WordPress Sites Take Brute Force Battering

WordPress says security firms are hyping tales of attacks

By Thomas Brewster

A botnet is battering WordPress sites with brute force attacks, but the CMS and blog provider says the issue is being blown out of proportion by security vendors wanting to promote their wares.

Various hosting providers and security companies have warned about the attacks over the last few days, and it’s believed a botnet of over 90,000 bots is being used to guess passwords to WordPress, and some Joomla, websites.

WordPress is a prime target for hackers, largely because of its popularity. Often WordPress sites are hacked to serve up malicious content, so when people visit they get infected. This could rope them into a botnet and open their systems up for data theft.

WordPress battling brute force

The latest attack has been ongoing for at least a week, with HostGator, a major US hosting company, warning that little could be done to protect customers, especially those with servers running high numbers of WordPress installations.

“We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done,” it wrote on Thursday.

Melbourne Server Hosting, part of UK cloud computing company iomart Group, warned of the denial of service threat that came with the botnet strikes, noting it could “render your sites slow and in some cases, completely exhaust the resources available to your services causing a system crash”.

TechWeekEurope runs on WordPress and has not seen any slowdown, nor any breach.

Creator of WordPress, Matt Mullenweg, issued a curt response to the warnings, saying much of the fuss was being made by companies who “sell ‘solutions’ to the problem”.

Those companies included CloudFlare, which recently took some flak for allegedly overstating the threat to the global Internet of a 300Gbps DDoS on a single firm. This time it claimed to have patched the Internet in “real-time”, saying its free service would protect sites against these attacks.

Another company, Sucuri, chose to point out the “coincidence” that it had just released a product designed to repel brute force attacks.

“Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords,” Mullenweg said.

Mullenweg recommended using stronger passwords, turning on two-factor authentication, and ensuring the latest version of WordPress is being used.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem. Most other advice isn’t great – supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great,” he added.
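Mullenweg’s point that per-IP limiting is weak against a botnet of tens of thousands of addresses can be illustrated with a small log analysis. The following Python script is an added example, not code from the article, from WordPress or from any of the vendors named; it constructs its own login-failure log lines in a hypothetical plugin format (the `FAIL user=… ip=…` layout, the timestamps and all IP addresses are made up here, using documentation ranges) and compares what a per-IP throttle would block with what a per-account view, counting distinct source addresses, would surface.

```python
import re
from collections import Counter, defaultdict

# Constructed log line shape for a hypothetical WordPress login-logging plugin.
# Not a real plugin format; the example only needs timestamp, username and IP.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) FAIL user=(?P<user>\S+) ip=(?P<ip>\d+\.\d+\.\d+\.\d+)$'
)


def build_sample_log():
    """Return constructed log lines (not real data): a distributed botnet trying
    the 'admin' account from 60 source IPs, 3 attempts each, plus one legitimate
    user mistyping a password 6 times from a single IP."""
    lines = []
    for i in range(60):
        ip = f"198.51.100.{i + 1}"            # documentation range, constructed
        for j in range(3):
            lines.append(f"2013-04-12T10:{i:02d}:{j:02d}Z FAIL user=admin ip={ip}")
    for j in range(6):
        lines.append(f"2013-04-12T11:00:{j:02d}Z FAIL user=editor ip=203.0.113.7")
    return lines


def parse(lines):
    """Parse log lines into (user, ip) tuples, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def per_ip_blocks(events, threshold=5):
    """IPs that a per-IP throttle (lock out after `threshold` failures) would block.
    A botnet that spreads its guesses thinly never reaches the threshold."""
    counts = Counter(ip for _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_targets(events, min_ips=20, max_per_ip=4):
    """Usernames attacked from at least `min_ips` distinct addresses with no more
    than `max_per_ip` attempts per address on average: the pattern a per-IP
    limiter misses but a per-account view shows. Returns {user: stats}."""
    ips_by_user = defaultdict(set)
    attempts_by_user = Counter()
    for user, ip in events:
        ips_by_user[user].add(ip)
        attempts_by_user[user] += 1
    result = {}
    for user, ips in ips_by_user.items():
        total = attempts_by_user[user]
        if len(ips) >= min_ips and total / len(ips) <= max_per_ip:
            result[user] = {"distinct_ips": len(ips), "attempts": total}
    return result


def summarize(lines=None):
    """Run both views over the given lines (default: the constructed sample)."""
    events = parse(lines if lines is not None else build_sample_log())
    return {
        "blocked_by_ip_throttle": sorted(per_ip_blocks(events)),
        "distributed_targets": distributed_targets(events),
    }


if __name__ == "__main__":
    print(summarize())
```

On the constructed sample the per-IP throttle blocks only the single mistyping user, while the account-centric view flags `admin` as hit from 60 addresses with 180 attempts. That is the gap the article describes: a per-account signal (many distinct sources, low rate each) is what reveals a distributed guessing campaign, and the defences Mullenweg lists (a strong password and two-factor authentication) are the ones that hold regardless of how many addresses the guesses come from.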

Author: Thomas Brewster

Security Correspondent, TechWeekEurope

4 replies to WordPress Sites Take Brute Force Battering

  • On April 15, 2013 at 7:39 pm by Jeff Yablon

    Besides writing about this today ( http://answerguy.com/2013/04/15/hacking-wordpress-cms-content-management-security/ ), we happened to do a video on this subject just last week: http://answerguy.com/videopost/you-cant-build-a-web-site-in-one-hour-admin-security/ .

    It’s a real issue, but the truth is that it takes very, VERY little to protect against this kind of thing.

  • On April 26, 2013 at 4:55 am by Frank Steiner

    It’s more vital than in the past to defend WordPress websites, otherwise there’s the chance that they could even become used for criminal activities.

    I already had safety measures set up to circumvent brute force penetration, but after seeing more than 10.000 attempts to log on to my blog in recent days I made a decision that, regardless of whether they failed, it wouldn’t hurt to have even tighter security. Here are WordPress login security plugins I plan to use.

    As WordPress founder Matt suggests, choosing a strong password and ensuring that you have the most up-to-date version of WordPress is an adequate protection. The botnet is essentially guessing passwords, so when you have something which is simply not guessable you’ll be safe.

  • On April 27, 2013 at 1:34 pm by Thomas

    My WordPress site was hacked again and again, so I said enough, changed provider and set up WordPress again, only this time I put on hard security which is free from WordPress. The Chinese have had a visit; their IP was given to me in an email warning and I tracked it back to Beijing, but no damage and still working.

  • On August 5, 2013 at 7:11 am by AZ

    “300Gbps DDoS” can be lowered to 60Mbps by using redirecting mechanism in Securitron plugin for WordPress. http://www.b2beservices.com/files/Securitron_v1_0_1.zip
