90,000 Strong Botnet Trying to Break in to WordPress Sites

Ars Technica, Huge attack on WordPress sites could spawn never-before-seen super botnet:

Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today. That’s because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.

The attacks currently target the “admin” username and 1,000 common passwords. If you’ve got a simple or obvious password, now’s the time to change it.

If your WordPress admin account is “admin”, you need to change that too, and not just because of this botnet. I monitor failed login attempts, and 99% of them use “admin” as the username.

I recommend the Better WP Security WordPress plugin for changing the admin username, monitoring failed logins and excessive 404s, and a whole lot more:

  • Change the database prefix from the default of “wp_”.
  • Disable admin logins during times when you never log in.
  • Hide WordPress information in source code and files such as readme.html. That makes it less likely that Google searches and script tools can discover WordPress installations or WordPress versions with specific vulnerabilities.
  • Monitor file changes. I exclude directories that are supposed to have frequent file changes, like cache and backup directories:
    • wp-content/backup-db
    • wp-content/cache
    • wp-content/updraft
  • Temporarily or permanently ban access from IP addresses with excessive failed logins or 404s. Be careful with this setting. A search engine might hit the 404 limit when trying to access old URLs.
  • Optionally enable SSL for logins, admin area, or even the front end.
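The failed-login and 404 monitoring described above can also be done from the web server's access log, independent of any plugin. The script below is an added example, not code from the post or from Better WP Security: it assumes Apache/nginx combined-format logs, uses constructed sample lines, and treats a wp-login.php POST answered with 200 (login form redisplayed) as a failure and one answered with 302 as a success. It bans on repeated login failures but only flags 404 bursts for review, because of the search-engine caveat above.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format. The username is not in the access
# log, so this keys on the request pattern, not on the "admin" username.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not from a real server. WordPress answers a failed
# wp-login.php POST with 200 (form redisplayed) and a successful one with a 302
# redirect into wp-admin; that difference is the failure heuristic used below.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:02:00 +0000] "GET /old-post-1/ HTTP/1.1" 404 512 "-" "Googlebot/2.1"
192.0.2.9 - - [12/Apr/2013:10:02:01 +0000] "GET /old-post-2/ HTTP/1.1" 404 512 "-" "Googlebot/2.1"
192.0.2.9 - - [12/Apr/2013:10:02:02 +0000] "GET /old-post-3/ HTTP/1.1" 404 512 "-" "Googlebot/2.1"
"""

def analyze(log_text, login_limit=3, notfound_limit=3):
    """Return {ip: {"login_failures", "not_found", "last_ua", "action"}}."""
    stats = defaultdict(lambda: {"login_failures": 0, "not_found": 0,
                                 "last_ua": "", "action": "none"})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        s = stats[m["ip"]]
        s["last_ua"] = m["ua"]  # kept so a 404 burst can be checked by hand
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            s["login_failures"] += 1
        elif m["status"] == "404":
            s["not_found"] += 1
    for s in stats.values():
        if s["login_failures"] >= login_limit:
            s["action"] = "ban"      # repeated credential guessing: block outright
        elif s["not_found"] >= notfound_limit:
            s["action"] = "review"   # 404 bursts can be a crawler re-checking old URLs
    return dict(stats)

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} failed_logins={s['login_failures']} 404s={s['not_found']} -> {s['action']}")
```

The thresholds are constructed for the sample; on a live server pick a login limit well above what a user who mistypes a password a few times would hit, and review the 404 list before turning any of it into a ban.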

Back Up WordPress First

Before making the security changes, back up your WordPress install. You should be doing automated backups anyway, in case of successful hacks, server problems, or human error. Better WP Security has a backup feature, but I’ve tried it on two separate WordPress installations and couldn’t get the scheduled backup feature to work.

Instead I’m using the UpdraftPlus WordPress plugin for backups. It can back up the database and files separately. You should back up the database more often than the files. The database changes every time you create or modify a page or blog post, or receive a comment. The database is relatively tiny – even with thousands of blog posts and comments mine is only 437 MB – so backing it up doesn’t take much processor time or disk space.

UpdraftPlus can email you the files, FTP or SSH them to another server, or upload them to cloud storage. Amazon S3, Dropbox, and Google Drive are currently supported. You can choose to receive an email report every time the backup runs.

4 Responses to 90,000 Strong Botnet Trying to Break in to WordPress Sites

  1. Alesa says:

    Thanks for posting this, Les. My employer just stood up a WordPress blog. Sigh.

  2. Bill says:

    Sadly, Better WP Security conflicted with something in my WordPress instance and killed the site. I had to hack it out via FTP and some unfriendly manual file manipulation. So definitely back up first! It did work on other sites I have, just not my main one. Still, I like your suggestions. Removing the admin user is pretty easy. Set up a new user, make it admin, then log in with that user and either delete admin or drop its application rights from admin to guest or something.

  3. Mike S says:

    I wanted to say Thanks Again — after you first posted about WP Security I installed it on all my sites and have seen countless hack attempts get blocked out. I pity the fools that use dictionary words as admin passwords.

  4. Thank you very much for the info.

    I would, as you have suggested, definitely recommend the WP Better Security. I have found it does take a bit of getting used to and you do need to take care with some of the settings. For example, I recently got rid of ‘backends’ on one of my websites and then found I could not log on! I have got that sorted now, thank goodness. I did feel a bit daft at the time though.

    WP Better Security is, nonetheless, extremely helpful. It identifies all of your vulnerabilities, how high a priority they are, and shows you what you need to do to deal with them.

    WP Better Security is also a real eye-opener. On one of my websites there is an ongoing attack (every day 100+ attempted logons). I am so relieved that I had changed the username from ‘admin’. Otherwise I would likely have been hacked by now.

    When I mentioned the above ‘hacking efforts’ to a friend he looked at me disbelievingly and I think he thought that I was just being paranoid and slightly mad. He went on to say that he thought no one would be interested in hacking any of my websites because they were only small operations. This is a totally false belief – and I told him so. He now thinks that I am most certainly mad!

    Take no notice of the sceptics, big or small, you do have to take website security very seriously and do everything you can to secure your site(s).

    If you haven’t done anything about it yet, do it today. It could save you an awful lot of grief.

    Thank you again for raising this issue and explaining what is happening so well.