Hackers Using Brute-Force Attacks to Harvest WordPress Sites

Months of distributed denial of service attacks against major U.S. banks have evolved in magnitude and ferocity causing service disruptions for online banking customers. They’ve also shown the way for other attackers to adapt and evolve techniques used in those attacks.

Months of distributed denial of service attacks against major U.S. banks have evolved in magnitude and ferocity causing service disruptions for online banking customers. They’ve also shown the way for other attackers to adapt and evolve techniques used in those attacks.

Apparently, someone is building a formidable botnet of compromised WordPress accounts that is likely to be used in a much larger attack, some experts are speculating. Similar to some of the late-stage bank DDoS attacks that used Web servers to generate unprecedented levels of traffic targeting online banking services, this WordPress botnet could be as disruptive.

Attacks against WordPress sites began last week, when some Web hosts and security experts reported brute-force attacks against administrative credentials using a combination of “admin” as a user name, and a list of common passwords. Compromised sites built on WordPress would notice slower back-end operations, log-in difficulties, or downtime.

Web host HostGator said it had seen more than 90,000 IP addresses involved in the attack. “The attack is well organized and very distributed,” wrote engineer Sean Valant on the company’s Gator Crossing blog.

Sucuri Security, a Web monitoring company in California, said it has noticed the number of log-in attempts blocked on the customer sites it monitors more than triple through the first two weeks of April—more than 77,000 a day. It added that common user names such as “admin”, “test,” “administrator,” “Admin,” and “root” top the list of log-in attempts. As for password attempts, “admin,” “123456,” “qwerty,” and many other common passwords are being used in the brute-force attacks.

CloudFlare CEO Matthew Prince said the attackers could be using a botnet of home PCs to build a bigger arsenal of compromised machines.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince said. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Attacks against U.S. banks spiked in January and again in March to upwards of 100 Gbps of traffic, sent from a relatively small number of compromised Web servers. Attackers, claiming to be protesting a movie “Innocence of Muslims,” are taking a liking to Web servers as a launch pad for DDoS attacks because of the higher processing power of a server, bandwidth and access they have to a Web host’s network and bandwidth.

In October, security company Prolexic identified one of the tools used in the attack as an offshoot of the Brobot, or itsoknoproblembro, toolkit. The malware attacks content management systems such as WordPress or Joomla and is capable of launching high bandwidth attacks at multiple targets simultaneously, a signature of the bank DDoS attacks.

Experts are recommending that WordPress managers change their log-ins, both user names and passwords. There are also security plug-ins available and two-factor authentication options available from WordPress. CloudFlare has also released a free tool that it said mitigates this attack.

Suggested articles


  • Jan van Niekerk on

    Wordpress.com does not believe that allowing "admin" as a password is a security matter, and do not accept this as a bug report. There's an obscure plugin you are supposed to track down which stops it. Also, admin:admin has been used against both wordpress and joomla for almost a year now.
  • Jeff Yablon on

    Besides writing about this yesterday at answerguy.com, we happened to do a video on this subject just last week, as well.


    It's a real issue, but the truth is that it takes very, VERY little to protect against this kind of thing.

  • Ed Cooper on

    We've tried to protect our WordPress install from this, I've written a guide http://blog.ed.gs/useful/wordpress-brute-force-protection-hack/
  • Ayrat Zakirov on

    I found Securitron plugin helpful against bots.(http://www.b2beservices.com/files/Securitron_v1_0_1.zip)
  • Christopher Nankervis on

    I've been at the end of an attack for the past few days. Each IP (device) in the attack attempted to login to the wp-login area of my WordPress blog. I counted around 3000 different IPs - and the default setting allows up to 5 password attempts from each. As you can imagine that accounts to 15'000 guesses - so whilst this is a small risk, don't ever use a single dictionary word as your password. The most annoying thing is the bandwidth usage is pushed up, which can be both a headache for yourself and the website hosting company. I suggest several solutions: (1) Stop the bot growing. Only use strong passwords, remove redundant add-ons in WordPress, update your software regularly to fix known vulnerabilities etc. As you can imagine there are 200 million WordPress users in the word and if just 1% of these were hacked by brute force even stronger password combinations may be vulnerable to an attack. Don't join the viral bot! (2) The attack seems to be centered around Ukraine. This enables you to limit the "bandwidth" issues of the DDoS attack by inserting a country block. I observed this from my cPanel login - only possible for those that have installed their WordPress on their own domain. This is a set of IP addresses corresponding to the nuisance country and allows you to isolate your traffic to your desired countries. You can do this by inserting the relevant code into the .htaccess file of your WordPress route directory. See http://www.ip2location.com/free/visitor-blocker (3) Don't conform to the predictable WordPress setup. Limit the password guesses from 5 to 2. Not only does this reduce the odds in the extreme case of brute-force hackers gaining access by 60%, but it also catches them out. Most WordPress user accounts allow 4 incorrect password attempts, but the hackers will get a surprise "lock-out" when they incorrectly enter the second attempt. (4) When hackers are locked out of your website for entering incorrect passwords at wp-admin keep them out! The standard WordPress settings allow them to cycle password attempts every hour, starting the IP chain again with new entries. Keep them out by placing a permanent bar. Remember, it is easy to unblock yourself or a work colleague, but not easy to manually block everyone in the hacking group. Good luck!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.