Hosting providers around the world are seeing an increase in brute force attacks against WordPress and Joomla sites. Attackers are looking to gain access to and compromise accounts, but failing that, they are slowing down their targets or even rendering them unavailable as they exhaust the sites’ resources.
Melbourne Server Hosting is reporting that it has seen signs over the past 48 hours of increased attempts, while InMotion Hosting has noted they are coming from a large number of IP addresses spread across the world. This would suggest the attackers are using a botnet to break in; HostGator has said at least 90,000 computers are involved while CloudFlare has noted that “more than tens of thousands of unique IP addresses” are being used.
- December 2012: 678,519 login attempts blocked.
- January 2013: 1,252,308 login attempts blocked.
- February 2013: 1,034,323 login attempts blocked.
- March 2013: 950,389 login attempts blocked.
- April 2013: 774,104 login attempts blocked for the first 10 days.
The top five user names being attempted are admin, test, administrator, Admin, and root. The top five passwords being attempted are admin, 123456, 666666, 111111, and 12345678. Obviously, if you are using any common user name or password, you should change it immediately.
In other words, Sucuri has been seeing 30 to 40 thousand attacks per day for the last few months, but this month that number has increased to 77,000 per day on average. In the last few days, the firm says the figure has reached more than 100,000 per day, meaning the number of brute force attempts has more than tripled.
For those who don’t know, a botnet refers to a group of computers (sometimes called zombies) that have been infected with malware to perform tasks for whoever distributed said threat. This individual, or organization, controls the botnet by sending instructions to the zombies from one or more Command & Control (C&C) servers.
A brute-force attack, meanwhile, refers to the systematic checking of all possible passwords (or just popular ones) until the correct password is found. A botnet is not required, but it can help in the process: multiple computers can be used to check different combinations, and spreading the guesses across them avoids triggering limits on repeated attempts.
While these attacks against popular content management systems are nothing new, the sudden increase is a bit worrying. Until the botnet in question is taken down, however, there is not much that can be done aside from ensuring you are taking every precaution. That includes using a solid username and password combination as well as ensuring your CMS and plugins are up-to-date.
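Because a botnet spreads its guesses across many machines, a limit counted per IP address can stay silent while the site as a whole is under attack. The following is an added example, not part of the original article: a log check over constructed sample lines that compares a per-IP limit with a site-wide count of failed logins and distinct source IPs. The log format, the thresholds, and the rule that a failed WordPress login appears as a POST to /wp-login.php answered with 200 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: a failed WordPress login is logged as POST /wp-login.php -> 200
# (a successful login answers with a 302 redirect).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" 200 ')

def sample_log():
    """Constructed log: 40 bots x 3 tries each, plus one user who mistypes twice."""
    lines = [f'203.0.113.{bot} - - [12/Apr/2013:10:0{n}:{bot:02d} +0000] '
             f'"POST /wp-login.php HTTP/1.1" 200 3210'
             for bot in range(1, 41) for n in range(3)]
    lines += [f'198.51.100.7 - - [12/Apr/2013:14:00:0{n} +0000] '
              f'"POST /wp-login.php HTTP/1.1" 200 3210' for n in range(2)]
    lines.append('198.51.100.7 - - [12/Apr/2013:14:00:09 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0')
    return lines

def failed_logins(lines):
    """Return (ip, timestamp) for every failed login line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), '%d/%b/%Y:%H:%M:%S %z')
            events.append((m.group(1), ts))
    return events

def bucket(events, minutes):
    """Group failed attempts into fixed windows: window start -> list of IPs."""
    windows = defaultdict(list)
    for ip, ts in events:
        start = ts.replace(minute=ts.minute - ts.minute % minutes, second=0)
        windows[start].append(ip)
    return windows

def per_ip_lockouts(events, minutes=10, limit=5):
    """Classic limit: IPs with more than `limit` failures in one window."""
    return {ip for ips in bucket(events, minutes).values()
            for ip in set(ips) if ips.count(ip) > limit}

def distributed_alerts(events, minutes=10, min_attempts=50, min_ips=20):
    """Site-wide view: windows with many failures spread over many IPs."""
    return [(start, len(ips), len(set(ips)))
            for start, ips in sorted(bucket(events, minutes).items())
            if len(ips) >= min_attempts and len(set(ips)) >= min_ips]
```

On the constructed sample the per-IP limit locks out nobody, while the site-wide check flags the one window holding 120 failures from 40 addresses and ignores the user who mistyped a password.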