WordPress Hack: How to Avoid Becoming Part of the 'Botnet'

If you have a WordPress website, then chances are you’ve already heard of the giant botnet brute-force attack that has been plaguing the internet since Thursday. WordPress has come under attack from around 100,000 different bots using some 90,000 IP addresses as they attempt to gain access to users’ WordPress sites.

The bots are targeting users who kept ‘admin’ as their default username. If this describes you, change your password and username now. WordPress creator Matt Mullenweg commented on his blog about the attack on April 12: “Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).”

The attack consists of persistent attempts to log in as the 'admin' user.

That means that if you’ve only installed a plug-in that limits the number of times one IP address can attempt to log in to your WP account, that’s probably not enough given the scale of the attack. If you look at the picture above, you can see that IP limiting plug-ins do successfully lock out the bots they see; the problem is that the botnet has far more addresses than any single lockout covers. The attack was identified by large hosting and infrastructure providers like CloudFlare and HostGator, who noticed it on April 11. The attack has slowed down WP servers and has caused some users to become locked out of their accounts.

Why would anyone be interested in this kind of attack? 

TechCrunch and Forbes suggest that the ultimate goal of taking over WP accounts is to gain access to the powerful servers behind WP sites, which are significantly more powerful than anything a home computer is capable of. That would make future DDoS (distributed denial-of-service) attacks far more powerful. There are over 64 million websites currently using WP; once you appreciate how widespread WP is, you begin to understand the significance of this attack.

What would a “botnet” even be capable of? 

Back in October 2012, six of the largest US banks underwent a sustained DDoS attack that overwhelmed the banks’ websites, despite the fact that the financial institutions had been given the exact date and time the attack would take place. It was a way for those responsible for the attack to say, "There's nothing you can do to prevent this from happening." That October attack used a toolkit called “itsoknoproblembro”, which allows a smaller number of host computers to be used. It creates a two-tier command structure that bombards servers with high-bandwidth attacks simultaneously, which renders even the most sophisticated networks useless. At the height of the brobot attack, 70 Gbps of data were being transferred. To put that in perspective, most government websites allow for up to 10 Gbps. If my website is being bombarded with that kind of packet flow and it can only handle 10 Gbps of data, my website is going down. This has the potential to impact financial and governmental institutions as well as presenting obvious problems for network infrastructure.

What can you do to prevent your account from being compromised? 

Change your username to something unique. Change your password and make it strong.

Install a login-limiting plug-in.

Turn on two-step authentication.

Seriously, update your WordPress (in fact, update all of your plug-ins).
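As an added illustration of why per-IP login limiting alone is not enough (this is example code, not from the article or from WordPress): the check below parses constructed web-server access log lines, compares what a per-IP limiter would block against the site-wide count of login POSTs, and flags POSTs that the server answered with a 302 redirect, which is how WordPress responds to a successful login. The log format, thresholds and sample addresses are assumptions.

```python
# Added example (not from the article): spot a distributed brute-force
# against wp-login.php in web-server access logs. A login-limiting plug-in
# counts failures per source IP; a botnet spread over many addresses stays
# under that limit, so we also count site-wide and flag 302s (successes).
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Constructed sample: seven POSTs from seven addresses, one ordinary GET,
# and one of the POSTs succeeded (302).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
203.0.113.11 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
198.51.100.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
198.51.100.8 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
192.0.2.44 - - [12/Apr/2013:10:00:03 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8812
192.0.2.45 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
192.0.2.46 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
192.0.2.99 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def login_posts(lines):
    """Return (Counter of ip -> POSTs to /wp-login.php, ips that got a 302)."""
    counts, successes = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "POST" or not m.group(3).startswith("/wp-login.php"):
            continue
        ip, status = m.group(1), m.group(4)
        counts[ip] += 1
        if status == "302":
            successes.append(ip)
    return counts, successes

def assess(lines, per_ip_limit=5, site_limit=5):
    """Per-IP blocking (what a plug-in does) versus a site-wide threshold."""
    counts, successes = login_posts(lines)
    total = sum(counts.values())
    return {
        "total_attempts": total,
        "distinct_ips": len(counts),
        "blocked_by_per_ip_limit": sorted(ip for ip, n in counts.items() if n >= per_ip_limit),
        "site_wide_alert": total >= site_limit,
        "successful_logins_from": successes,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_LOG.splitlines()))
```

On the sample, no address reaches the per-IP limit, yet the site-wide count trips the alert and one address is reported as having logged in successfully.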

You can guarantee that these kinds of attacks will continue and that they will become more sophisticated. So, for the love of everything that is sacred and holy, make sure to update your CMS regularly and change your passwords.

Andrea Ayres-Deets

PM Politics Intern. M.A. in Writing from the University of Warwick. Lover of sci-fi, awkward situations, and coffee.