WordPress Sites Take Brute Force Battering

A botnet is battering WordPress sites with brute force attacks, but the CMS and blog provider says the issue is being blown out of proportion by security vendors wanting to promote their wares.

Various hosting providers and security companies have warned about the attacks over the last few days,  and it’s believed a botnet of over 90,000 bots is being used to guess passwords to WordPress, and some Joomla, websites.

WordPress is a prime target for hackers, largely because of its popularity. Often WordPress sites are hacked to serve up malicious content, so when people visit they get infected. This could rope them into a botnet and open their systems up for data theft.

WordPress battling brute force

The latest attack has been ongoing for at least a week, with HostGator, a major US hosting company, warning that little could be done to protect customers, especially those with servers running high numbers of WordPress installations.

“We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done,” it wrote on Thursday.

Melbourne Server Hosting, part of UK cloud computing company iomart Group, warned of the denial of service threat that came with the botnet strikes, noting it could “render your sites slow and in some cases, completely exhaust the resources available to your services causing a system crash”.

TechWeekEurope runs on WordPress and has not seen any slowdown, nor any breach.

Creator of WordPress, Matt Mullenweg, issued a curt response to the warnings, saying much of the fuss was being made by companies who “sell ‘solutions’ to the problem”.

Those companies included CloudFlare, which recently took some flak for allegedly overstating the threat to the global Internet of a 300Gbps DDoS on a single firm. This time it claimed to have patched the Internet in “real-time”, saying its free service would protect sites against these attacks.

Another company, Sucuri, chose to point out the “coincidence” that it had just released a product designed to repel brute force attacks.

“Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords,” Mullenweg said.

Mullenweg recommended using stronger passwords, turning on two-factor authentication, and ensuring the latest version of WordPress is being used.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem. Most other advice isn’t great – supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great,” he added.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

Recent Posts

Three UK Investigates After Outage Impacted Some 999 Calls

Thursday outage of Three UK network impacts thousands of people, with operator confirming some 999…

1 day ago

CMA Secures Google Commitment To Tackle Fake Reviews

British competition watchdog secures undertaking from Google to tackle fake reviews, as Amazon probe continues

1 day ago

Trump Signs AI ‘Free From Idealogical Bias’ Executive Order

After earlier revoking Biden's AI safety executive order, President Trump signs new executive order to…

1 day ago

OpenAI’s ‘Operator’ Agent Automates Online Tasks

OpenAI launches AI agent called 'Operator' to automatically fill out forms, make restaurant reservations, book…

2 days ago

Pakistan’s Parliament Passes Bill For Strict Control On Social Media

Bill passed to give Pakistani government sweeping controls on social media, but critics argue it…

2 days ago

Indian Tribunal Suspends Meta’s Data Sharing Ban

After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…

2 days ago