Security vendor Wordfence has published a blog blaming Ukrainian hackers for the problems many WordPress users are suffering this month. Starting on November 24th, Wordfence saw a significant rise in brute force attacks against WordPress sites. These attacks are designed to guess username and passwords in order to sign into WordPress websites. UK-based hosting company Astutium have reportedly seen some of those attacks against WordPress installations that no longer exist. This suggests that the hackers are using an old list of WordPress sites.
Attacks more than doubled over last three weeks
Brute force attacks are nothing new and require little hacking skills other than access to the Internet. The majority are aimed at the default Admin account and try large dictionary attacks to find the password. Some target individual user accounts and are often reuse stolen credentials located on the Internet.
In mid October Wordfence were seeing around 7 million attacks per day spread across 350,000 WordPress sites. By the end of November the number of attacks peaked at over 23 million which were targeting 700,000 WordPress site. While the total number of attacks has since fallen back to just over 16 million the number of sites being attacked shows little sign of falling away. This suggests that WordPress owners can expect to see a sustained set of attacks, at least for the time being.
An increase in the number of unique IP addresses
This increase in attacks has also seen an increase in the number of unique IP addresses being used. It has risen from around 7,500 in mid October to over 31,000 by mid December. This rise in attacks is likely to be as a result of sites being compromised and then used to launch more attacks. This is a double hit for compromised sites. Not only are they under attack but if they are then being used to launch more attacks they could be taken offline by their hosting provider.
Wordfence says that the vast majority of the attacks originate from just 8 IP address inside Ukraine. All of them belong to a hosting company called Pp Sks-lugan. They are launching up to 250,000 login attempts per day.
The rise in attacks over the last few weeks also comes at a time when Ukraine is under fire for facilitating rather than preventing cyber attacks. A Ukraine-based cyber group was the target of Operation Avalanche. It was the culmination of years of work by Interpol and multiple countries. Unfortunately the ring leader was released by a Ukrainian court who ruled they could not be extradited. Security researchers believe that he will quickly establish a replacement network using many of the machines previously infected. It could be that the increase in attacks over the last few weeks is part of that process.
Who is under attack?
Anyone with a WordPress account. The list of ISPs who are suffering the most shows that the majority of attacks are against the big players. This is no surprise as they host large numbers of WordPress sites and have no control over the way customers run them.
This raises an important question. Should ISPs contact customers who are being attacked and provide them with some basic security advice? Astutium, a London-based ISP has already informed some customers that they are under attack and recommended they check security settings. Other ISPs such as GoDaddy have made no such attempt to contact their customers. They are not alone.
One of the biggest hosting companies in the US is Endurance International Group (EIG). They own BlueDomino, HostGator, HyperMart and over 70 other hosting companies and have failed to warn customers of these attacks. This is one area where the industry needs to not only do better but also co-ordinate its security advice.
What can you do?
WordPress has issued advice to customers on how to protect WordPress sites from brute force attacks. It is all about good basic security hygiene. Don’t use the Admin account. Use strong passwords. Change passwords regularly. Password protect key files.
User can also install plug-ins from a number of companies to protect against attacks.
Conclusion
The recent rise in unsophisticated brute force attacks on WordPress sites shows no sign of abating. While users have to take responsibility for securing their own sites, ISPs also need to do more. They should be warning customers of attacks and recommending how to solve them. They also need to be more responsive in blocking IP addresses from which the attacks are coming.
