Has your WordPress-based website slowed down? Brute-force attacks are a probable cause

When a website becomes almost inaccessible, we immediately suspect performance problems: trouble with the hosting, the VPS or the dedicated server. Whatever the cause, nobody gains from it: we lose readers or clients, and the administrators are left with a considerable problem. The former cannot reach the resources they were looking for, while editors or managers cannot get into the administration panel. So if your WordPress-based site has recently slowed down, shown other performance problems or even returned error code 503, and you have ruled out a breach of the SLA on the part of the hosting provider, you may well have been the victim of a very large-scale brute-force attack.

Wordfence, a company offering security for web applications, identified an attack that began on December 18 at 4 am CEST. The attackers, with a substantial botnet of over 10,000 unique IP addresses at their disposal, generated a huge number of password-guessing attempts. The Wordfence researchers describing the incident say that "this is the most aggressive campaign they've ever seen." At the peak of their observations, the attackers were simultaneously attacking 190,000 WordPress-powered websites, sending login requests to administration panels from over 10,000 unique IP addresses.

The researchers suspect that whoever was behind the attacks was using a database of 1.4 billion login and password pairs, a dump found on the Tor network at the beginning of December. It contained relatively "fresh" credentials, which could give a fairly good rate of matching credentials to the attacked websites. Each such login attempt uses server resources; performing hundreds or thousands of them in a short time can exhaust all available capacity, and can even raise the bill if we pay for the computing power we use.
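The campaign described above has a recognisable footprint in ordinary web-server access logs: many POST requests to the login endpoint, from many different source addresses, inside a short window. The following detector is an added example written for this article (it is not Wordfence's code or anything from the original post). It parses a few constructed lines in the Apache/Nginx "combined" log format, groups login POSTs into fixed one-minute windows and flags windows in which both the attempt count and the number of distinct source IPs are high, which is what separates a distributed campaign from a single misbehaving client. The endpoint list, thresholds and the regular expression for the log layout are assumptions to be adjusted per site; it also counts POSTs to `/xmlrpc.php`, which accepts credentials as well, going slightly beyond the article's own description.

```python
"""Detect a distributed brute-force campaign against WordPress login endpoints
from web-server access logs.  Added illustration, not code from the article;
every log line below is constructed sample data, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache/Nginx "combined" log format.  The exact layout is an assumption;
# adapt the pattern if your server writes a custom format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints that accept credentials; xmlrpc.php is included as a generalisation.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample: seven login POSTs from seven addresses within one minute,
# then two POSTs from a single address fifteen minutes later.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2017:04:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.11 - - [18/Dec/2017:04:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.5 - - [18/Dec/2017:04:00:02 +0100] "GET /about/ HTTP/1.1" 200 8123
203.0.113.12 - - [18/Dec/2017:04:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.13 - - [18/Dec/2017:04:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.14 - - [18/Dec/2017:04:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.15 - - [18/Dec/2017:04:00:07 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.77 - - [18/Dec/2017:04:00:30 +0100] "GET /wp-login.php HTTP/1.1" 200 2100
192.0.2.77 - - [18/Dec/2017:04:00:35 +0100] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [18/Dec/2017:04:15:10 +0100] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.9 - - [18/Dec/2017:04:15:12 +0100] "POST /wp-login.php HTTP/1.1" 200 3512
"""


def parse_login_posts(log_text):
    """Yield (timestamp, ip, status) for every POST to a login endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string so /wp-login.php?action=... still matches.
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or path not in LOGIN_ENDPOINTS:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group("ip"), int(m.group("status"))


def detect_distributed_bruteforce(log_text, window_seconds=60,
                                  min_attempts=5, min_sources=5):
    """Group login POSTs into fixed windows and return one alert per window in
    which both the attempt count and the distinct-source count reach the
    thresholds.  A single noisy client therefore does not trigger an alert."""
    windows = defaultdict(lambda: {"attempts": 0, "failed": 0, "sources": set()})
    for ts, ip, status in parse_login_posts(log_text):
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        w = windows[bucket]
        w["attempts"] += 1
        w["sources"].add(ip)
        # WordPress re-renders the login form with HTTP 200 after a failed
        # login and redirects (302) after a successful one.
        if status == 200:
            w["failed"] += 1
    alerts = []
    for bucket in sorted(windows):
        w = windows[bucket]
        if w["attempts"] >= min_attempts and len(w["sources"]) >= min_sources:
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "attempts": w["attempts"],
                "failed": w["failed"],
                "distinct_sources": len(w["sources"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample the first minute produces one alert (7 attempts, 6 failures, 7 distinct sources), while the two attempts from a single address at 04:15 do not; that second pattern is what the per-IP lockout discussed below the heading "How to secure your WordPress?" handles. The "failed" counter is only a heuristic: a 200 on wp-login.php usually means the form came back with an error, but a plugin that changes the response codes would require adjusting it.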

Unfortunately, that's not all. After logging in to the panel, the malicious script installs JavaScript code in the site's files which mines the Monero cryptocurrency. The attackers thus work against the site twice: first, they gain access to a poorly secured admin panel, and second, the administrator may not even know that the site has been hacked and has become an intermediary in mining Monero. The experts who detected the attack estimate that the attackers could earn up to $100,000 from this "one-off" operation.

How to secure your WordPress?

First of all, it is worth installing a plugin that blocks logins after N unsuccessful attempts. We use such a solution in Drupal ourselves and it works perfectly. But this is only a basic step; the following should also be done after installing the site on the server:

  • make sure you use a strong administrator password;
  • change the default login from "admin" to something harder to guess;
  • delete unused accounts;
  • enable two-factor authentication, e.g. using YubiKey keys.
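The "block after N unsuccessful attempts" rule is simple to state but has two details that matter against a botnet like the one described: the counter must be kept per account as well as per source address (10,000 addresses sharing the work never trip a per-IP limit on their own), and a blocked request must be rejected before the password is checked, so that the attacker's attempts stop costing server resources. The class below is an added illustration written in Python for this article; it is not WordPress plugin code and not the plugin the authors use. The name `LoginGuard`, the thresholds (5 failures in 15 minutes, 30-minute lockout) and the timestamps in the usage at the bottom are all assumptions.

```python
"""Sliding-window login limiter with per-IP and per-account lockouts.
Added illustration, not WordPress or plugin code; thresholds are assumptions."""
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=1800):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        # Timestamps of recent failures, keyed by ("ip", addr) or ("user", name).
        self._failures = defaultdict(deque)
        # Expiry time of an active lockout per key.
        self._locked_until = {}

    @staticmethod
    def _keys(ip, username):
        # Both keys are checked: a distributed attack on one account trips the
        # user key, a single source spraying many accounts trips the IP key.
        return (("ip", ip), ("user", username.lower()))

    def _prune(self, key, now):
        q = self._failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_blocked(self, ip, username, now):
        return any(self._locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        """Register a failed login; returns True if it triggered a lockout."""
        triggered = False
        for key in self._keys(ip, username):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                self._failures[key].clear()
                triggered = True
        return triggered

    def record_success(self, ip, username, now):
        for key in self._keys(ip, username):
            self._failures.pop(key, None)

    def attempt(self, ip, username, password_ok, now):
        """Decision for one login attempt: 'blocked', 'ok' or 'failed'.
        A blocked request is refused before the password is verified, so it
        costs no password hashing and no database lookups."""
        if self.is_blocked(ip, username, now):
            return "blocked"
        if password_ok:
            self.record_success(ip, username, now)
            return "ok"
        self.record_failure(ip, username, now)
        return "failed"


if __name__ == "__main__":
    # Constructed scenario: five different addresses each try "admin" once.
    guard = LoginGuard()
    for i in range(5):
        print(guard.attempt(f"203.0.113.{i}", "admin", False, now=i))
    # A sixth address with the right password is still refused: the account is locked.
    print(guard.attempt("203.0.113.99", "admin", True, now=6))
```

Two caveats go with this design. A per-account lockout means a botnet can keep the real administrator locked out of the account it is hammering, which is exactly why the next two tips (renaming "admin" and enabling two-factor authentication) matter alongside the lockout. And when the site sits behind a CDN, as suggested further down, the source address seen by the server is the CDN edge unless the application reads the client address from the header the CDN provides; otherwise the per-IP limit would lock out everyone at once.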

An additional obstacle for attackers is to hide the site behind a CDN service, e.g. Cloudflare, which gives us additional protection in the form of:

  • hiding e-mail addresses from being harvested by bots;
  • securing forms on the site against spam bots;
  • a web application firewall (WAF) that protects against attacks exploiting known vulnerabilities;
  • protection against DDoS attacks;
  • preventing the site from becoming a source of spam or malware and thus being blacklisted as a dangerous site.

Those interested in WAFs are referred to Gartner, which has prepared a comparison of the most popular providers of these services.


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.