Marked jump in brute force attacks against WordPress sites

djbaxter

Administrator
Joined
Nov 10, 2016
Messages
1,916
Points
113
If you haven't done a security audit on your WordPress sites recently, do it now!

Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC
by Mark Maunder, Wordfence
December 18, 2017

A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour.

The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012.

The campaign continues to ramp up in volume during the past hour as we publish this post. A graph of the attack volumes is shown below which shows the number of attacks per hour and the number of attacking IPs that we see each hour.
[Figure: massive-brute-force-attack-Dec18.png, attacks per hour and attacking IPs per hour]
Our infrastructure automatically blacklisted the participating IPs in real-time and distributed those to our Premium customers. This all happened unattended early this morning. We continue to monitor the campaign and are analyzing its origin and who is behind it.

What we know at this time:
  • The attack has so far peaked at 14.1 million attacks per hour.
  • The total number of IPs involved at this time is over 10,000.
  • We are seeing up to 190,000 WordPress sites targeted per hour.
  • This is the most aggressive campaign we have ever seen by hourly attack volume.

Gin

Member
Joined
Aug 17, 2017
Messages
74
Points
18
oh wow! now that's skeery. I wonder if it's specific type of sites or national security issues. :eek: I do my best to lock down my site but just learned maybe, I can do better.
 

djbaxter

Administrator
Joined
Nov 10, 2016
Messages
1,916
Points
113
oh wow! now that's skeery. I wonder if it's specific type of sites or national security issues. :eek: I do my best to lock down my site but just learned maybe, I can do better.
No, WordPress sites have always been considered easy targets because so many people set them up and just leave them for years, with weak passwords, outdated themes and plugins, and plugins or WordPress core versions with known and long-since fixed security vulnerabilities.

I own a few WordPress sites myself and monitor several others. They are all well protected but I see numerous brute force attempts on them every week. On top of that, I monitor my own server and see numerous brute force attempts on the server itself every day.

It's a jungle out there and hacking sites is not just done by kids for fun these days. There is money to be made if they are successful. They are seeking specific sites from which they can launch botnets as well as passwords and financial information.
 

azgold

MVP
Joined
Nov 6, 2014
Messages
756
Points
63
I read about this and I agree with @Gin that it's scary, especially for someone like me who has limited tech knowledge. I've no idea really, as to whether or not I've ever been hacked, they've ever tried, or how I would stop them.
 

Edvin

MVP
Joined
Oct 2, 2017
Messages
328
Points
63
...I've no idea really, as to whether or not I've ever been hacked, they've ever tried, or how I would stop them.
As much as we like WordPress for all its glory, we need to pay for third-party tools to help us secure it. The truth is that larger enterprises implement such services (internally or pay externally) to ensure the security of their customers.

I installed the free version of the Sucuri plugin, and received email notifications for admin login attempts.
So, I removed admin and changed my WP login to "edvin", and shortly after I started getting email notifications for "edvin" login attempts. I suspect that the attackers/software use tools like whois.domaintools.com to identify the domain owner for a login name.

So, my admin login is something else right now.
The paid version of Sucuri does more; for example, it does file integrity check against known good sources.

While working with an ISP, I came across CloudFlare, which will sit in front of all your web traffic; thus, can automatically detect and block attacks like above.

If you do absolutely nothing, I strongly suggest that you remove/lock/change the "Admin" username to a non-standard login (e.g. MyBizNameIT), and that your password is NOT a single dictionary word.
 

djbaxter

Administrator
Joined
Nov 10, 2016
Messages
1,916
Points
113
I use the Wordfence plugin on all my WordPress sites. It will automatically block hack attempts after X attempts in Y minutes (in my case, I have X and Y set to a small number, smaller than the defaults) and then they are blocked for a period of time (larger than the default).

It also blocks known malicious IPs automatically before they even try to hack your site.

And I have it send me emails about attempts to log in, successful or not, including my own logins or those of the clients who own the site. Then once a week it sends me summaries of all hack attempts and I block those IPs with larger numbers of attempts or those with malicious scans or attempts at uploading malicious files at the server level as a further barrier.

In case you missed it, the thread starter article was written by a Wordfence employee.

Quite honestly, I would not create a WordPress site that did not include the Wordfence plugin and I would not host a WordPress site on my server that did not have the Wordfence plugin installed and active.
 
