Major WordPress Exploit: Attack Affects Millions of Sites

The widely used publishing platform faced one of its toughest attacks to date. Hackers hit numerous WordPress-based sites using what is being called "brute-force."

If your association, or even your personal blog, uses WordPress, you’ll want to read this.

Last week, reports surfaced of a massive attack on sites using the popular platform, which accounts for 18 percent of all websites currently on the internet. The attacks, referred to as brute-force attacks due to their persistent style, appear to be focused on setting up a large-scale botnet utilizing compromised sites for a wider-scale usage. (The Joomla platform is also reported to be under attack.)

The WordPress exploit has been going on for a number of days, and security researchers are not sure when it will end.

What you can do:

Change your password. The most important piece of advice for WordPress users is to stiffen their passwords. As the current attack is reported to be using a dictionary attack spread out over thousands of IP addresses (HostGator put the number at about 90,000 on Friday), the attackers have the potential of finding a weak password to a WordPress installation quickly. A good password includes a password length of eight characters or longer, uppercase and lowercase letters, along with numbers and symbols.

Replace your “admin” account. While WordPress accounts are required to have an administrator account, the main vector being used in the current attack is based around the fact that most WordPress installations default to using an account literally called “admin,” giving attackers a single point of pressure to focus on. (Other account names being targeted include “test,” “administrator,” and “root,” according to InformationWeek.) The creator of the platform, Matt Mullenweg, says the best policy to keep yourself safe is to replace your “admin” account with an account using another name, in an effort to make it harder to target. The Digital K Blog explains how. If you’d like to try a more technical approach, Melbourne Server Hosting offers suggestions that involve changing some root files.

Use a cloud-protection service. If you’re using a self-hosted version of the WordPress software, especially on a smaller host, it may prove fruitful to add a firewall to your installation to block off the extra traffic you might receive from such an attack. The Cloudflare service, which was one of the first to report the attack, offers functionality designed to protect end users from such brute-force attacks. “Because CloudFlare sits in front of a significant portion of web requests we have the opportunity to, literally, patch internet vulnerabilities in realtime,” the company explains. While the service has pay options with more features, they do have a free version available to many customers.

Go two-factor. With the help of a cellphone, you can keep your login information safe from attackers by adding an extra layer of protection. The style of password protection is growing in popularity, with many services offering it (though Twitter is a notable exception). While WordPress only offers two-step authentication for its hosted service, you can add it to your site with the help of Duo Security’s Duo Push product.

This isn’t the first time WordPress sites have been targeted. A popular WordPress plugin, TimThumb, was used as an attack vector for a botnet attack that targeted a number of banks last year.


Ernie Smith

By Ernie Smith

Ernie Smith is a former senior editor for Associations Now. MORE

Got an article tip for us? Contact us and let us know!