Botnet Attacks Seen on WordPress Sites – “admin” Login Targeted
There is a lot of buzz on the Internet this week about WordPress-based websites coming under attack. Leading tech sites, news feeds and other respectable sources are reporting on what is by far the largest onslaught on blogs and websites using the WordPress platform.
Websites Using WordPress Are Under Attack
In fact, as early as on April 11th, web hosting provider Hostgator sounded the alarm on their Gator Crossing blog about seeing a massive and highly-distributed global attack on WordPress installations.
Their “Global WordPress Brute Force Flood” blog post mentioned that the attack had actually begun a week earlier, died off slightly, but is now seen picking up steam. And no one knows when it’ll end, a view echoed by many like Zack Whittaker on ZDNet and Cloudflare’s CEO, Matthew Prince (as reported by the BBC).
Something to the tune of 90,000 IP addresses are being used by hackers in a well-organized attempt to break into poorly-protected websites installed on virtually every web host you can name. Tell-tale signs include inability to log in, slowness in website response and even intermittent down time.
As the BBC said in their report, WordPress powers about 17% of the world’s websites according to W3Techs, a survey website. That’s one in every 6 sites, by no means a small measure. Add to that the 64 million sites hosted at wordpress.com and you can see why hackers could have a field day trying to crack them.
WordPress is a free and open source platform based on PHP and MySQL. Like most software that continues to evolve, there can be vulnerabilities inadvertently left in due to programming bugs and such. Most times, these will be found and fixed by upgrading to the latest WordPress version. (As of this writing, Version 3.5.1 is the most current.)
Why Does It Concern Us?
Such a practice of fixing software already deployed in the market is not new in the industry. Many of us using the Windows OS would have experienced the need to frequently keep up with the latest, especially when security loopholes are being plugged. There is an urgency to act in such cases, and it’s no different for WordPress upgrades.
Generally, it is users who discover those bugs and loopholes in software. But those loopholes are often exploited by hackers, who are users themselves. Except that they prefer to tell the world what they found in a different way, usually more alarming. Sometimes, they don’t tell at all, which can only make matters worse.
US-CERT Is Aware of Botnet Attack
Cyber attacks are a big concern for everyone online, including the US Computer Emergency Readiness Team. US-CERT is fully aware of this on-going campaign against WordPress sites and its intensity. In their report, they highlighted that Cloudflare had to block 60 million requests to customers’ sites, all within an hour.
These unsolicited requests were coming from a botnet – a network of compromised sites and online computers — supported by those 90k IP addresses. And the botnet was performing what is known as a brute-force attack, possibly with the intent to seek out more sites to add to the network.
Botnets are capable of disrupting Internet service by executing a distributed denial of service (DDoS) attack. A mere flooding of online traffic coming from a large network of diverse installations can send servers and computers into a tailspin and pull everything online to a screeching halt.
The implications for operations which depend on online connectivity and access — security, transportation, financial markets, businesses, etc. — are profound. As such, the current WordPress attack cannot be dismissed as trivial.
“admin” Log-in Brute Force Hack
In this particular WordPress attack, hackers are exploiting a basic weakness which arises from users being overly casual about their website log-in credentials. More often than not, users keep and use the default “admin” user name when setting up a new WordPress installation. This means hackers already have an easy way in.
With half the authentication puzzle solved, hackers can focus on guessing passwords. Again, a lot of people are lazy with security and opt for easy-to-remember passwords like names, birthdays, various simple permutations, etc. Few would venture into cryptic strings like “D#&71a@ppQ3” for example, which involves not only numbers but symbols too.
And that’s what the hackers are probably doing this round: looking for easy-to-crack WordPress sites that are lax in security. With their botnet, they could discover many vulnerable websites to infiltrate and exploit. No one knows what they’ll do with them though, and this is what makes it particularly worrisome.
Are Your Websites Vulnerable?
Do you have self-hosted WordPress websites and blogs? Are you still using the default username of “admin”? What about your passwords — are they of the easy-to-recall types?
As an Internet Marketer, you ought not to be taking such risks. If your websites get compromised, your online business will definitely be severely affected. And there’s no telling how deep the damage can be to both your sites and your customers’ trust. Will you be able to recover from such a setback?
Prevention Is Better Than Cure
Unfortunately, hackers can’t be stopped completely. The nature of how software is developed and deployed inadvertently creates opportunities for the clever but sly to use it for their own gain. At best, all we can do is protect our online properties with the most secure lock and key available.
Prevention is definitely better than cure in this case. No one wants to have to clean up a compromised website and try to restore it to its former glory — even a paid webmaster would dread this. More importantly, you can’t afford to have your online business go down and choke your income stream.
It’s You or Someone Else, Unfortunately
While there are no guarantees that your beefed-up websites won’t become targets, at least you’d have raised the level of difficulty enough to deter many hackers. Die-hards may persist longer, but the lure of so many unprotected sites out there would mostly draw them elsewhere.
Sadly, this could mean that your competitors may become easier targets as attackers go elsewhere looking for weaker locks to break. By no means should you rest on your laurels. Always be vigilant, stay updated and safeguard your web properties like you would your prized possessions.
Remember, this is like a cat and mouse game that goes on and on. It is unlikely to stop any time soon.
Get Your Security Act Together Now
Now is the time to beef up your website’s security. How should you go about validating your site? There are bits and pieces of advice online that may be helpful; just do a search and select according to your comfort level.
At the very least, follow this checklist to get started…
- Back up your website and keep copies in different mediums and locations. Make it a habit to do this periodically.
- Scan your site for malware and other vulnerabilities with the free Sucuri SiteCheck tool.
- Change your username if you are still using “admin”.
- Make your password more robust — include symbols, numbers and mix-cased letters. Change it at regular intervals.
- Upgrade to the latest WordPress version as soon as possible; but first heed compatibility warnings from your theme and plugin providers.
- Use the latest theme and plugins. If you find that a plugin has not been updated in a long while, consider using an alternative that is more current.
- Monitor your website for attacks and online performance.
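One practical way to act on the “Monitor your website for attacks” item, and to see in your own server logs the “admin” password-guessing pattern described earlier, is a small access-log analyser. The following is an added example, not code from the original post or from WordPress itself. It assumes the common Apache/nginx “combined” log format and uses a heuristic: WordPress answers a failed login POST to wp-login.php with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect to the dashboard. The log lines are constructed samples using documentation-range addresses, and the thresholds are assumptions to tune for your site.

```python
"""Flag brute-force login bursts against wp-login.php in a web-server access log.

Added example (not part of the original post). Assumes Apache/nginx "combined"
log format and the heuristic that a failed login returns 200 while a successful
login returns a 302 redirect.
"""
import re
from collections import defaultdict
from datetime import datetime

# Minimal "combined" log parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (documentation-range addresses, not real clients):
# a fast burst, a normal user who mistypes once, a slow guesser, and noise.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:15:06 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:16:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:16:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Apr/2013:10:20:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.55 - - [12/Apr/2013:10:23:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.55 - - [12/Apr/2013:10:26:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.55 - - [12/Apr/2013:10:29:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.55 - - [12/Apr/2013:10:32:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
203.0.113.10 - - [12/Apr/2013:10:40:00 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]  # drop query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def login_events(lines):
    """Yield (ip, timestamp, failed) for every POST to wp-login.php."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php"):
            yield ip, ts, status != 302  # assumption: non-302 means the form was re-shown


def peak_in_window(timestamps, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds."""
    stamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(stamps):
        while (t - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each source IP whose failed-login burst reaches `threshold` inside
    `window_seconds` to its peak burst size and whether a 302 followed the failures."""
    failures = defaultdict(list)
    succeeded = defaultdict(bool)
    for ip, ts, failed in login_events(lines):
        if failed:
            failures[ip].append(ts)
        elif failures[ip]:
            succeeded[ip] = True  # a success after failures deserves a closer look
    report = {}
    for ip, stamps in failures.items():
        peak = peak_in_window(stamps, window_seconds)
        if peak >= threshold:
            report[ip] = {"peak_failures": peak, "succeeded": succeeded[ip]}
    return report


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("fast bursts:", find_bruteforce(lines))
    print("slow guessing (15 min window):", find_bruteforce(lines, window_seconds=900))
```

With the default 60-second window only the rapid burst from 203.0.113.10 is reported; widening the window to 15 minutes also surfaces the slow guesser at 192.0.2.55, while the user who mistyped once and then logged in is never flagged. Flagged addresses can be handed to a firewall rule or a login-limiting plugin, and an entry with `"succeeded": True` is the one to investigate first.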
If all these overwhelm you, get technical help instead of making a mess of your site. Contact us for a free evaluation of how secure your website is and which areas need strengthening. Our report card will show you how your site fares and steps you can actively take to stay ahead.
Click here to contact www.intemarketin.com for your website security evaluation.