WordPress Sites Targeted by Brute Force Attack
Last updated on: September 7, 2020
Last week, HostGator and CloudFlare reported an ongoing attack against WordPress sites. WordPress is a popular tool used to produce and run websites. It has been downloaded over 60 million times and can be found at the core of many of the Alexa top websites.
The attack is simple, but will no doubt capture a number of naively configured WordPress systems. It aims to gain control over WordPress installations by guessing the password to the WordPress Administrator account, which is named “admin” by default. Apparently the attacker controls a botnet of roughly 90,000 computers that have been instructed to seek out WordPress instances and to use a dictionary of over 2,500 common passwords in a brute force password attack.
A number of measures can be used to defend against this simple attack, such as renaming the built-in administrator account, using strong passwords in general, and banning aggressive attack IPs, but we recommend enabling 2-factor authentication. It is the best solution, because it provides the most durable protection from this attack and others that will undoubtedly follow in the future. In my WordPress instances, I use the Google Authenticator Plugin and authenticate through my smartphone, similar to the process I follow with my Gmail and Dropbox accounts. However, there are other good options available, such as Authy (www.authy.com) and Duo Security (www.duosecurity.com). If your blog is hosted by WordPress itself on wordpress.com, 2-factor authentication is available as well. WordPress just recently added Google Authenticator support, which can be activated under Manage my Blogs – Settings – Security.
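To find the aggressive attack IPs mentioned above, you can count failed logins per source address in the web server's access log. The following is an added example, not code from Qualys or WordPress: the function names, the thresholds (5 failures within one minute) and the sample log lines are assumptions made for illustration, and it expects the Apache/nginx combined log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access log: ip - - [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def failed_logins(lines):
    """Yield (ip, time) for each failed POST to wp-login.php.

    Stock WordPress re-renders the login form (HTTP 200) on a wrong password
    and redirects (HTTP 302) on success, so a 200 on a POST counts as a failure.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        # endswith() also matches installs in a subdirectory such as /blog/
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def aggressive_ips(lines, max_failures=5, window=timedelta(minutes=1)):
    """Return {ip: peak failures inside one window} for IPs at or over the limit.

    Thresholds are assumed defaults; each IP's lines must be in time order.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512'
    for s in range(6)
] + [
    '198.51.100.20 - - [01/Jan/2024:10:00:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3512',
    '198.51.100.20 - - [01/Jan/2024:10:00:30 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900',
]

if __name__ == "__main__":
    for ip, peak in aggressive_ips(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {peak} failed logins within one minute")
```

A per-IP limit only catches sources that hammer the login form, so treat it as a complement to 2-factor authentication rather than a replacement.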
Finally, if you don’t know if or how many WordPress blogs you have in your organization, I recommend running a scanner on your perimeter IP addresses to detect all installations. We have a free tool to run such a scan, “Blind Elephant” (http://blindelephant.sourceforge.net/), that you can use. Of course, if you are a Qualys customer, you can use our normal vulnerability scan and look for QID: 45114 “Web Applications and Plugins Detected,” which lists your WordPress, Joomla, Drupal, etc. instances. If you are interested in the technical background on this process, take a look at the whitepaper on the BlindElephant Qualys Community page at https://community.qualys.com/community/blindelephant.