An unusually powerful  online attack, using more than 90,000 IP addresses , is currently ongoing  against WordPress blogs with weak admin credentials.  Targeted at vulnerable WordPress users who still use the default “admin” username,  this brute force dictionary-based  password-guessing attack  is trying thousands of passwords to crack their administrative credentials .

Now password-guessing attacks of this sort happen all the time, right? What’s all the fuss about? Analysts are speculating that this attempt is just a warm up for a much  wider and larger attack that is to come. How?  The avalanche effect.

Sites which are broken into (and thousands have been), will be seeded with a backdoor which will give access to the  attackers to control the site remotely.  These sites will then be used just like 90,000 IP addresses mentioned above and conscripted into the attacking server botnet, thus forced to launch password-guessing attacks against other sites running WordPress.

So the attacker who as of now seems to be using a weak botnet/network of home PCs, which are connected to the Internet with a mere 10 megabit or 20 megabit line,   will soon have a much larger botnet of huge servers having essentially unlimited Internet bandwidth and  large network connections , thereby capable of generating a huge amount of traffic on an unprecedented scale that might affect the entire internet infrastructure and slow it down  on a global level. Scary, right?

If you haven’t locked down your website properly, now is the time to spur to action because chances are it  could be hijacked by cybercriminals for their own purposes, without you even knowing.

Maintain strong passwords: Let’s kick off the list with the easiest step you can implement immediately. Use strong passwords including upper/lower keys, numbers and symbols.

Rename the administrative account: Create a new user with administrator rights and delete “admin”-the default administrator of WordPress powered sites.

Install a login limiter for WordPress:  A login limiter can essentially block the IP address which tries and fails to send login requests above a threshold rate. For example, three consecutive failed login attempts can be backed up with a penalty timeout of 1 hour and an e-mail notification to the website owner about the same. Two WordPress plugins which let you enforce a login limiter are Limit Login Attempts and  Better WP Security.

Enable Two factor Authentication: Two Step Authentication for WordPress.com accounts  was released just a week back and we strongly recommend that you deploy it.

Keep up to date with the latest version of WordPress:  WordPress team creates patches to help fix security holes at frequent intervals.  Keep a tab on them and also new versions of  plugins and themes.

Posted in: Security.
Last Modified: April 20, 2013