How to Avoid Being Hit by the WordPress Attack
An ongoing brute-force attack on WordPress-based websites has compromised more than 90,000 blogs, but there are simple ways to make sure your blog won't be next to fall.
Brute-force attacks, as their name would suggest, are among the least sophisticated attacks around: an automated script submits lists of common usernames and passwords to a login page, over and over, until one combination happens to work.
Given how many websites and blogs have fallen victim to the WordPress attack, the Menifee, Calif., security firm Sucuri wanted to find just how many brute-force attacks against the WordPress platform occurred on a daily basis, and how effective they were.
The bad news is that such attacks happen to WordPress blogs tens of thousands of times per day; the good news is that stopping them cold is simplicity itself.
Sucuri examined the data logs from its own WordPress blog and discovered that between December 2012 and April 2013, hackers had launched almost 5 million brute-force attacks.
Until they investigated, Sucuri's security experts had not even noticed these attempted intrusions.
The attempted hacks used very predictable patterns. To log into protected accounts, the hackers tried five usernames in overwhelming numbers: "admin," "test," "administrator," "Admin" and "root."
Tens of thousands of password attempts involved commonly used passwords like "admin," "qwerty," "123456" and "password."
The experts also investigated where the attacks came from, and discovered 30 IP addresses that stood out above the rest.
If you run a website that is being bombarded with login attempts, compare your own logs against that list. Drawing attention to the addresses the attacks come from is the first step toward getting them taken down.
The 90,000 WordPress blogs that were hacked and roped into the attacking botnet generally had easy-to-guess usernames or passwords, and their takeovers most likely could have been prevented with less predictable credentials.
If you use common usernames or passwords for your WordPress login, or for any other account, simply changing them to something uncommon defeats the vast majority of these attacks, which do nothing more than replay lists of popular credentials. A long, unique password that appears on no such list makes online guessing impractical.
One interesting bit of data that Sucuri gathered involved "common" passwords that didn't appear to be common at all.
The attackers made thousands of brute-force attempts with passwords such as "#@F#GBH$R^JNEBSRVWRVW" and "RGA%BT%HBSERGAEEAHAEH." These strings of letters and symbols do not appear to have any kind of pattern, yet are too consistent and repetitive to be truly random.
Both the Sucuri experts and the commenters on its blog posting were stumped, and feared that brute-force hackers might know something they don't.
Our own efforts to discover the origin of these supposedly common passwords came up dry. After converting the strings to their raw byte values, we tried reinterpreting them under other character encodings, in case the passwords spelled something in a non-Latin alphabet. Nothing recognizable came up.
Although brute-force attacks are as pervasive as Sucuri suspected, they are also very easy to avoid. If you're going to get hacked, at least make sure that the attacker has to put some effort into it.