Large botnet attacks WordPress installations worldwide
Hosting companies worldwide are reporting an increase in brute force attacks on the administration interfaces of WordPress installations. In a blog post, HostGator says its customers have registered attacks from over 90,000 IP addresses, and content delivery network CloudFlare has also noted increased brute force activity targeting WordPress installations. Security company Sucuri says it has seen an increase in brute force attacks since the beginning of the month.
According to these observations, the botnet is trying to gain administrative access to the WordPress installations by using a dictionary attack on popular administrator user names. CloudFlare's Matthew Prince speculates that one motivation for the attack might be to compromise the underlying web servers and add them to the botnet; web servers at professional hosting companies are especially desirable as members of botnets because they run on more powerful hardware and have access to better network resources than end user machines. According to Sucuri, the attackers have installed the Blackhole exploit kit on some of the compromised WordPress hosts, which would allow them to compromise the systems of users who had browsed the WordPress blog.
While similar attacks have been plaguing WordPress installations for years, the scale of the botnet being used makes this instance noteworthy. WordPress founder and chief developer Matt Mullenweg recommends that users change their administrator user names to something that is not "admin". He also says that implementing IP limiting for the administrator interface does not work well due to the number of IPs in use by the botnet. The usual advice of ensuring you have a strong password of a sufficient length also applies.
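The following added example (not part of the original article) runs a per-IP limit and a per-account count over the same failed-login events, to show why per-IP limiting misses a distributed dictionary attack and what renaming "admin" changes. The event format, thresholds, addresses and the account names "editor" and "siteowner" are constructed assumptions.

```python
from collections import Counter, defaultdict

def make_events(n_bots=300, guesses_per_bot=2):
    """Constructed failed-login events as (source_ip, username) tuples."""
    events = []
    for i in range(n_bots):
        ip = f"10.0.{i // 250}.{i % 250 + 1}"      # constructed bot addresses
        events += [(ip, "admin")] * guesses_per_bot  # few guesses per address
    events += [("10.200.0.1", "editor")] * 8         # one noisy single source
    return events

def per_ip_blocked(events, limit):
    """Addresses a per-IP limit would block (more than `limit` failures each)."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > limit}

def per_account_alerts(events, limit, min_sources):
    """Accounts with more than `limit` failures spread over many addresses.
    Returns {username: (failure_count, distinct_source_count)}."""
    fails, sources = Counter(), defaultdict(set)
    for ip, user in events:
        fails[user] += 1
        sources[user].add(ip)
    return {u: (fails[u], len(sources[u])) for u in fails
            if fails[u] > limit and len(sources[u]) >= min_sources}

def guesses_on_real_accounts(events, real_accounts):
    """Guesses aimed at an account that exists, where only the password
    stands between the guess and a successful login."""
    return sum(1 for _, user in events if user in real_accounts)

if __name__ == "__main__":
    ev = make_events()
    print("blocked by per-IP limit of 5:", per_ip_blocked(ev, 5))
    print("per-account alerts:", per_account_alerts(ev, 20, 50))
    print("guesses hitting a real account, default name:",
          guesses_on_real_accounts(ev, {"admin", "editor"}))
    print("guesses hitting a real account, renamed admin:",
          guesses_on_real_accounts(ev, {"siteowner", "editor"}))
```

The per-IP limit blocks only the single noisy source, while the per-account view surfaces all 600 guesses against "admin"; once the administrator account is renamed, those guesses no longer target an existing account.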