
Report: Massive Brute Force Attack Targets WordPress Sites


A “massive distributed brute force attack” has hit WordPress sites, using a high volume of IPs, each generating a large number of attacks, with the total cresting at 14.1 million an hour, according to a Wordfence blog post.

The attacks involved more than 10,000 IPs with 190,000 WordPress sites targeted per hour, the blog said earlier this week. In an hour’s time, the number of attacks nearly tripled.

“This is the most aggressive campaign we have seen to date,” Mark Maunder, Wordfence founder and CEO, said in the post. (Note: Wordfence is a security plugin for WordPress.) “The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012.”

Wordfence usually sees an average of around 13,000 unique IPs attacking each day, but as the attacks increased in intensity, it was seeing some 30,000 unique attacking IPs, well above its baseline, Maunder said. The trend began in late November and continued through mid-December.

Brute Force Password Guessing Attacks Explained

Brute force attacks are just that: simple password-guessing assaults in which a machine automatically and repeatedly tries to sign in to a website. Earlier this month, a database containing 1.4 billion hacked credentials (username/password pairs) emerged, said Maunder. About 14 percent of the database, which is searchable and easy to use, apparently consists of unfamiliar credentials.

While brute force attacks targeting WordPress typically haven’t worked very well, the new database offered “fresh credentials” that, if matched with a WordPress username, can bump up the success rate for attackers hitting sites, he said.

In a follow-up blog post, Maunder blamed a single botnet for the attacks. “We believe that a single botnet is behind the attacks,” he said. “We were able to isolate the IP addresses from the botnet and then compare them to the IPs from our most recent site cleaning orders. As luck would have it, we got a couple of hits.”

Multiple Launch Zones

In the middle of the attack, Wordfence discovered that of the 20 countries launching brute force attacks worldwide, Ukraine is the “main culprit,” generating more than 15 percent of all attacks. “That is a lot when you consider that the population of Ukraine is only 45 million people,” Maunder said. Most of the attacks came from eight IP addresses in Ukraine, all belonging to the same organization and on the same network, he said.

“These IPs are using brute force attacks exclusively. They don’t launch any sophisticated attacks. They are hammering away at WordPress sites at a rate of over a quarter million login attempts each, in some cases, during a 24-hour period. When we add up attacks during the past 24 hours and group by the organization that owns the attacking IP address, you can really see the impact that the Ukrainian host is having.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.