I have another site totally unrelated to my WordPress blog. Today I received this notice:
Since yesterday morning, Lunarpages’ internal monitoring systems reported that WordPress users were subject to an unusually high number of attacks. Brute force attacks occur through exploited accounts at other hosting companies. The attacks are attempts to find users that have weak passwords and outdated installations. Once the attacker has found a WordPress account with a weak password, it’s used to gain access to the administration panel. Outdated versions of WordPress scripts are exploited and used to attack other hosting companies. Lunarpages has implemented additional security tools and is carefully monitoring traffic. However, the best form of protection against these attacks begins at the customer level. A tutorial for securing your WordPress is posted at http://www.lpwebhosting.com/blog/bulletproofing-your-wordpress-site-against-a-brute-force-attack.
This particular attack is focused on WordPress users. It’s important to note that the attacks could just as easily be focused on any application. The reports are not limited to our network. Reports from all of the major hosting companies confirm that this is a wide spread situation.
Please feel free to contact us with any concerns or issues you might have.
Lunarpages Administration Team
I’m going to do a little reading about what’s happening and will update this if I find anything that might be useful to anyone.
Update: My reading was pretty quick and cursory, so anyone with more information please add it in the comments.
First – for those of you who are WordPress.com users and have your blog hosted by WordPress, as this one is, there’s not much for you to do.
For those of you who don’t know what a botnet is, it’s a group of computers used in concert to perform a single task. There are legitimate uses for botnets, but what we’re concerned about here is illegal botnets.
It seems that a group of computers is searching for sites that have WordPress software installed. This is different from, but similar to, the WordPress.com site that I’m using right now. A person or company maintaining its own site can install WordPress software. WordPress is the most common blogging software (I think) and is installed on a large number of computers that serve up webpages, or web servers.
Computers are searching for sites that have WordPress installed. They attempt to login as the administrator by trying common passwords. Here is a list. (Yes, Sis, Pa$$word is a really, really bad password.) One they have access to the administrator account, a “backdoor” is installed. The backdoor is a bit of software that will allow them access to the account at a future date.
Right now, they don’t know how this backdoor will be used. The speculation is that the servers will be used for a more serious attack against an unknown target in the future, like the one against major financial institutions in 2012. Servers with WordPress installed are appealing targets, not because there’s any problem with the WordPress software itself, but because it’s widespread and popular and servers have access to wide bandwidth.
The two main sources I looked at were:
This is mainly a concern for people maintaining their own sites. However, it’s a generally good idea to have strong passwords and to change them regularly.
A week or two ago, WordPress added an extra layer of security for its users.
Also, Matt Mullenweg put up a post addressing the subject.