The WordPress Brute Force Attack and Lightning Base
There is a lot of discussion around the internet about an ongoing brute force attack targeting WordPress powered sites. We’ve started to get support requests from customers asking about this, so I’m going to take a look here at what is happening, what you can do, and what Lightning Base is doing about it.
What is Happening?
WordPress sites of all kinds are seeing large amounts of traffic trying to log in at wp-login.php. This is what we refer to as a brute-force attack: rather than using some clever trick to compromise your site, the attacker simply submits a giant list of passwords and hopes that one of them works.
The attack uses thousands of IPs and is almost certainly the product of a botnet, most likely of compromised desktop machines. Spreading the attack over a large network makes it harder to block (we can't just drop a few IPs in the firewall) and lets the attacker generate a tremendous amount of volume.
It appears that sites are being targeted largely at random. There are a variety of ways that the Internet can be scanned for WordPress installations, and I would guess the attack is using a system to automatically scan for WP installations, and then roll through each URL to attempt a compromise. More popular sites seem to more frequently be targets, which could be intentional, or might just be a byproduct of how the sites are being found.
One of the primary ways the attack was noticed was that some hosts started seeing downtime due to high load. When the attack hammers hard enough at a site, servers without enough excess capacity get bogged down or even become inaccessible. Lightning Base has not seen any downtime related to this attack, which is likely due to the headroom on our servers and our pre-existing brute force protection.
The Lightning Base Response
Brute force attacks against WP are nothing new; Lightning Base has always had some basic protection against them. Historically, however, the attacks have been far smaller than what we are seeing now.
In order to provide further protection, we have tweaked our brute force rules to be considerably more aggressive. This may result in a legitimate user being blocked from logging in to a site. These blocks are temporary. You can avoid them by typing your password carefully and not visiting the wp-login.php page excessively. If you do get blocked, come back an hour or so later, and contact support if you still can't get in.
Also, just to note: if an IP is blocked on one site, it is blocked from logging in to every site on that server. The attempt count is shared across sites, so if you have multiple sites on the same server you are at higher risk of accidentally being blocked when rapidly logging in to several of them. This is helpful, however, because an attacker cannot stay under the limit by spreading guesses across many sites, which gives substantially better protection.
We will continue tweaking our rules as we learn more about the attack.
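To make the kind of rule described above concrete, here is an added example of the logic a login rate limiter can apply when replaying web server logs. It was written for this post and is not Lightning Base's actual rule set. It assumes a hypothetical log layout (the virtual host name followed by the standard Apache/nginx combined format), uses constructed sample lines, and the threshold, window and block length are illustrative values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log layout: the virtual host name followed by the standard
# Apache/nginx "combined" format.  Real hosting logs may differ.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic: one IP guessing across two sites, one user who
# fails twice and then succeeds, and one visitor who only loads the login form.
SAMPLE_LOG = """\
siteA.example 203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
siteA.example 203.0.113.5 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
siteB.example 203.0.113.5 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
siteA.example 198.51.100.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
siteC.example 192.0.2.9 - - [12/Apr/2013:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
siteB.example 203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
siteA.example 198.51.100.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
siteB.example 203.0.113.5 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
siteA.example 198.51.100.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
siteA.example 203.0.113.5 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3345 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Pull out the fields the rule needs; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


class LoginGuard:
    """Counts failed wp-login.php POSTs per source IP across every site on the server.

    WordPress re-renders wp-login.php with HTTP 200 when a login fails and answers
    a successful login with a 302 redirect to the dashboard, so a POST that gets a
    200 is treated as a failed guess.  Keying the counter on the IP alone (not on
    IP plus site) is what makes a block on one site apply to all of them.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 block_for=timedelta(hours=1)):
        self.threshold = threshold          # failures allowed inside the window
        self.window = window
        self.block_for = block_for          # blocks are temporary, as in the post
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> when its block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]      # an expired block is lifted automatically
            return False
        return True

    def failure_count(self, ip):
        return len(self.failures[ip])

    def observe(self, rec):
        """Apply the rule to one parsed request and return a verdict string."""
        if rec["method"] != "POST" or rec["path"].split("?")[0] != "/wp-login.php":
            return "ignore"                 # only login attempts are rate limited
        ip, now = rec["ip"], rec["ts"]
        if self.is_blocked(ip, now):
            return "reject"                 # blocked IP: never reaches WordPress
        if rec["status"] == 302:
            return "success"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.threshold:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return "blocked"
        return "failure"


def analyze(log_text, guard=None):
    """Replay log lines through the guard; returns the guard and per-request verdicts."""
    guard = guard or LoginGuard()
    verdicts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            verdicts.append((rec["ip"], rec["vhost"], guard.observe(rec)))
    return guard, verdicts


if __name__ == "__main__":
    guard, verdicts = analyze(SAMPLE_LOG)
    for ip, vhost, verdict in verdicts:
        print(f"{ip:14} {vhost:14} {verdict}")
    for ip, until in guard.blocked_until.items():
        print(f"blocked {ip} until {until.isoformat()} on every site on this server")
```

In the sample, 203.0.113.5 spreads its guesses over siteA and siteB but still trips the server-wide threshold on its fifth failure, while the legitimate user at 198.51.100.7 (two typos, then a 302 on success) is never blocked. Treating a 200 response as a failure is a heuristic; a rule that reads the WordPress authentication result directly is more precise but needs a plugin rather than a log-based filter.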
The Reality of a Brute Force (Strong Passwords Win)
The interesting thing about a brute force attack like this is that it should not work. If you use a password that is 8 or more characters long and mixes upper and lower case letters, numbers, and symbols, the number of possible combinations is in the quadrillions (95 printable characters to the 8th power is about 6.6 quadrillion). To have even a slim chance of hitting it, trillions of guesses would be required.
Our servers might be fast, but they aren't fast enough to serve trillions of login attempts, even if we wanted them to (and remember, that would still give only a slim chance of getting in). Add in the protections we have put in place, and an attacker would be unlikely to get more than a few thousand guesses through, even with many IPs.
The problem is that many users use terrible passwords. The attack is almost certainly not guessing random combinations; it most likely works through a list of words, acronyms, and other common strings, perhaps with a few numbers or symbols appended. That can knock the number of guesses required down to the thousands, which gives the attacker a real shot at any account whose password is not random.
Moral of the story: a few letters or a word combined with a number is not secure at all. A random combination of characters is incredibly secure.
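The arithmetic behind that argument, worked through as an added example (not part of the original post). The guess budget of a few thousand attempts and the rate of 1,000 guesses per second are assumptions for illustration; the 20,000-word list with a two-digit suffix is one plausible model of the "word plus a number" pattern, not a measurement of the actual attack.

```python
import math
import secrets
import string

# 94 printable ASCII characters excluding space: 52 letters, 10 digits, 32 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def dictionary_keyspace(words, digit_suffix_len):
    """Size of the 'word plus a few digits' pattern, e.g. 20,000 common words
    followed by 00-99.  An assumed model of weak passwords, not measured data."""
    return words * 10 ** digit_suffix_len


def entropy_bits(space):
    """Bits of entropy of a password chosen uniformly from `space` candidates."""
    return math.log2(space)


def success_probability(space, guesses):
    """Chance that `guesses` attempts hit a password chosen uniformly from `space`."""
    return min(1.0, guesses / space)


def seconds_to_exhaust(space, guesses_per_second):
    """Time to try every candidate at a sustained guess rate."""
    return space / guesses_per_second


def compare(guess_budget=5000, guesses_per_second=1000):
    """Worked comparison of the two password styles under the same attacker budget.

    guess_budget models the few thousand attempts the post says get through the
    rate limiting; guesses_per_second models an attacker with no limiting at all.
    """
    scenarios = {
        "random_8_chars": keyspace(len(FULL_ALPHABET), 8),
        "word_plus_2_digits": dictionary_keyspace(20_000, 2),
    }
    seconds_per_year = 365.25 * 24 * 3600
    return {
        name: {
            "bits": round(entropy_bits(space), 1),
            "p_success": success_probability(space, guess_budget),
            "years_to_exhaust": seconds_to_exhaust(space, guesses_per_second) / seconds_per_year,
        }
        for name, space in scenarios.items()
    }


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Random password from the OS CSPRNG; 16 symbols from 94 is about 105 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20} {result['bits']:6.1f} bits  "
              f"P(hit in 5000 guesses)={result['p_success']:.2e}  "
              f"exhaust at 1000/s: {result['years_to_exhaust']:.3g} years")
    print("example random password:", generate_password())
```

With a budget of 5,000 guesses, the word-plus-digits pattern falls with probability 1 in 400 per account, and an unthrottled attacker exhausts it in about half an hour; the 8-character random password has a hit probability below one in a trillion and would take on the order of 200,000 years to exhaust at the same rate. That gap is what the rate limiting above relies on, and why the password, not the filter, is the real defense.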
What You Can Do
In order to avoid being compromised by a brute force attack, the first thing you should do is make sure you have a strong password. To do this, log in to your WordPress dashboard, then in the menu click Users -> Your Profile. Near the bottom of the page there is a password change box, which includes a handy password strength indicator. Choose a password that maxes out that bar.
That should make you very safe. Add in our brute force protection and you probably have nothing to worry about.
There are also a large number of plugins dealing with security. You are free to run almost any of these on our system. I don't believe any are necessary, however, given what we have seen.
And just to reiterate: use a strong password.
If you have any questions about what is going on, or particular concerns about your site, please open a support ticket (https://secure.lightningbase.com/submitticket.php) and we will be happy to help out.