WordPress Sites Under Attack By Hackers, Admin User Names At Risk
April 15, 2013

WordPress Sites Under Attack By Hackers, Admin User Names At Risk

Michael Harper for redOrbit.com — Your Universe Online

Hackers began targeting WordPress sites last week in a supposed attempt to gain access to host servers rather than the actual sites themselves. This attack acts as further proof that default logins are incredibly unsafe.

The botnet being used to lodge the attack against WordPress sites is targeting accounts with the username “admin” and is trying common passwords to break into the accounts. According to Internet traffic watcher CloudFare, the botnet is “relatively weak” with only “tens of thousands” of home PCs enlisted.

WordPress´ Founder Matt Mullenweg has acknowledged the ongoing attack on his blog and says the easiest solution is to simply protect the site with a new username and strong password.

“Here´s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you´re on WP.com turn on two-factor authentication, and of course make sure you´re up-to-date on the latest version of WordPress,” wrote Mullenweg.

WordPress gave users the option to pick a custom username a few years ago when they released version 3.0. According to Mullenweg, many users never bothered to change their name and left it stagnant at “Admin.” The attackers likely caught on and began looking to pick off easy targets.

WordPress also just recently began offering a two-step authentication log-in option which would also help protect a site against being overtaken by this weak botnet and others. Mullenweg said changing the username and password as well as turning on two-step authentication will put users “ ahead of [99 percent] of sites out there and probably never have a problem.”

The botnet may be weak, but the attack is substantial. According to W3Techs.com, WordPress powers nearly 17 percent of all websites on the web.

CloudFare said the botnet used in this attack is taking a somewhat lazy approach to break into websites. Once the user´s account is compromised, however, the botnet attempts to hack into the server with the end goal of becoming a stronger botnet. At present, the network of computers is comprised of home PCs and is therefore not capable of handling large amounts of traffic. The botnet is using a brute force attack, targeting “admin” usernames, then pumping dictionary passwords into the site until they find the right one. Once enough servers have been hacked into, the botnet could be able to launch stronger distributed denial-of-service (DDoS) attacks against larger networks.

Though Mullenweg says that simply changing the username and password to an account will make an account all but immune, some companies are offering extra protection. These companies are offering plugins which offer firewalls to block out bots as well limit how many login attempts can be used to gain access to the site.

Attacks such as these are occurring with increasing regularity even though the best protection against them is quite elementary. Choosing a strong password is the easiest way to thwart would-be attackers. Many companies are also beginning to offer two-step authentication to their users. This process makes it even more difficult for attackers to gain access to your account.

A group of unnamed “researchers” revealed last month that the web is a very unsecured place. They reported that an estimated 1.2 million Internet-connected printers, routers and webcams are only protected by default passwords. Though these devices may not seem as important as computers and networks, this research proves many people have a lax attitude towards security.