A group of hackers has attacked some 90,000 smaller WordPress blogs using a simple brute-force method. We all know the importance of strong passwords, but one thing we too often forget is the username. The default “admin” username, combined with a short list of common passwords, let the attackers log in to all these blogs with minimal effort.
The attacks have been going on for about a week, and the number of blogs targeted is substantial. Some of the attacked blogs were probably set up and never used, but it seems likely that a good number of them are active blogs whose owners simply never thought to change the default username.
The program used by the attackers simply cycles through roughly 1,000 commonly used passwords against the default WordPress username, one login attempt after another. If you are a reasonably careful blog owner you will be fine, but the number of successful attacks shows there were more than enough easy targets for the group to take.
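Here is how a site owner or host could spot this kind of attack in ordinary web-server logs. This is an added example, not code from the original article or from WordPress itself. It assumes the login attempts hit the standard WordPress login form (wp-login.php) and that the logs are in the Apache/nginx “combined” format; the sample log lines are constructed for the demonstration. It flags three things: a single IP hammering the login form, a distributed burst in which many IPs each try only a few passwords (the botnet pattern described below), and an IP whose run of failures ends in a redirect, which on WordPress usually means a password was guessed.

```python
"""Spot WordPress login brute-forcing in Apache/nginx 'combined' access logs.

Heuristic used here: a failed POST to wp-login.php re-renders the login form
(HTTP 200), while a successful one redirects to wp-admin/ (HTTP 302).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop ?redirect_to=... and friends
        "status": int(m.group("status")),
    }


def login_posts(lines):
    """Yield parsed records for POST requests to the WordPress login form."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            yield rec


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of `window`."""
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(lines, per_ip_threshold=10, global_threshold=50, window=timedelta(minutes=10)):
    """Return (noisy_ips, distributed_burst, likely_compromised_ips).

    noisy_ips          : IPs with >= per_ip_threshold failed logins inside `window`
    distributed_burst  : True if all IPs together reach global_threshold failures
                         inside `window` (many bots, a few guesses each)
    likely_compromised : IPs whose failed attempts were followed by a 302 redirect
    """
    events = sorted(login_posts(lines), key=lambda r: r["ts"])
    failures = [e for e in events if e["status"] == 200]

    by_ip = defaultdict(list)
    for e in failures:
        by_ip[e["ip"]].append(e["ts"])
    noisy = {ip for ip, ts in by_ip.items() if max_in_window(ts, window) >= per_ip_threshold}

    distributed = max_in_window([e["ts"] for e in failures], window) >= global_threshold

    failed_before, compromised = set(), set()
    for e in events:
        if e["status"] == 200:
            failed_before.add(e["ip"])
        elif e["status"] == 302 and e["ip"] in failed_before:
            compromised.add(e["ip"])
    return noisy, distributed, compromised


def make_line(ip, ts, status, method="POST", path="/wp-login.php"):
    """Build a constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts:{TS_FMT}}] "{method} {path} HTTP/1.1" {status} 3210 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed sample: one loud bot, sixty quiet bots, and one legitimate owner."""
    t0 = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # One IP cycles through 12 passwords ten seconds apart, then gets in (302).
    loud = "203.0.113.5"
    for i in range(12):
        lines.append(make_line(loud, t0 + timedelta(seconds=10 * i), 200))
    lines.append(make_line(loud, t0 + timedelta(minutes=2), 302))
    # Sixty different IPs each make a single failed attempt: invisible per IP,
    # obvious once the failures are counted across the whole site.
    for j in range(60):
        lines.append(make_line(f"198.51.100.{j + 1}", t0 + timedelta(minutes=3, seconds=5 * j), 200))
    # A legitimate owner loads the form (GET) and logs in on the first try (302).
    lines.append(make_line("192.0.2.10", t0 + timedelta(minutes=8), 200, method="GET"))
    lines.append(make_line("192.0.2.10", t0 + timedelta(minutes=8, seconds=5), 302))
    return lines


if __name__ == "__main__":
    noisy, distributed, compromised = analyze(sample_log())
    print("noisy IPs:", sorted(noisy))
    print("distributed burst:", distributed)
    print("likely compromised:", sorted(compromised))
```

The per-IP threshold alone would miss the sixty quiet bots, which is exactly why a botnet is used for this kind of guessing; counting failures across the whole site catches them. The 200-then-302 check is the one to act on first, because it points at accounts whose password has probably already been guessed.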
Once a blog is compromised, it is drafted into a botnet: a group of machines under the attackers' control that can be directed together at large-scale attacks. The blogs themselves are of little value to the attackers; the real prize is likely the servers they are hosted on, which sit on fast connections and run around the clock.
At this point the ultimate goal of the botnet is not clear. 90,000 compromised machines would certainly be useful in distributed denial-of-service (DDoS) attacks, but only time will tell what comes of this.
If you are still using “admin” as your WordPress username, change it immediately. WordPress will not let you rename an existing user from the dashboard, so create a new administrator account with a less predictable username, log in as that account, and delete the old “admin” user, attributing its posts to the new one when prompted. Pair it with a strong, unique password and enable two-step authentication to keep your blog as safe as possible. Keep in mind that a new username is only a speed bump, since author archive URLs can reveal it; the password and the second factor are what actually stop the guessing.
Did your WordPress blog get attacked?