WordPress Sites Take Brute Force Battering

carphone warehouse

WordPress says security firms are hyping tales of attacks

A botnet is battering WordPress sites with brute force attacks, but the CMS and blog provider says the issue is being blown out of proportion by security vendors wanting to promote their wares.

Various hosting providers and security companies have warned about the attacks over the last few days,  and it’s believed a botnet of over 90,000 bots is being used to guess passwords to WordPress, and some Joomla, websites.

WordPress is a prime target for hackers, largely because of its popularity. Often WordPress sites are hacked to serve up malicious content, so when people visit they get infected. This could rope them into a botnet and open their systems up for data theft.

WordPress battling brute force

The latest attack has been ongoing for at least a week, with HostGator, a major US hosting company, warning that little could be done to protect customers, especially those with servers running high numbers of WordPress installations.Wordpress Landscape

“We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done,” it wrote on Thursday.

Melbourne Server Hosting, part of UK cloud computing company iomart Group, warned of the denial of service threat that came with the botnet strikes, noting it could “render your sites slow and in some cases, completely exhaust the resources available to your services causing a system crash”.

TechWeekEurope runs on WordPress and has not seen any slowdown, nor any breach.

Creator of WordPress, Matt Mullenweg, issued a curt response to the warnings, saying much of the fuss was being made by companies who “sell ‘solutions’ to the problem”.

Those companies included CloudFlare, which recently took some flak for allegedly overstating the threat to the global Internet of a 300Gbps DDoS on a single firm. This time it claimed to have patched the Internet in “real-time”, saying its free service would protect sites against these attacks.

Another company, Sucuri, chose to point out the “coincidence” that it had just released a product designed to repel brute force attacks.

“Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords,” Mullenweg said.

Mullenweg recommended using stronger passwords, turning on two-factor authentication, and ensuring the latest version of WordPress is being used.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem. Most other advice isn’t great – supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great,” he added.

What do you know about Internet security? Find out with our quiz!