What you should know about the ongoing botnet attack against WordPress websites.

Since WordPress is the most popular CMS in the world, there should be no surprise that it is also the most highly targeted from bots / brute force attacks, looking for any and every weakness to exploit. News about these attacks have been circling in the WordPress community and system administrators have reported a giant leap in brute force attempts since April this year.

From the start, there are a few basic things you should absolutely make sure of to prevent the majority of Ground Zero hack attempts on your website.

First:

Do not use the username ‘admin’. Make your administrative account something unique, however, bots are getting smarter, more recent attacks have also attempted logins with usernames parsed from the domain. For example, failed logins for examplesitename.com might include the users “example”, “site”, “name”, “examplesite”, etc. It’s only a matter of time before attackers begin parsing usernnames from post authors as well.

Even if you have what you consider a secure and unique username, you should install an IP blocking plugin, my recommendation is Wordfence. When a botnet finds out you are using WordPress and targets your site, your server is effectively getting DDoS’d – Even if user accounts are never compromised, each attempted login sends a query to MySQL. Sustained brute force attacks will cause your server’s memory usage to spike, potentially taking the server and your website offline. By installing a blocking plugin such as WordFence, you can block the IP the second a “user” logs in with a username that doesn’t exist. 99.9999% of the time, this is the user admin.

Here’s a recent screenshot of the IP’s that have been banned on my site recently.

blocked ips

We blocked 350IPs in the first hour, the returns are diminishing since those bot nets are banned and now on average we block 1IP / hour.


 

Second:

Another helpful plugin to install is Better WP Security.

Better WP Security is an excellent tool for securing WordPress, and it’s especially helpful for obfuscating the login path. It also showcases a very user friendly Dashboard with a color-coded list of potential security threats. Red for high risk, yellow for medium and green for secured items.

wp-security

Better WP Security is a great starting point and can be used in conjunction with WordFence, the primary reason I recommend WordFence is the ability to immediately ban nonexistent users which reduces the server load significantly.

The most recent tactic hackers are using to exploit vulnerable WordPress installations is simply by using Google. If an exploit is found in a theme, one simple Google search will list thousands of websites with that theme installed. It’s a tactic deemed Google Dork . 

It’s a crafted search that exposes websites running a vulnerable theme, plugin or application in the Google search results. A recent example of this is the Ghost theme vulnerability. In the exploit that has been published online, hackers include a Google Dork to find websites running this theme. In the case of Ghost, hackers use the following crafted search to find vulnerable sites:

inurl:wp-content/themes/Ghost/

inurl

As you can see the above search yields about 20,000 results, enough to keep a hacker busy probing sites for quite some time.

How could you combat this if you find out your theme had an exploit? Change the wp-content folder name, wp-content is the biggest give away a site is running WordPress at all.

Better WP Security can do this for you, just make sure to do it upon initial install or all the links to your images and theme content will be broken.

wp-content

 

Besides the ‘admin’ user name, this is arguably the most important thing you can do to harden your site against an attack.

Tags: , ,

Leave a Reply