A massive series of brute force attacks on WordPress sites began early Saturday and is still ongoing. The attacks come from a massive botnet (a network of infected computers) that is trying to crack administrative accounts in order to plant a virus that gives attackers complete control of a site, even if the password is changed. Massive botnets are a pain because they are not easy to tackle. The botnet has enough power to test up to 2 billion passwords per hour. CloudFlare, a content delivery network, blocked about 60 million requests to its customers’ sites running WordPress. In this case it is vital to have safe WordPress themes that don’t contain viruses, like the ones at Template Monster.
The coordinated attack is using over 100,000 different IP addresses, making it extremely difficult to block repeated requests from one single IP. This means the most basic security layer is rendered useless by this type of attack. Using so many different IP addresses also makes it extremely difficult to track down the origin of the attack.
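The following added example (not part of the original article) shows why a per-IP threshold misses this kind of attack while a site-wide count of failed logins catches it. It assumes a common/combined-format access log and that WordPress answers a failed login with status 200 and a successful one with 302; the function names, thresholds and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common/combined access-log prefix: ip, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, minute) for every failed wp-login.php POST."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?")[0]
        # Assumption: a failed login re-renders the form (200); success redirects (302).
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], ts.replace(second=0)

def detect(lines, per_ip_limit=5, site_limit=30):
    """Return (IPs over the per-IP limit, {minute: (failures, distinct IPs)} over the site limit)."""
    per_minute = defaultdict(Counter)
    for ip, minute in failed_logins(lines):
        per_minute[minute][ip] += 1
    ip_alerts = sorted({ip for c in per_minute.values()
                        for ip, n in c.items() if n > per_ip_limit})
    site_alerts = {m: (sum(c.values()), len(c)) for m, c in per_minute.items()
                   if sum(c.values()) > site_limit}
    return ip_alerts, site_alerts

def sample_log():
    """Constructed log: 60 addresses with one failure each, one noisy address with 8."""
    fmt = '{ip} - - [01/Jan/2024:10:15:{s:02d} +0000] "{req} HTTP/1.1" {st} 3120'
    post, get = "POST /wp-login.php", "GET /wp-login.php"
    lines = [fmt.format(ip=f"203.0.113.{i}", s=i % 60, req=post, st=200) for i in range(1, 61)]
    lines += [fmt.format(ip="198.51.100.7", s=i, req=post, st=200) for i in range(8)]
    lines.append(fmt.format(ip="192.0.2.10", s=30, req=post, st=302))  # successful login
    lines.append(fmt.format(ip="192.0.2.10", s=31, req=get, st=200))   # page view only
    return lines

if __name__ == "__main__":
    ip_alerts, site_alerts = detect(sample_log())
    print("per-IP rule flags:", ip_alerts)
    for minute, (failures, sources) in site_alerts.items():
        print(f"site-wide rule flags {minute}: {failures} failures from {sources} addresses")
```

On the constructed log, the per-IP rule flags only the single noisy address, while the site-wide rule flags the whole minute, including the 60 addresses that each stayed under the per-IP limit.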
It is recommended that WordPress users replace their passwords with longer, stronger ones containing letters, numbers, and symbols. There are also extensions that WordPress users can install to enable two-step verification, meaning users will have to enter a randomly generated code to access their account.
Matt Mullenweg, the creator of WordPress, has released a statement telling users to create a custom administrator name instead of leaving it as the default “admin.” He also recommends that users create stronger passwords and enable two-factor authentication on WordPress.com sites. Of course, WordPress users should upgrade to the latest version to ensure they get the most up-to-date security patches.
While there is no obvious motivation behind the attacks, Matthew Prince, the CEO of CloudFlare, speculates that the attackers could be trying to add web servers to their massive botnet. Web servers are typically much more powerful than consumer computers, making them a potent tool for launching large distributed denial of service attacks, which have the potential to take down websites by flooding servers with fake visitor requests.
We are sure that this will happen again in the near future, so stay tuned.