Over the past couple of weeks we've seen a huge increase in attacks on WordPress websites from automated bot-nets. The "brute-force" attack is ongoing and many hosting providers are having to put measures in place to mitigate any potential breaches.
What is a brute-force attack?
A brute-force attack is simply a method of repeatedly trying to guess username and password combinations.
You may think that this is a fruitless attempt, but it’s really not.
People are lazy when it comes to passwords.
I’ve worked professionally in IT for over 20 years now and I can tell you that some CIOs of companies I’ve worked with have had “password” as their password to their Windows account.
I remember having a conversation with one very senior board member of a multi-national financial services company, about his unforgivable poor choice of password.
He told me I was out of place for commenting on such matters, after all he was a board member and I was a low-level tech guy.
I suspended his account under the same policy we would use for any other employee not taking security seriously and risking a security breach.
Needless to say it caused a bit of a stink and cages were rattled but thankfully a company-wide security review was the final result. Happy days.
If you’ve had a chuckle about that, stop and have a think through all the passwords you use on the Internet.
How secure are they and when was the last time you changed them?
What are bot-nets?
Bot-nets are vast numbers of computers that have been compromised (hacked and taken control of) and that are used to coordinate huge attacks on other systems.
The current estimates for the size of the bot-net being used in this WordPress attack are around 90,000 machines.
Combine 90,000 computers trying to guess hundreds of password combinations every minute and you can see why we need to take this attack seriously.
Many computer users still don’t have any sort of firewall software installed and it is primarily these computers that are the victims of hackers looking to add them to their bot-net.
The type of software used to gain control of computers is very sophisticated and most of the time users will be completely unaware that their computer has been compromised and is being used in such a way.
A good firewall that is kept up-to-date must be your first defence against the bot-net hackers.
Why are WordPress websites being targeted?
It’s not only WordPress websites under attack. Joomla! sites have also reported an increase in attempted breaches.
WordPress powers over 17% of all websites in the interwebs and Joomla! over 3%.
Each WordPress and Joomla! website has a specific login URL so that’s a known entry point for the hackers to start their attack.
Also, prior to WordPress 3.x (and Joomla! 2.x) the systems used a default username in their setup scripts.
For WordPress this was Admin and for Joomla! Administrator.
It’s no surprise that these are the top username choices the brute-force attack is using – according to the report by security firm Sucuri.
Who is doing this and why?
None of the infamous hacking groups have put their hand up as being responsible for the WordPress website attacks as yet.
At this moment we simply do not know who is coordinating the attacks nor why.
Due to the method being used and the sheer number of websites being targeted it is unlikely that the hackers are after any information on a particular website.
It’s more likely that they are after the hosting space so that they can insert hidden micro-sites and malware for use in their nefarious schemes.
What can I do to secure my WordPress website against these attacks?
The best two things you can do to protect your WordPress website from being compromised by this current attack are:
- Make sure none of your usernames are Admin, Administrator, Test or Root
- Make sure you have a large, complex, unreadable password made up of upper and lower case letters, numbers and punctuation.
We recommend installing a firewall plugin such as WordFence.
Wordfence includes login-limiter settings that lock out an IP address after a set number of failed login attempts.
OSE Firewall doesn’t have this feature but you can install the Limit Login Attempts Reloaded plugin to provide the same functionality.
There are of course lots of other ways you can secure your WordPress website against hacking and we’ll cover that in a future post.
If you are an unfortunate victim of the current attack and have had your website compromised, we offer a hacked WordPress website restoration service to get your site back up and secure.