A botnet is battering WordPress sites with brute force attacks, but the CMS and blog provider says the issue is being blown out of proportion by security vendors wanting to promote their wares.
Various hosting providers and security companies have warned about the attacks over the last few days, and it’s believed a botnet of over 90,000 bots is being used to guess passwords to WordPress, and some Joomla, websites.
WordPress is a prime target for hackers, largely because of its popularity. Often WordPress sites are hacked to serve up malicious content, so when people visit they get infected. This could rope them into a botnet and open their systems up for data theft.
The latest attack has been ongoing for at least a week, with HostGator, a major US hosting company, warning that little could be done to protect customers, especially those with servers running high numbers of WordPress installations.
“We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done,” it wrote on Thursday.
Melbourne Server Hosting, part of UK cloud computing company iomart Group, warned of the denial of service threat that came with the botnet strikes, noting it could “render your sites slow and in some cases, completely exhaust the resources available to your services causing a system crash”.
TechWeekEurope runs on WordPress and has not seen any slowdown, nor any breach.
Creator of WordPress, Matt Mullenweg, issued a curt response to the warnings, saying much of the fuss was being made by companies who “sell ‘solutions’ to the problem”.
Those companies included CloudFlare, which recently took some flak for allegedly overstating the threat to the global Internet of a 300Gbps DDoS on a single firm. This time it claimed to have patched the Internet in “real-time”, saying its free service would protect sites against these attacks.
Another company, Sucuri, chose to point out the “coincidence” that it had just released a product designed to repel brute force attacks.
“Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords,” Mullenweg said.
Mullenweg recommended using stronger passwords, turning on two-factor authentication, and ensuring the latest version of WordPress is being used.
“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem. Most other advice isn’t great – supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great,” he added.
What do you know about Internet security? Find out with our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
Besides writing about this today ( http://answerguy.com/2013/04/15/hacking-wordpress-cms-content-management-security/ ), we happened to do a video on this subject just last week: http://answerguy.com/videopost/you-cant-build-a-web-site-in-one-hour-admin-security/ .
It's a real issue, but the truth is that it takes very, VERY little to protect against this kind of thing.
It’s more vital than in the past to defend WordPress websites, otherwise there’s the chance that they could even be became used for criminal activities.
I already had safety measures set up to circumvent brute force penetration but after seeing more than 10.000 attempts to logon into my blog in recent days I made a decision that regardless of whether they failed it wouldn’t cause pain having even tighter security. Here are WordPress login security plugins I plan to use.
As WordPress founder Matt suggests, choosing a strong password and ensuring that you have most up-to-date version of WordPress is an adequate protection. The botnet is essentially guessing passwords, so when you have something which is simply not guessable you'll be safe.
my wordpress site was hacked again and again,so I said enough changed provider setup wordpress again only this time put hard security which is free from wordpress,the chinese have had a visit their ip was given to me as a email warning tracked it back to Beijing but no damage and still working.
"300Gbps DDoS" can be lowered to 60Mbps by using redirecting mechanism in Securitron plugin for Wordpress. http://www.b2beservices.com/files/Securitron_v1_0_1.zip