Although we haven’t seen any major reporting on it yet, as of 2017 our servers have detected a massive botnet attacking WordPress installations in an attempt to exploit weak passwords. Our typical firewall rules are configured to allow at most 15 login attempts prior to immediately blocking the IP at the network level. This works to prevent most bruteforce attacks, but not this one!
The botnet is large enough (that is, it has enough unique servers, each with its own IP address) that it is configured to attack a single site only three times from the same IP before moving on to another IP in its massive database, so it never reaches a per-IP attempt threshold.
To combat this, we’ve identified a common signature used by members of the botnet. Their user agent is identified as an older version of Firefox (40.1) running on Windows 7 (NT 6.1). We used this as a base and wrote our own in-house custom firewall rules that both detect and block this botnet via three separate mechanisms, depending on the server:
- LFD (part of the CSF firewall solution)
- Mod Security
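To make the difference between the two approaches concrete, here is an added example (not our in-house LFD or ModSecurity rules, and not code from this post) that runs both a per-IP attempt counter and a user-agent signature check over a few constructed Apache-style access-log lines. The exact User-Agent string of the bots is not quoted above, so the rule matches only on the two tokens the post gives, "Windows NT 6.1" and "Firefox/40.1", and the full sample UA strings and IP addresses below are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format. Simplified regex: a production parser must also
# cope with escaped quotes and malformed request lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature from the post: Firefox 40.1 on Windows 7 (NT 6.1). Match on the two
# tokens only, since the post does not quote the complete UA string.
SIGNATURE_UA = re.compile(r"Windows NT 6\.1.*Firefox/40\.1")

# Constructed sample user agents (assumed forms, not taken from the post).
BOT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36"
CURL_UA = "curl/7.52.1"


def make_line(ip, ua, method="POST", path="/wp-login.php", status="200"):
    """Build one constructed combined-format log line (documentation IP ranges only)."""
    return (f'{ip} - - [07/Jun/2017:10:15:32 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 4321 "-" "{ua}"')


# Constructed traffic: three botnet IPs doing three tries each (under any 15-try
# threshold), a real user mistyping twice, one old-style single-IP brute force,
# and a visitor who merely browses the site with the same old Firefox build.
SAMPLE_LOG = (
    [make_line(f"192.0.2.{i}", BOT_UA) for i in (10, 11, 12) for _ in range(3)]
    + [make_line("198.51.100.5", CHROME_UA) for _ in range(2)]
    + [make_line("203.0.113.7", CURL_UA) for _ in range(20)]
    + [make_line("198.51.100.9", BOT_UA, method="GET", path="/index.php")]
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_login_attempt(rec):
    # Only POSTs to wp-login.php count; a GET of the login form is not an attempt.
    return rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php")


def threshold_blocks(records, limit=15):
    """Classic rule: block an IP once it exceeds `limit` login POSTs."""
    counts = Counter(r["ip"] for r in records if is_login_attempt(r))
    return {ip for ip, n in counts.items() if n > limit}


def signature_blocks(records):
    """Signature rule: block an IP on its first login POST carrying the botnet UA.

    The check is scoped to login attempts so that a legitimate visitor on an old
    browser who only reads pages is not blocked.
    """
    return {r["ip"] for r in records
            if is_login_attempt(r) and SIGNATURE_UA.search(r["ua"])}


def analyze(lines):
    """Return the block lists each rule would produce for the given log lines."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return {"threshold": threshold_blocks(records), "signature": signature_blocks(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("blocked by 15-attempt threshold:", sorted(result["threshold"]))
    print("blocked by UA signature:        ", sorted(result["signature"]))
```

Running it shows the point of the post: the threshold rule catches only the single-IP brute force (203.0.113.7), while the three distributed bot IPs, each stopping at three tries, are caught only by the signature rule, and the browsing visitor on the same old Firefox build is left alone because the signature is applied only to login POSTs. In practice the signature is a short-lived indicator, since the botnet operator can change the UA string at any time, so it belongs beside the counter rule rather than in place of it.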
As a result of these new mechanisms, our firewalls have reported over 1,600 new IP blocks in the past 3 days, with more rolling in as I type.
During the attacks and blocks our servers have handled everything smoothly. If you’re one of our clients, no need to worry, we’ve already applied these new detection systems to your server.
It’s always recommended to:
- Ensure you’re using strong passwords for all your WordPress users. We recommend randomly generated passwords of at least 30 characters, stored in a password manager such as LastPass.
- Make sure you keep your WordPress installations and all plugins and themes updated. Even if you think an update might break your site, a broken site from an update issue is simpler to repair than repairing a hacked WordPress site!