack Timeline” as they covered the story live, updating it as fast as they received updates and information.

In their early reports, Sucuri, a leading web security blog and service, reported on how to protect your WordPress site against these brute-force attacks. Their report is the most extensive and factual on this attack, and they have a long history of monitoring security issues with WordPress and other evil on the web.

Their initial report stated that the “the number of scans detected almost tripled from the old averages, increasing from around 30,000 scans per day to around 100,000 per day in April.” In their timeline, the corrected this, saying the numbers are larger than originally thought. By April 11, the number of scans increased 30x the average to one million, which they explain in charts called the WordPress Brute-Force 15 Day Distribution.

So yes, what started as a blip turned into a large-scale attack in a short 24 hour period. To undermine the scale of the attack would be a mistake, but to over speculate on intention is just as a grave a mistake. Fortunately, we do have more data on the IP ranges, usernames and passwords being used. For the most part it’s remained pretty consistent, that’s good to know as it makes some of the preventive techniques being discussed in various forums fairly effective.

The timeline of the brute-force attacks reveals the username distribution, the names used by the bot to force its way into site logins. The most popular usernames are admin, sysadmin, manager, adm, user, admin1, querty, rot, aaa, support, administrator, and test. The username “admin” was by far the most commonly tried, often successfully.

They also cited the passwords used, common passwords such as “password” and “123456” and variations thereof. Surprisingly (or not), the most common password was “admin,” revealing how little people often think before choosing a password.

Sucuri’s article also cited an October 2012 issue when WordPress.com disclosed that about 50,000 sites were compromised during a similar attack, mentioned by Matt in his recent blog, which caused WordPress.com to step up their login security methods.

Indeed, InformationWeek’s Security column reported on a group targeting US bank sites in December 2012 with a similar brute-force attack against all PHP/Web apps and platforms including Joomla and WordPress. The intent of these attacks on already attacked, vulnerable, and unmaintained sites were to gain a “foothold” on the server to install “attack toolkits” in order to deploy further attacks, reaching out in multiple directions, using what data and access they could find.

The group that began targeting U.S. bank websites in September launched their large-scale, distributed denial-of-service (DDoS) attacks via a number of PHP-based websites that they’d previously exploited.

That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads.

…The scale of those DDoS attacks disrupted the websites of leading Wall Street firms, including Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. That was despite the attackers previewing which sites would be attacked, as well as the date and time their attacks would commence.

HostGator, one of the most popular web hosting companies, described the attack as:

…an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.

Liquid Web and other web hosts pointed to a powerful script by Frameloss to block such attacks with a Modsecurity script created in 2011 to thwart similar attacks, proving that this type of attack isn’t new. Many web hosting services are just now paying more attention to such attacks.

As of April 15, 2013, the US-CERT (United States Computer Emergency Readiness Team) announced the targeting of WordPress by the “mass brute-force botnet attack, warning all hosting providers to take action to protect their customers’ sites. Like many US government agencies, the report is incomplete and intimidating by its lack of important information, however it does provide links to government resources for best practices and risks all web designers, developers, and administrators should know.

Discussion about the brute-force bot attacks were flowing freely around the web on social media and technology sites until the Boston Marathon attacks last week. Reddit had several discussions on the brute-force attack involving WordPress and Joomla. You can catch up with the discussions on “Major brute force attack against WordPress underway,” “Happening now – Brute force attack on WordPress and Joomla powered sites,” and “Mass WordPress Brute Force Attacks? – Myth or Reality,” among others. Note that some of these discussions are “blacked out” as part of the stand against the Cyper Intelligence Sharing and Protection Act bill in the US House of Representatives.

More information and news on the brute-force password attacks include:

• Mass WordPress Brute Force Attacks? – Myth or Reality | Sucuri Blog
• When Good Plugins Go Bad – SEO Spam on Joomla Websites | Sucuri Blog
• WordPress Plugin Social Media Widget Hiding Spam – Remove it now | Sucuri Blog
• WordPress, Joomla Sites Under Brute-Force Password Attack
• Check your security settings: Brute force attacks against WordPress and Joomla sites have tripled – The Next Web
• Hackers Using Brute-Force Attacks to Harvest WordPress Sites | Threatpost
• Mass WordPress Attacks Spread, Brute-Forcing Admin Passwords
• WordPress accounts are under botnet attack – Technology on NBCNews.com
• WordPress Sites Targeted by Mass Brute-force Botnet Attack : netsec
• WordPress attack highlights 30 million targets | ZDNet
• WordPress hit by massive botnet: Worse to come, experts warn | ZDNet
• Brute Force Attacks Build WordPress Botnet — Krebs on Security
• Brute Force Attack Targets WordPress Sites With Default Admin Username | Lifehacker Australia
• WordPress Under Attack: How To Avoid The Coming Botnet – Forbes
• Hackers Point Large Botnet At WordPress Sites To Steal Admin Passwords
• WordPress Says Reports Of Brute Force Attacks Are Exaggerated
• Global Brute Force Attack on All WordPress Blogs
• Massive Brute-force attack Targets WordPress sites worldwide | Hacker News | Security | Technology
• Brute force attack on WordPress and Joomla powered sites – Melbourne Server Hosting

Why? Why Attack Site Logins?

The first thing people blame in situations like this is WordPress. Just as banks and financial institutions, government sites, and others have been attacked in the past, WordPress is not exclusive to this brute-force attack. Any site with a weak access and login is vulnerable.

Why focus on WordPress?

While the actual numbers are hard to determine, Matt Mullenweg told the Wall Street Journal last year that 1 in 6 websites globally are on WordPress, and estimates are that in the United States, 1 in 4 are on WordPress, and many of these sites have not been updated, putting them at risk from more than just this attacking bot.

With so many individuals, businesses, and governments on WordPress, “WordPress is becoming more like Microsoft – a target,” a WordPress friend said, asking not to be identified. This doesn’t mean WordPress isn’t vulnerable. It means that WordPress isn’t always the only thing in the blame game, a game I find fascinating as people struggle to come to terms with things outside their control.

Liquid Web, a managed web hosting service, announced the brute-force login attacks to their customers on April 11 explaining why WordPress was a target, even though other publishing platforms were also being attacked:

WordPress is a popular publishing platform which is known for its robust features, numerous templates, and large support community. Unfortunately, due to such popularity, WordPress is also constantly subject to attempts at exploiting vulnerabilities.

Joomla and others are being attacked. With WordPress so popular and many web hosts now basing their business on hosting WordPress sites, it’s just easier, and good marketing, to call this a “WordPress brute-force attack.”

Web hosts around the globe are “rolling out patches” and taking steps to protect their servers and their customer sites, becoming the “good guys” in this scenario. Attacks like this have been around for a couple of years and solutions to prevent them have also been around and easy to implement.

Don’t be fooled. This is an attack on every PHP-based website.

With all of the focus on WordPress, I fear web hosts and the media is not getting the word out to Joomla, Drupal, and other publishing platform users that their sites may be vulnerable as well.

If your site is on Joomla or another publishing platform, ensure your web host has taken steps to protect it unless you can do so yourself. Change your username and password while you are at it, and tell a friend.

As Matt Mullenweg described so eloquently:

Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).

To be fair, the third-party programs, apps, applications, systems, and platforms that support WordPress are also vulnerable, often not making front page news. Earlier this month, an attack against tens of thousands of websites hosted on Apache server-based machines were attacked with reports of 20,000 websites infested by the “Darkleech” malware exploitation. PHP, JavaScript, and other supporting code are often targets of attacks. WordPress developers and friends work overtime to ensure that WordPress is as protected as possible from these back door access points, but they can only do so much when WordPress is bypassed and the attack is directly at the server or something that has nothing directly to do with WordPress.

Which begs the question: Do you trust your web host to protect your site?

The responsibilities of web hosting services has changed, and will change even more in the future as the onus is now on them to maintain, update, and protect their customers’ sites from such attacks. In the old days, web hosts left such updates and protect to the customer as the customer was usually the web designer and developer, supposedly someone with experience to know how to protect and secure a website. Now that the customer is a next door neighbor, someone not qualified to know the difference between .htaccess file and JavaScript. The responsibility for protecting your site and their servers must be the duty of a good web host. We hope.

Tony Perez and the Sucuri team dug deeper into the why with a good look at the reasons and consequences of these brute-force attacks, moving past the idea that this was exclusively targeted at WordPress sites. In the bank and financial institution attacks a few months ago, the hackers wanted to disrupt services, make a mess and find a way to slip in and possibly access account information. While common, everyday websites usually don’t carry personal and private information someone could use for gain, if the hack leads to access to servers, networks, and home and company computer systems, the door is open to more than just login information data collection.

Perez monitored many online discussions trying to identify the purpose of such attacks and finding few clues. “Because they can” is often heard, as well as thoughts that this is just a practice run for global and government take-downs and disruptions, global conspiracy and cyber-terrorism plans in the works. Perez tries to make sense of it all:

There are many things that can be done once access is gained, the creation and distribution of a large botnet is but one of them. In our experience these are the two things we know happens, in many cases, once an environment is compromised…

Once the attacker does gain access they have to figure out what to do. Do they wait? Do they inject a shell? Do they create new accounts? What kind of malicious payload do they add to the site? Do they want to sell access to the site? These are but a few thoughts running through their heads. Each one though will dictate a different approach and infection unfortunately.

…What this also tells us is that the creation of a large botnet for a similar DDoS attack, while plausible, is one of many various scenarios. The reality being that no-one really knows the objective, except for the attacker[s]. Is there an end-game? Isn’t there always? Will it be nefarious? Yeah, of course, but there are just too many possible scenarios at this point.

The one thing that is probably more realistic than anything else is the shear value that this data will have in the underground. Imagine a new updated wordlist, not only with the latest usernames and passwords, but the website link itself.

Can I get a cha’ching? But again, only speculation…

Whoever said information is money was right. While the information seems useless when examined in the micro, consider what all this information means in the big picture scale of things. While these attackers may just be people with too much time on their hands, doing evil because they’ve nothing better to do, the odds are that this is just the start of something bigger. Only time will tell.

In the meantime, start by making your site more secure by updating it and ensuring your password and username are more than the word “admin.”

Related Articles

• I Hate My Web Host
• WordPress Security Prevention, Reactions, and Scares
• Old WordPress Versions Under Attack
• Malware Found in WordPress Theme – Protect Yourself Now
• Is Your WordPress Blog at Risk from the Epsilon Email Theft?
• Security and Protection: Understand the Social in a Crime Network and How to Protect Yourself
• Defying Brute Force Attacks on WordPress Logins
• WordPress Stats and Numbers: Breaking Their Own Records
• What You Most Need to Know About WordPress
• Update WordPress Now: Reuters Hacked
• WordPress Anniversary: WordPress and Evil
• How to Keep WordPress Secure
• Placing Blame Where Blame Deserves to Be Placed | The Blog Herald

---

Subscribe Via Feedburner Subscribe by Email

Copyright Lorelle VanFossen.