A report on the BBC News website stated:
WordPress website targeted by hackers
WordPress has been attacked by a botnet of “tens of thousands” of individual computers since last week, according to server hosters Cloudflare and Hostgator.
The botnet targets WordPress users with the username “admin”, trying thousands of possible passwords.
The attack began a week after WordPress beefed up its security with an optional two-step authentication log-in option.
The site currently powers 64m websites read by 371m people each month.
According to survey website W3Techs, around 17% of the world’s websites are powered by WordPress.
“Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it, use a strong password,” wrote WordPress founder Matt Mullenweg on his blog.
He also advised adopting two-step authentication, which involves a personalised “secret number” allocated to users in addition to a username and password, and ensuring that the latest version of WordPress is installed.
“Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP [address] a second for 24 hours),” Mr Mullenweg added.
Matthew Prince, Chief Executive and co-founder of Cloudflare, said that the aim of the attack may have been to build a stronger botnet.
“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” he wrote in a blog post.
“These larger machines can cause much more damage in DDoS [Distributed Denial of Service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” he added.
Hi-tech crime terms
- Bot – one of the individual computers in a botnet; bots are also called drones or zombies
- Botnet – a network of hijacked home computers, typically controlled by a criminal gang
- Malware – an abbreviation for malicious software ie a virus, trojan or worm that infects a PC
- DDoS (Distributed Denial of Service) – an attack that knocks out a computer by overwhelming it with data; thousands of PCs can take part, hence the “distributed”
- Drive-by download – a virus or trojan that starts to install as soon as a user visits a particular website
- IP address – the numerical identifier every machine connected to the net needs to ensure data goes to the right place.
Many Irish websites were attacked, and further information provided by Blacknight revealed that:
Last Tuesday they began to see high load on a small number of their shared hosting servers; upon investigation, they saw that the cause was an unusual number of login requests to the admin section of WordPress sites.
It quickly became obvious that the scale of this attack was far greater than the usual attacks seen on self-hosted WordPress sites and was the work of a large botnet.
Our technical team work around the clock to ensure servers and services remain online and work as expected. While many hosting companies began reporting the attack and took action at a server level, including in some cases blocking access to wp-login, we worked to mitigate the issue at a network level. This was due mainly to the large number of servers involved.
The attack slowed down on occasions during the week and then increased again with some characteristics changing to overcome the defence mechanisms that were put in place.
By Friday afternoon the attack was no longer growing and the number of new IPs we were seeing had reduced greatly; the attack continued to slow over the weekend.
So here are some numbers and statistics that we are happy to share.
Over the week our Engineering team recorded over 10 million login attempts originating from over 190,000 IPs; of those, we blocked 65,000 IPs, from over 183 countries, from our network during the attack.
Top 30 – blocked IPs by country
13866 : BR, Brazil
6313 : TR, Turkey
2909 : MX, Mexico
2419 : IN, India
2252 : PL, Poland
2171 : ID, Indonesia
1862 : VN, Vietnam
1795 : AR, Argentina
1751 : KR, Korea, Republic of
1568 : RS, Serbia
1431 : GR, Greece
1392 : PT, Portugal
1366 : FR, France
1319 : TH, Thailand
1281 : EG, Egypt
1185 : VE, Venezuela
1118 : MA, Morocco
1035 : DZ, Algeria
907 : RU, Russian Federation
873 : CL, Chile
801 : BA, Bosnia and Herzegovina
796 : UA, Ukraine
775 : SA, Saudi Arabia
769 : ES, Spain
754 : RO, Romania
752 : IT, Italy
728 : CO, Colombia
569 : MY, Malaysia
527 : PE, Peru
475 : US, United States
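Mullenweg's remark above that a per-IP login-throttling plugin does little against tens of thousands of source addresses, and Blacknight's figures of 10 million attempts from 190,000 IPs, point to the detection a hosting provider actually needs: an aggregate view of failed logins rather than a per-IP counter. The following is an added example, not code from the BBC article, Blacknight or WordPress. It parses combined-format access log lines, treats a POST to /wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form, whereas a successful login redirects with 302), and compares a naive per-IP threshold with a site-wide sliding-window threshold on a constructed sample in which 60 bots each guess once every 150 seconds. The IP addresses, timestamps, status-code assumption and thresholds are all constructed for the example.

```python
"""Added example (not from the BBC, Blacknight or WordPress): spot a distributed
wp-login.php brute force in combined-format access logs. Assumption: a POST to
/wp-login.php answered with HTTP 200 is a failed login, a 302 is a success."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],  # drop any query string
            "status": int(m.group("status"))}


def failed_logins(lines):
    """Keep only events that look like failed wp-login.php POSTs."""
    events = [parse_line(ln) for ln in lines]
    return [e for e in events if e and e["method"] == "POST"
            and e["path"] == "/wp-login.php" and e["status"] == 200]


def per_ip_offenders(events, limit, window):
    """Naive login throttling: IPs with more than `limit` failures in any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def site_wide_alert(events, limit, window):
    """Aggregate view: failures and distinct IPs in the busiest `window`."""
    stamps = sorted((e["ts"], e["ip"]) for e in events)
    in_window, start = Counter(), 0
    max_failures = distinct_ips = 0
    for end, (ts, ip) in enumerate(stamps):
        in_window[ip] += 1
        while ts - stamps[start][0] > window:
            old = stamps[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if end - start + 1 > max_failures:
            max_failures, distinct_ips = end - start + 1, len(in_window)
    return {"alert": max_failures > limit,
            "max_failures": max_failures, "distinct_ips": distinct_ips}


def build_sample_log(bots=60, attempts=4, spacing=timedelta(seconds=150)):
    """Constructed sample: `bots` hosts in 203.0.113.0/24 each post one guess every
    `spacing`, staggered by a second per bot, plus one legitimate user."""
    base = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3450 "-" "Mozilla/5.0"'

    def line(ip, ts, method="POST", path="/wp-login.php", status=200):
        return fmt.format(ip=ip, ts=ts.strftime(TS_FMT), method=method,
                          path=path, status=status)

    lines = [line(f"203.0.113.{i + 1}", base + timedelta(seconds=i) + k * spacing)
             for i in range(bots) for k in range(attempts)]
    legit = "198.51.100.7"
    lines.append(line(legit, base + timedelta(seconds=60)))                # a typo
    lines.append(line(legit, base + timedelta(seconds=120), status=302))  # success
    lines.append(line(legit, base + timedelta(seconds=121), "GET", "/wp-admin/"))
    return lines


def analyse(lines, per_ip_limit=5, site_limit=50, window=timedelta(minutes=5)):
    """Run both detectors over raw log lines and report what each would do."""
    events = failed_logins(lines)
    return {"failures": len(events),
            "per_ip_flagged": per_ip_offenders(events, per_ip_limit, window),
            "site": site_wide_alert(events, site_limit, window)}


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

Run as a script it analyses the constructed log: no single IP exceeds five failures in five minutes, so the per-IP rule stays silent, while the site-wide window sees well over a hundred failures from 61 distinct addresses and fires. In production the aggregate counter would be keyed per hosted site (or per target username, where the application logs it) and its output fed to a network-level block rather than a per-server rule, which is the distinction Blacknight draws above.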