This morning, when I opened my e-mail, I got important news from my hosting provider that there is currently a WordPress Global Brute Force Wp-Admin attack going on. I googled it for a while and found that this attack started last week (around April 6, 2013).
When I got this e-mail I just thought, “hmmm, maybe this is the reason why my server was so slow last week when I tried to access it”; maybe it was because of this WordPress Global Brute Force Wp-Admin attack.
Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.
Marc Gaffan of Incapsula says:
“It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs may be connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”
Here’s the report about the WordPress Global Brute Force Wp-Admin attack from HostGator:
As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.
At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).
You have now changed your WordPress password, correct? Good.
The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.
We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
If you are hosted on a VPS or Dedicated server and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this via means such as password-protecting (via .htaccess) all wp-login.php files on the server. If you would like our assistance with this, please contact us via normal support channels.
Again, this is a global issue affecting all web hosts. Any further information we could provide at this moment would be purely speculation. Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.
We will update this blog post when we have further information.
I think this may be the reason if last week (and even now) you could not log in to your WordPress site.
There are several ways to mitigate this WordPress Global Brute Force Wp-Admin attack, such as the tutorial already written by the HostGator team.
If you haven’t applied any security hardening to your WordPress website/blog, it’s better to start right now, because the WordPress team also hasn’t released an update for this case 🙂
Here are simple step-by-step instructions from me to protect your WordPress site from the WordPress Global Brute Force Wp-Admin attack:
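To tell whether login traffic is really what is slowing the site down, look at the web server’s access log instead of guessing. The script below is an added example written for this edit; it is not part of the original post or of HostGator’s advice. It parses Apache combined-format log lines (the sample lines are constructed from documentation IP ranges, not captured traffic), keeps only POST requests to wp-login.php, and applies two checks: a per-IP threshold that catches one noisy source, and a per-minute check across all sources, because a campaign spread over some 90,000 addresses can stay under any per-IP limit while still flooding the login page. The thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT), m.group("method"), m.group("path")


def login_attempts(lines):
    """Keep only POSTs to wp-login.php: a GET just renders the form, a POST submits credentials."""
    attempts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php"):
            attempts.append((ip, ts))
    return attempts


def noisy_ips(attempts, threshold=10, window=timedelta(minutes=1)):
    """Per-source check: IPs with more than `threshold` attempts inside any sliding `window`.
    Returns {ip: peak attempts seen within one window}. Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for ip, ts in attempts:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def distributed_minutes(attempts, max_per_minute=5, min_distinct_ips=10):
    """Site-wide check that per-IP thresholds miss: minutes with many login POSTs spread over
    many distinct sources, each source staying under the per-IP limit.
    Returns {minute: (attempt count, distinct source count)}."""
    per_minute = defaultdict(list)
    for ip, ts in attempts:
        per_minute[ts.replace(second=0, microsecond=0)].append(ip)
    flagged = {}
    for minute, ips in sorted(per_minute.items()):
        distinct = len(set(ips))
        if len(ips) > max_per_minute and distinct >= min_distinct_ips:
            flagged[minute] = (len(ips), distinct)
    return flagged


def _entry(ip, when, method, path, status=200):
    """Build one constructed combined-format line (sample data, not captured traffic)."""
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "{method} {path} HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed sample using documentation address ranges: one host hammering wp-login.php,
    twenty hosts trying once each within the same minute, plus ordinary visitors."""
    t0 = datetime(2013, 4, 12, 8, 0, 0, tzinfo=timezone.utc)
    lines = [_entry("203.0.113.5", t0 + timedelta(seconds=2 * i), "POST", "/wp-login.php")
             for i in range(12)]                      # 12 attempts in 22 seconds
    lines += [_entry(f"198.51.100.{i + 1}", t0 + timedelta(minutes=1, seconds=2 * i), "POST",
                     "/wp-login.php?redirect_to=%2Fwp-admin%2F") for i in range(20)]  # one each
    lines.append(_entry("192.0.2.10", t0 + timedelta(minutes=2), "GET", "/wp-login.php"))
    lines.append(_entry("192.0.2.10", t0 + timedelta(minutes=2, seconds=5), "POST", "/wp-login.php", 302))
    lines.append(_entry("192.0.2.11", t0 + timedelta(minutes=2, seconds=9), "GET", "/index.php"))
    return lines


if __name__ == "__main__":
    attempts = login_attempts(sample_log())
    print(f"{len(attempts)} login POSTs")
    for ip, peak in noisy_ips(attempts).items():
        print(f"noisy source {ip}: {peak} attempts within one minute")
    for minute, (count, distinct) in distributed_minutes(attempts).items():
        print(f"{minute:%H:%M}: {count} attempts from {distinct} distinct sources (distributed)")
```

To use it on a real server, replace sample_log() with the lines of your access log. If distributed_minutes flags many minutes while noisy_ips flags few or no addresses, blocking individual IPs will not help much, and a gate in front of wp-login.php, such as the .htaccess password protection described later in this post, is the more useful response.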
1. If your password isn’t long and complex enough, change it to a more complex combination. Adding some special characters such as @#*$&%^! is a good idea. Use a password that is unique to this site; a password reused from another account can be guessed no matter how many symbols it contains.
2. Remove the DROP privilege from the MySQL user that WordPress connects with. WordPress does not need it for day-to-day operation, and taking it away limits what a compromised site can do to its own database.
3. Install WordPress plugins that tighten the WP engine, such as WP Security Scan, WP Firewall 2, TimThumb Vulnerability Scanner, Exploit Scanner, and SI Captcha.
Another method to mitigate the WordPress Global Brute Force Wp-Admin attack is to password-protect wp-login.php with .htaccess:
1. Generate the password file at http://www.htaccesstools.com/htpasswd-generator/ and save it as .wpadmin, preferably outside the web root (for example /home/username/.wpadmin, the path used in the snippet below). Keep in mind that a web-based generator sees the password you type; if you have shell access, the htpasswd tool that ships with Apache creates the same file locally.
2. Insert this code in your .htaccess file.
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<Files wp-login.php>
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
Require valid-user
</Files>
Change /home/username/.wpadmin to the absolute path of the password file you created in step 1. The <Files> block limits the password prompt to wp-login.php, so the rest of the site stays reachable for visitors; anyone opening the login page is now asked for the .wpadmin credentials before they ever reach the WordPress login form, which stops the brute-force requests before WordPress (and the database) has to process them.
Hope you found it useful 🙂