The open source WordPress system is the Internet’s most popular content management system (CMS), representing over 50 percent market share. The pervasiveness of WordPress also makes it an attractive target for attackers that have been hammering the system in a brute force attack for the past week.
In a brute force attack, the attacker randomly tries username/password combinations until one works. In the case of the ongoing attack against WordPress sites, the attackers are simply going after sites with the username “admin” and attempting to brute force the password.
Hosting Providers Fight Back
WordPress sites can be hosted on the WordPress.com site as a hosted service or in a self-hosted model via any web host. WordPress has broad adoption with shared hosting providers like GoDaddy and HostGator, among others.
For its part, GoDaddy commented in a support note that brute force attacks against its hosting infrastructure are nothing new. That said, GoDaddy added the current attack is large and very sophisticated. GoDaddy claimed that as of Friday, it had mitigated much of the attack, although customers could still be disrupted.
“Our Security team continues to identify these attacks, down to the IP address, and block anything that looks malicious,” GoDaddy stated. “Additionally, we’ve installed new features on every single one of our thousands of servers to block these bad actors more quickly.”
HostGator reported that it had seen over 90,000 IP addresses involved in the Brute Force attack.
“The symptoms of this attack are a very slow backend on your WordPress site or an inability to log in,” blogged HostGator supervisor Sean Valant. “We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done.”
Bigger Botnet in Store?
While the specific attacker motives of the current WordPress brute force attack are not known, there is some speculation that the purpose of the attack is to build a big botnet for a future attack.
“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” CloudFlare CEO Matthew Prince blogged. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”
The CloudFare network was recently hit by what was billed as the largest DDoS attack to ever hit the Internet.
There are a a number of things users can do to help mitigate the risk of the current round of WordPress brute force attacks.
Matt Mullenweg, creator of WordPress, suggests that WordPress administrators start by choosing a user name other than “admin” for the root control of their WordPress installation. Mullenweg also suggests the use of a strong password as detailed in a support note posted on the WordPress.com website.
Users of the WordPress.com hosted service now also have the option for two-factor authentication. WordPress is leveraging the Google Authentication two-factor technology to secure WordPress.com users. With two-factor authentication, a second password that is uniquely generated at specific time intervals is required to log into a site.
“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem,” Mullenweg blogged. “Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).”