WordPress sites have been under an escalated botnet-based brute force attack since late last week. Brute force attacks are quite common against most popular CMSs, and using the default admin user name with a weak password will get your site hacked. It is obviously not a matter of if you will get hacked, it is a matter of when, if you continue to use the default admin account combined with a weak password.
Using the admin default user name with a weak password will get your site hacked
Matt Mullenweg recommends:
If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.
Brian Krebs wrote a highly-detailed report of how these brute force attacks are going down
Internet security journalist Brian Krebs wrote a highly-detailed report of how these brute force attacks are going down, over at KrebsOnSecurity.
Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).
WordPress Ongoing Brute Force Attacks
TechCrunch states that this attack is similar to a 2012 WordPress attack that was scripted to look for outdated versions of TimThumb. I do not see the similarity between TimThumb and the current brute force attack. Perhaps TechCrunch was using a metaphor for the TimThumb attack since it was well organized and well distributed. Or, perhaps they meant that this attack is gearing up for something far more sinister in the near future (injecting back doors).
Main culprits that I have observed on my blogs
18.104.22.168 hostname: 184-82-29-169.superslickydeals.com [letmein; passw0rd; welcome; test; secret; 123123; pass; 123456; qwerty; password; internet; hello; 111111; ninja]
22.214.171.124 hostname: 126.96.36.199.dynamic.ttnet.com.tr [admin; admin123; 12345; 123456; 123456789]
188.8.131.52 hostname: 184.108.40.206.triolan.net [admin; admin123; password; 123456; 12345678]
220.127.116.11 hostname: N/A (Turkey) [admin; admin123]
18.104.22.168 hostname: N/A (Russian Federation) [ongoing brute force attacks since December 2012 – range = 22.214.171.124 – 126.96.36.199]
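As an added illustration, not part of the original post, of how sources like the ones listed above show up in a site's own web server logs: this Python script counts POST requests to wp-login.php per client address in a combined-format access log and flags any address that exceeds a threshold inside a sliding time window. The log field layout, the threshold, the window and the sample log lines are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line for a POST to wp-login.php (assumed layout;
# the original post shows no log lines). Failed WordPress logins
# normally re-render the form with HTTP 200, successful ones redirect (302).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_posts(lines):
    """Yield (ip, timestamp, status) for every POST to wp-login.php."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_attempts} for every IP that sends more than
    `threshold` login POSTs within any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ip, ts, _status in parse_login_posts(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample log: six rapid guesses from one address (all 200 = failed),
# one normal login (302) from another, and a GET that must be ignored.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Apr/2013:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'
    for s in range(1, 7)
] + [
    '198.51.100.7 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:10:00:59 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_brute_forcers(SAMPLE_LOG))  # → {'203.0.113.5': 6}
```

The flagged addresses are candidates for rate limiting or blocking at the web server or firewall; the threshold and window should be tuned to the site's real login traffic.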
At the time of this writing, the motive behind the current attack is purely speculative and unknown. If you run a self-hosted WordPress site, following many of these recommendations will harden your installation against known attacks.
Update: 4/15/2013 – US-CERT jumps on the bandwagon and issues a warning. Better late than never, I guess…