WordPress Sites Take Brute Force Battering

A botnet is battering WordPress sites with brute force attacks, but the CMS and blog provider says the issue is being blown out of proportion by security vendors wanting to promote their wares.

Various hosting providers and security companies have warned about the attacks over the last few days,  and it’s believed a botnet of over 90,000 bots is being used to guess passwords to WordPress, and some Joomla, websites.

WordPress is a prime target for hackers, largely because of its popularity. Often WordPress sites are hacked to serve up malicious content, so when people visit they get infected. This could rope them into a botnet and open their systems up for data theft.

WordPress battling brute force

The latest attack has been ongoing for at least a week, with HostGator, a major US hosting company, warning that little could be done to protect customers, especially those with servers running high numbers of WordPress installations.

“We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done,” it wrote on Thursday.

Melbourne Server Hosting, part of UK cloud computing company iomart Group, warned of the denial of service threat that came with the botnet strikes, noting it could “render your sites slow and in some cases, completely exhaust the resources available to your services causing a system crash”.

TechWeekEurope runs on WordPress and has not seen any slowdown, nor any breach.

Creator of WordPress, Matt Mullenweg, issued a curt response to the warnings, saying much of the fuss was being made by companies who “sell ‘solutions’ to the problem”.

Those companies included CloudFlare, which recently took some flak for allegedly overstating the threat to the global Internet of a 300Gbps DDoS on a single firm. This time it claimed to have patched the Internet in “real-time”, saying its free service would protect sites against these attacks.

Another company, Sucuri, chose to point out the “coincidence” that it had just released a product designed to repel brute force attacks.

“Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords,” Mullenweg said.

Mullenweg recommended using stronger passwords, turning on two-factor authentication, and ensuring the latest version of WordPress is being used.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem. Most other advice isn’t great – supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great,” he added.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago