If you have a WordPress website then chances are you’ve already heard of the giant botnet brute-force attack that’s been plaguing the internet since Thursday. WordPress has come under attack from around 100,000 different bots using some 90,000 IP addresses as they attempt to gain access to users WordPress sites.
The bots are targeting their attack to users who kept ‘admin’ as their default username. If this describes you, change your password and username now. The creator of WordPress Matt Mullenweg, commented over on his blog regarding the attack on April 12. “Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).”
The attack is persistent attempts to log-in as the 'admin' user.
That means if you’ve only installed a plug-in that limits the amount of times that one IP address can attempt to gain access to your WP account, that’s probably not enough due to the scope of the attack. If you look at the picture above, you can see that IP limiting plug-ins do successfully lock out the bots. The attack was identified by large hosting servers like CloudFlare and HostGator who noticed it on April 11. The attack has slowed down WP servers and has caused some members to become locked out of their account.
Why would anyone be interested in this kind of attack?
TechCrunch and Forbes suggest that the ultimate goal of taking over WP accounts is to gain access to the powerful WP servers. The servers WP uses are significantly more powerful than anything a home computer is capable of. This would make future DDoS (distributed denial-of-service) attacks exceptionally more powerful. There are over 64 million websites currently using WP. Once you understand how extensive WP sites are, you begin to understand the significance of this attack.
What would a “botnet” even be capable of?
Back in October of 2012 six of the largest US banks underwent a sustained DDoS attack which overwhelmed the banks websites. This is despite the fact that the financial institutions were given the exact date and time the attack would take place. It was a way for those responsible for the attack to say, "There's nothing you can do to prevent this from happening." That attack in October, utilized a toolkit called “itsoknoproblembro” which allows a smaller number of host computers to be used. It creates a two-tier command approach which bombards servers with high-bandwidth attacks simultaneously, which renders even the most sophisticated of networks useless. At the height of the brobot attack, 70 Gbps of data were being transferred. To put that in perspective, most government websites allow for up-to 10 Gbps to be transferred. If my website is being bombarded with that kind of packet flow and my website can only handle 10 Gbps of data, my website is going down. This has the potential to impact financial and governmental institutions as well as presenting obvious problems to network infrastructures.
What can you do to prevent your account from being compromised?
- Change your username to something unique. Change your password, make it strong.
- Install an login-limiting plug-in
- Turn on two-step authentication
- Seriously, update your WordPress (in fact, update all of your plug-ins)
You can guarantee that these kinds of attacks will continue and they will become more sophisticated. So for the love of everything that is sacred and holy, make sure to update your CMS regularly and change your passwords.