WordPress under attack

Ray Penalosa

We have seen an influx of attacks against WordPress sites. The attack is an old method called brute force attack. The main targets are WordPress sites that still use the default administrative login “Admin.” With half of the credentials pretty much solved, the attacker repeatedly inputs a password until it finally finds the right one.

This lapse in security has been well known in the WordPress community. It has been asked by Tony Perez why WordPress themselves have not offered a stronger password restriction and require that the Admin login be changed; the response he and the WordPress community received was “it’s just not a relevant issue.”

The fix for this is fairly simple. First make sure you update the administrative credential from the default “Admin” user name to something more personal. Second step is to update the password to be more sophisticated. It is recommended that you have a minimum length of 8 characters, including letters, numbers, and special characters such as “#”, “$”, or “%”. Incorporating lower case and upper case characters in your password will also help strengthen it.

The exploit has had a substantial impact on web hosting companies like DiscountASP.NET. When a personal computer gets compromised, there is a limit in the bandwidth that computer may have, but with a web hosting company the bandwidth is almost unlimited. When a WordPress site is compromised, the hacker then uses that site to send out attacks on other servers and hosting companies.

With the nearly unlimited bandwidth at their disposal, the effects can be devastating. The owner of the account is affected as well. With high bandwidth consumption, they may be charged to pay extra for the bandwidth usage their WordPress site utilizes.

Another security measure that can be employed to mitigate this attack is to incorporating WordPress 2 step authentication.  This is an optional new feature you can enable for your WordPress site. It uses the Google Authentication App.

It is a second verification input on top of the password that obtains a random generated code from Google Authentication App. This verification code is updated every 30 seconds making it impossible to guess. You may want to read more on this new security feature on this WordPress link.

Make no mistake that WordPress themselves are taking this attack seriously, and the effects have been wide spread among many hosting companies.

If you want to find out more about this wide spread attack against WordPress sites, here are a couple of links that you might find helpful:

http://ma.tt/2013/04/passwords-and-brute-force/

http://www.bbc.co.uk/news/technology-22152296

Coincidentally this attack not only targets WordPress but Joomla web applications as well. I did not research any Joomla attacks, but if you have a Joomla site and you are using it’s default administrative login “Admin”, you may want to update the login name, and provide it a more complex password just in case.

Leave a Reply

Your email address will not be published. Required fields are marked *