Hackers Have Brute-Forced Admin Usernames and Passwords of 20,000 WordPress Sites

WordPress Brute-Force Attacks

When security researchers say that adding '123' to the end of a weak password isn't doing a whole lot to improve its security, many people tend to think that the paranoia levels are running too high. Users reckon that while the hackers might try to guess a short, simple password, they won't bother with any different variations. Everybody is free to believe in whatever they want, but there's little point in arguing when you see an example proving that one opinion is wrong and the other isn't. Last week, researchers from Wordfense described one such example.

Hackers are compromising websites on a large scale

There's a wide-reaching brute-force attack aimed at WordPress admin accounts. WordPress, in case you don't know, is by far the most popular Content Management System (CMS), and according to W3Techs, it's used by almost a third of all websites.

The targets are plentiful and compromising them can give hackers quite a few options. By breaking into a website's admin panel, they can do anything from altering the published content and defacing the entire website, to stealing data, using the website to host malware, or hijacking visitors' hardware resources to mine cryptocurrency. More than 20,000 WordPress installations have already been compromised, but the hackers are not using them for any of the aforementioned activities. For now, they appear to be doing nothing more than adding more and more WordPress websites to what is already a pretty substantial botnet.

A simple but effective modus operandi

The group responsible for this attack has already managed to wreak some considerable havoc, and by the looks of things, there's nothing to slow them down for now. That said, they don't seem to be using the most sophisticated techniques out there.

Wordfense's experts had little trouble finding out how the whole infrastructure is laid out, for example. There are four Command & Control (C&C) servers hosted by a couple of providers which allegedly have a very relaxed attitude towards abuse cases. When they tried to access the C&Cs, the researchers were presented with a login form, but they quickly realized that bypassing it is easy and they managed to get a lot of information about the whole operation. The attackers use 14,000 proxy servers to send brute-force scripts and lists of target domains to websites that are already infected. The brute-force attempts are aimed at WordPress' XML-RPC interface which is pretty traditional. Not exactly a ground-breaking effort, it must be said. The mechanism itself, however, is interesting.

As we established in the first paragraph, people, and this includes website administrators, use simple patterns in an attempt to enhance the security of their passwords, and hackers know this. They know that if the domain is example.com, the password that unlocks its admin panel might be "example". They know that it could also be "example1" or "example123". They know that if Bob's username is "Bob", his password might be something along the lines of "Bob2018". The brute-force mechanism in this particular attack comes with a dynamic wordlist that creates all these variations which are later tested against the targeted domains. Once again, we're not talking about something especially sophisticated, but on a scale as large as this one, it's proving to be rather effective.

When Wordfense's researchers published their blog post, the C&Cs and the infected websites were still online, but they noted that they're working with law enforcement to fix the issue. In other words, website administrators the world over are at risk and should take the necessary precautions to ensure that their websites don't fall in the attackers' hands.

Protecting WordPress websites from brute-force attacks

There are many things you can do to make a WordPress website more secure. Updating the installation to the latest available version, for example, is a very good idea. Enforcing a limit on the number of failed login attempts or allowing access to the admin panel from specific IPs only would also help. If you set up a two-factor authentication system, the correct password won't be enough, and because the XML-RPC protocol is targeted so often, some experts even say that unless you really need it, you should disable it.

Before you consider any of these steps, however, you must think about your password. If it's short, it needs to be changed. If it's easy to guess, it needs to be changed. If it's been used anywhere else, it needs to be changed. Hopefully, by now you've realized that adding "123" to the end is not good enough.

Having a dedicated password management tool like the Cyclonis Password Manager really is the way to go if you want to create and store long, unique passwords quickly and easily. To learn more about it click here.

December 13, 2018