Breaking News Security

WordPress, Joomla Users Victims of ‘Brute Force’ Attack By Botnet

passwordThe ongoing botnet attack against poorly-secured WordPress-run sites reinforces the need for strong passwords, security experts say.

A network of more than 90,000 IP addresses is responsible for an ongoing “brute force” attack against sites and blogs using the WordPress’ default username ‘admin.’ Some Joomla users have also been hit. The campaign first came to light late last week and picked up steam over the weekend.

Online security firm Sucuri is reporting a significant rise in the number of such attacks.

The company’s data showed an average of 30,000 to 40,000 blocked attacks per day from last December through March. In April, hacking attempts spiked to more than 77,000 per day and reached more than 100,000 in the past few days.

According to Sophos security expert Paul Ducklin the online assault is known as a dictionary attack, a method in which the hacker tries the most common usernames and passwords in quick succession to breach accounts.

“The idea is simple: automate the password guessing, speed up the attack, and don’t spend too long on any individual site,” Ducklin wrote on the Sophos blog. “Look for the low-hanging fruit, and harvest it as quickly as you can; if you can’t get in within a few hundred or thousand attempts, move on to the next potential victim. It’s doorknob rattling, but on an industrial and international scale.”

Sucuri CTO Daniel Cid posted a list of the top user names being attempted: admin, test, administrator, Admin and root. The username admin is by far the most popular attempt, he added. In fact, it is tried 60 times more often than any of the other common user names.

“In these cases, by the shear fact of having a non- admin / administrator / root usernames you are automatically out of the running,” Cid said.

The most common passwords being attempted are: admin, 123456, 12345, !@#%^, 123321, qwerty, 12345678, 1234, 123123, password, 666666, 121212 and pass.


Sophos image
Sophos image

Founding developer of WordPress Matt Mullenweg recommends anyone who uses admin as his or her username change it immediately and implement a strong password.

“If you’re on turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress,” Mullenweg wrote in a blog post.  “Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem.”

Password-guessing attacks such as these are common, Ducklin said.

In this case, the attack volume “has been sufficient to attract global attention, which is a good thing, but it’s currently thought to be only about three times the usual level,” he said.

“In other words, even when ‘normal service’ is resumed, we’ll all still be firmly in the sights of the cybercriminals, so take this as a spur to action.”

Online security provider CloudFlare is warning that attacks such as this could spell trouble in the future.

CloudFlare CEO and co-founder Matthew Prince said the attacker is using “a relatively weak botnet of home PCs” to construct a significantly larger botnet “of beefy servers in preparation for a future attack.”

“These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” he wrote in a blog post. “This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the fall of 2012, was behind the large attacks on U.S. financial institutions.”




About the author


Jennifer Cowan

Jennifer Cowan is the Managing Editor for SiteProNews.


Click here to post a comment
  • It’s most critical than ever to defend WordPress websites, otherwise there’s the risk that they can even be turn out to be used for criminal activities.

    I already had safety measures in place to avoid brute force penetration but after seeing more than 10 thousand tries to logon into my blog in recent days I made the decision that whether or not they failed it wouldn’t harm having even tighter security.

    As WordPress founder Matt suggests, having a strong password and making sure you have most up-to-date version of WordPress is an sufficient protection. The botnet is quite literally guessing account details, if you have something which is simply not guessable you will be safe.

  • WordPress will never be secure. It doesn’t matter how much protection and security prevention. Even having great password protection, secure plugins, etc. will not protect the poor coding that WordPress displays. WordPress is easy prey for hackers.

  • Well, recently Brute force Attacks have increased significantly, becoming a dangerous problem for all WordPress users, but it is manageable. I mean, by using security methods, we can move brute force attacks out the window. Although, it can be difficult for newbies, who just got started with WordPress, they can learn by reading posts online and then can implement security.
    In my view, implementing only three tricks works very well, Changing Login Slug, A content Delivery network (CDN) and a Security Plugin, which bans IP address after a few Login attempts.

  • This is serious issue and increase gradually.I have not much knowledge about this.After that i try to search about this.I get much information about that here.Thanks for this.