April 12, 2013

Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.

Source: Cloudflare.com

Source: Cloudflare.com

Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor the lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress.

Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms.

“It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”

Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant.  “This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”

That assessment was echoed in a blog post Thursday by CloudFlare, content delivery network based in San Francisco. Cloudflare CEO Matthew Prince said the tactics employed in this attack are similar to those used by criminals to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was responsible for a series of rather large cyber attacks against the largest US financial institutions.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince wrote. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website.  These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses.

Also, WordPress users can take advantage of a third-party plugin from Duo Security, which enables secure logins using one-time codes pushed via text message or an associated mobile app.

Matthew Mullenweg, the founding developer of WordPress, suggests site administrators chose a username that is something other than “admin”. In addition, he urged WordPress.com-hosted blogs to turn on two-factor authentication, and to verify that the site is running the latest version of WordPress. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg wrote.

Daniel Cid, chief technology officer of Sucuri Security, a company that helps site owners prevent and recover from security breaches, said his team isn’t seeing infected sites being used to attack others; according to Cid, most of the password brute-forcing is being conducted by desktop systems under the attackers’ control.

“We saw a big increase in the number of brute force attacks (almost tripled) since previous month’s average,” Cid wrote in an instant message interview. “However, at least from our data, they are not re-using the compromised sites to build a botnet to scan others. I assume that is speculation. On the sites we looked [at] that were hacked, the attackers injected backdoors and malware on them,” including the Blackhole Exploit Kit. Cid also shared a copy of the username/password list that the attackers have been using for the brute-forcing.

“The brute force attacks do not seem to be coming from servers, but from desktops,” Cid said. “However, this is still very early, since they are injecting backdoors (a variation of the Filesman backdoor) they can later use the sites to inject malware or even create a botnet and brute force other sites.”

According to Sucuri, WordPress administrators who have been hacked should strongly consider taking the following steps to evict the intruders and infections:

– Log in to the administrative panel and remove any unfamiliar admin users.

– Change all passwords for all admin users (and make sure all legitimate accounts are protected with strong passwords this time).

Update the secret keys inside WordPress (otherwise any rogue admin user can remain logged in).

– Reinstall WordPress from scratch or revert to a known, safe backup.

Update, 3:05 p.m. ET: Corrected Gaffan’s title.

Update, 6:29 p.m. ET: Added quotes and tips from Sucuri Security.

Update, Apr. 13, 2013, 12:14 p.m. ET: Added comments from Mullenweg.

68 thoughts on “Brute Force Attacks Build WordPress Botnet

  1. David

    I’ve had good experience using Wordfence and implementing things like Country blocking. I have not seen any noticeable uptick in attacks over the past few weeks. I also rename my admin accounts during the post install configuration using my hardening cheat sheet, and use a password manager to create 30+ char impossible to remember passwords. I also self host all of my WordPress instances on multiple vps servers spread around the country, which may be keeping me under the radar. So far so good.
    Beware of stale security plugins.
    Just another note on WordPress security plugins – before I settled on Wordfence I did a survey of all I could find referencing lots of WordPress security type blogs and articles. What I found was that many of the popular plugins cited were outdated by several versions and not supported under the current version of WordPress. So before you break your site by installing a stale, poorly supported plugin, be sure to read the compatibility information on the plugin page, and always test it on a non production server first. Key WordPress compatibility information on a plugin page:
    “Requires: 3.3.1 or higher
    Compatible up to: 3.5.1
    Last Updated: 2013-3-21” (shows under active development)
    This topic could go on and on, but hopefully a lesson learned for many who have decided to use WordPress.

  2. Dru Mundorff

    I have already figured this method out 100% and know of it. I actually gave a speech on this and tried to explain and to be able to give a complete fix to prevent this.
    People think this is a ddos method they getting from regular botnet. Is a common mistake.

    ceo [at] lilyjade-v2.com

  3. Sofiya

    Seconding the sentiment of Jim Walker. The work Sucuri is doing to support the WordPress community is hugely appreciated.

  4. Shaun Merrigan

    Hi Brian,

    Just thought to mention that there is now a Google Authenticator Plugin for WordPress. You can enable (or disable) it per user (admin, editor, etc). This, together with strong password and a strong user name will go a long way to securing the back end.

    Also make sure that Wordfence (or equivalent) is set up to lock out unauthorized logins.

    Thanks for all your good work. I particularly enjoyed your dialogue with Leo and Steve.


    Shaun Merrigan

    1. Dan

      It might be of interest that we have recently published another plugin for strong authentication. It prefers usability to security so you can either login with a password or with one-time code.

      If you’re on a secure network, you may want to use just your password but open your smart phone when connected through an insecure WiFi (cafe, train, …).

      We tested it with a few smart phone apps: Google Authenticator, Pledge, DS3 OATH, AWToken so you don’t have to rely on Google completely.

      Try to search for S-CRIB OTP Authenticator in the list of WordPress plugins or directly http://wordpress.org/extend/plugins/s-crib-otp-authentication/ .

  5. Paul

    The main issue I see is that WordPress will always tell you whether your username is correct. So its easy for a botnet to detect whether the user is using admin as their main administrator account.

    The best plugin I’ve seen for simple hardening is securescanpro – as it hardens your site with a few clicks and provides captchas to bots.


  6. Jatin

    Added a code to wp-login.php

    To see ur own IP address, visit cmyip . com
    Using code below, for example my ip is, , so in place of xxx in below code, put 1.

    $iptoblock = explode(“.”,$_SERVER[‘REMOTE_ADDR’]);

    This above code will only allow logins from your ISP company. Just a simple code for instant blocking access from any other country or isp that yours.

  7. Christine

    I was not aware of what the term brute force attack means but now thing are a lot clearer. Having a efficient firewall and other type of security plug-ins and programs definitely help. Furthermore, I have always believed the password should be a little bit more complicated so it woudl be harder to crack . That is common sense. You should not use a simple password. Never. Cheers and thanks for sharing this with us.

  8. Jacob

    I don’t understand the mentality of people who do these things. Never have and frankly, I don’t want to.

    I really appreciate the plugin suggestions in addition to the limit logins. I would like to have security that runs in the background and only needs some occasionally monitoring. I know its important, I just don’t want to spend all my online time defending instead of creating.

  9. Adi

    My WP based site was one of the hacked sites a couple of weeks ago. Though I never use common username & password, they still managed to hack my site.

    I’ve asked my hosting company to reinstall WP from scratch, but it doesn’t work. In fact now it’s been the 3rd time within 2 weeks that I still can’t work on my WP. Now I can’t even login to wp-admin, either by asking password or through phpMyAdmin (cpanel).

    I have no idea how to remove this ‘back door’ seeded into my (root directory, may be?) or my website.

    I consider just dump this troubled site & buy a new one. But what if the new one is also attacked?

  10. Frank Steiner

    It’s more vital than in the past to protect WordPress websites, otherwise there’s the chance that they may possibly be turned into used for criminal activities.

    I already had safety measures set up to prevent brute force penetration but after seeing well over 10K tries to login into my blog in recent days I decided that regardless of whether they failed it wouldn’t hurt having even tighter security.

  11. Kewocap

    As someone who is looking to go into this field I found it interesting that brute force attacks could cause quite the impact on the target. I wouldn’t have known that it could not only harm the severs, but also increase the attack making it even stronger. I do believe that having more methods of preventing things such as this, like having more complicated passwords would help tremendously as Christine mentioned.

    Thanks for posting this!

Comments are closed.