Brute Force Attack affecting global WordPress Installations
by Stephen K from BWF Hosting
This message is of high importance. Please read it all, especially the part at the bottom about passwords.
What is a Brute Force Attack?
These links explain what a brute force attack is:
http://www.techopedia.com/definition/18091/brute-force-attack
http://searchsecurity.techtarget.com/definition/brute-force-cracking
What issues did we handle last night?
I was not working last night, and Giles, our Senior Support Admin, was handling these issues. This information is what I have gleaned from an email from him.
Last night around 9pm we were alerted to the fact that the VPS8 node was overloaded. VPS8 is an OpenVZ node, so each virtual server gets an equal share of the CPU. One VPS server belonging to a client with 100+ WordPress installs on it was causing the server load to spiral out of control.
We worked to bring this under control and bring the server back online for other clients. We also installed a number of products to help mitigate this attack, but we are still working on this. The client affected has all his websites loading, but we had to temporarily block access to all wp-login.php files to prevent the server from becoming overloaded. This in itself proves this overload was caused by the WordPress brute force attack.
The reason this attack is unique is that it involves thousands of different IP ranges, so it is not a simple matter of blocking a specific range of IPs. This looks to us like a very well organised and very distributed attack.
Here is the current VPS Server load and it is very normal and you can see the load spikes have stopped:
top - 07:29:56 up 5:28, 2 users, load average: 2.62, 2.77, 3.00
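The distributed pattern described above is why a per-IP threshold alone misses this kind of attack. The following added example (not BWF Hosting's tooling) counts failed wp-login.php POSTs in an access log both per source and per minute; the log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches POSTs to wp-login.php in Apache/nginx "combined" format access logs.
LOGIN_POST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST \S*wp-login\.php\S* HTTP/[\d.]+" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (minute, ip) per failed login. Assumes stock WordPress behaviour:
    a failed login re-renders the form (200), a successful one redirects (302)."""
    for line in lines:
        m = LOGIN_POST.match(line)
        if m and m["status"] == "200":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(second=0), m["ip"]

def analyse(lines, per_ip_limit=5, per_minute_limit=20):
    """Return (noisy_ips, flagged_minutes). Both limits are illustrative assumptions."""
    per_ip, per_minute = Counter(), defaultdict(Counter)
    for minute, ip in failed_logins(lines):
        per_ip[ip] += 1
        per_minute[minute][ip] += 1
    # Classic per-source rule: catches one host hammering the login page.
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    # Per-target rule: total failures per minute, whatever the source count.
    flagged = {}
    for minute, ips in sorted(per_minute.items()):
        total = sum(ips.values())
        if total > per_minute_limit:
            flagged[minute.strftime("%Y-%m-%d %H:%M")] = (total, len(ips))
    return noisy_ips, flagged

def sample_log():
    """Constructed data: 60 sources, one failed login each, inside one minute,
    plus one ordinary visitor who logs in successfully."""
    fmt = '{ip} - - [01/Jan/2024:21:{mm}:{ss:02d} +0000] "{req} HTTP/1.1" {st} 3120 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip=f"198.51.100.{i}", mm="00", ss=i % 60,
                        req="POST /wp-login.php", st=200) for i in range(1, 61)]
    lines.append(fmt.format(ip="192.0.2.10", mm="05", ss=2, req="GET /index.php", st=200))
    lines.append(fmt.format(ip="192.0.2.10", mm="05", ss=9, req="POST /wp-login.php", st=302))
    return lines

if __name__ == "__main__":
    noisy, flagged = analyse(sample_log())
    print("sources over per-IP limit:", noisy)
    print("minutes over aggregate limit (failures, distinct sources):", flagged)
```

On the constructed sample no single source crosses the per-IP limit, yet the aggregate rule flags the minute, which is the signal that justifies a login-page rate limit or temporary block rather than an IP blocklist.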
Why is this different from any other DDOS attack?
Now a DDOS attack directed against one server is not global headline news - we handle it and we move on. This is different and this is why this message is today marked as high importance.
What Other Webhosts are affected?
It appears all web hosts worldwide are feeling the effects of this. A few links are below, just from Google/Twitter:
http://www.hostdime.com/blog/2013/04/brute-force-attack-affecting-global-wordpress-installations/
http://forums.site5.com/showthread.php?p=191613
http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/
https://www.facebook.com/permalink.php?story_fbid=494405660626327&id=246634765403419
What can I do to protect myself?
Please know our data centre is fully aware of this issue and is actively blocking the most offending IPs from its entire network. However, this attack is highly distributed, which means the range of IPs is huge, so neither they nor we will be able to block all IPs. This is why your security and choosing a secure password is SO IMPORTANT.
Your main line of defense here (if your server is stable and not going down) is to ensure your WordPress password is ridiculously secure. rfp5464 is NOT a secure password! Any dictionary word in any shape or form (even with letters replaced with numbers etc.) is even less secure. It is also recommended that your user name is not admin, as this is the default.
Here is a link to a secure password generator:
http://www.pctools.com/guides/password/