WordPress sites targeted by mass brute-force attack

US-CERT has issued an alert regarding the ongoing massive brute-force attacks against WordPress sites, warning users and administrators to keep their installation always updated and to change the username and password for their WordPress accounts – especially if they kept the default “admin” username and use an easy-to-guess, commonly-used password.

The attacks started the week before last, but picked up in full force late last week, and the attackers are simply scanning the Web for WordPress installations, then trying out some 1,000 often-used combinations of login credentials.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” pointed out CloudFlare CEO Matthew Prince. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.”

According to the US-CERT alert, CloudFlare has had to block 60 million requests against its WordPress customers within one hour elapse time. “The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses,” they noted.

The general consensus is that the attack has been mounted to create a “super-botnet”, and currently the most likely scenario is that it will be used to execute massive DDoS attacks. If that’s true, not only are web hosting firms hurting now under the strain of the massive number of requests directed at potential targets, but will also be seriously affected when these zombie computers start attacking other targets.

“All hosting providers offering WordPress for web content management are potentially targets,” warns US-CERT. HostGator is warning users that their site could intermittently go down for short periods, or they could not be able to login due to the strain the attacks are putting on their network.

WordPress founder Matt Mullenweg’s advice to users is to change their username to something other than “admin”, to change their password to a stronger one, and to turn on the recently implemented two-factor authentication if they us a WordPress.com account.

“Common usernames and weak passwords are extremely risky online, however, the dangers are compounded if users re-use the same login credentials for other sites. Once the bad guys have cracked a username and password, it’s extremely common that they’ll attempt to use the same combination for additional sites in the attempt to fraudulently use accounts, or access information such as credit card details or corporate data,” Matt Middleton-Leal, UK & Ireland regional director at Cyber-Ark commented the situation for Help Net Security.