If you manage or own a website on a content management system (CMS), you know that invalid login attempts are an everyday occurrence. We see literally thousands of invalid login attempts from dozens of different IP addresses in the course of any given day. This is considered normal. However, hosting providers worldwide are reporting that they are seeing a systematic, well-organized attack. The attacks on content management systems are well above average and oftentimes at catastrophic levels.
This attack started on or about April 8th, but the hackers became extremely aggressive overnight on April 12th. They have already shut down tens of thousands of servers running WordPress. They have also affected the performance of many other servers. The attack started with WordPress installations; according to Sophos EndUser Protection (a major player in the web security industry), Joomla and Drupal websites are now also getting hit.
The attack began with a botnet made up of at least 90,000 hacked home-based computers. This is not a "brute force" attack like we see every day. This onslaught is using what is known as a "dictionary" attack, in which the hacker uses a list of the most likely usernames and possible passwords and tries those in very quick succession. Even when the attack fails, the load that attacks on multiple websites put on a server can cause it to crash.
The early indications are that hackers are installing malicious scripts in the content management systems that have been compromised. These malicious scripts turn the infected website into an attacker that hacks other websites. This is the reason this attack is going viral. According to Matthew Prince, the chief executive of web hosting company CloudFlare, these hackers are causing much more damage because the infected servers have large network connections and are capable of generating significant amounts of traffic for the attackers.
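A defender's check for the pattern described above, added here as an example and not part of the original post. It parses constructed Apache access-log lines (sample data, not real traffic), flags any single IP hammering wp-login.php, and, because a botnet of tens of thousands of hosts may send only an attempt or two per host, also counts distinct IPs hitting the login form per minute; the thresholds, the 60 s window and the sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW = timedelta(seconds=60)   # assumed detection window

# Constructed sample traffic (not a real log): one host hammering the login form,
# plus seven scattered hosts sending a single attempt each inside the same minute.
SAMPLE_LOG = [f'203.0.113.10 - - [12/Apr/2013:03:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3650'
              for s in range(0, 12, 2)] + \
             [f'198.51.100.{n} - - [12/Apr/2013:03:00:{30 + n} +0000] "POST /wp-login.php HTTP/1.1" 200 3650'
              for n in range(1, 8)] + \
             ['192.0.2.7 - - [12/Apr/2013:03:00:45 +0000] "GET /index.php HTTP/1.1" 200 9120']

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def login_attempts(lines):
    """(ip, timestamp) for every POST to wp-login.php, in time order."""
    hits = [p for p in map(parse_line, lines) if p and p[2] == "POST" and p[3].startswith("/wp-login.php")]
    return sorted(((p[0], p[1]) for p in hits), key=lambda x: x[1])

def per_ip_bursts(attempts, max_per_window=5):
    """IPs that send more than max_per_window login POSTs inside any single WINDOW."""
    by_ip = defaultdict(list)
    for ip, ts in attempts:
        by_ip[ip].append(ts)  # lists stay time-ordered because attempts is sorted
    # max_per_window + 1 consecutive attempts inside WINDOW means the limit was exceeded.
    return {ip for ip, t in by_ip.items()
            if any(t[i] - t[i - max_per_window] <= WINDOW for i in range(max_per_window, len(t)))}

def distributed_campaign(attempts, min_ips=5):
    """Peak number of distinct IPs posting to wp-login.php within one WINDOW, and whether it
    reaches min_ips: the aggregate view that catches a botnet spreading a few tries per host."""
    active, start, peak = Counter(), 0, 0
    for ip, ts in attempts:
        active[ip] += 1
        while ts - attempts[start][1] > WINDOW:   # slide the window's left edge forward
            active.subtract([attempts[start][0]])
            start += 1
        peak = max(peak, len(+active))            # +active keeps only positive counts
    return peak, peak >= min_ips
```

A per-IP limit alone flags only 203.0.113.10 in the sample, while the distinct-IP count shows eight hosts sharing one minute, which is the signature of the distributed dictionary attack rather than everyday noise.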
If you have not already done so, we strongly recommend you take the following steps to protect your WordPress installation:
- Make sure your WordPress installation and all of your installed plugins are updated
- Make sure your administrator’s password is secure
- If you have a user account with the username “admin”, create a new administrator account with a different username and remove that old “admin” account
- Install the security plugin WP Better Security
- Other ways of securing a WordPress website can be found here: https://codex.WordPress.org/Hardening_WordPress
These additional steps can be taken to further secure WordPress websites:
- Remove README and license files. This is very important since these files expose version information
- Prevent reading of the .htaccess file
- Limit access to wp-admin.php and wp-login.php to your IP address
- Move wp-config.php up one directory and change its permissions to 400
We will continue to monitor this attack and we will post updates as more information becomes available.