WordPress hit by massive botnet: Worse to come, experts warn


Summary: A massive botnet of tens of thousands of machines is attempting to break into "admin" accounts protected by weak passwords on the popular blogging platform.


Blogging and website platform WordPress has been hit by a massive botnet of tens of thousands of computers, but it could be just the surface of a wider, larger attack.

WordPress.com home page. (Image: Screenshot by Zack Whittaker/ZDNet)

The performance and security firm CloudFlare warned in a blog post today that the unknown attacker is using a "relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack," suggesting a calm before a heavier storm.

The botnet is attempting to "brute force" WordPress websites using the username "admin" with thousands of different passwords. The botnet, typically made up of individual machines that have been infected with malware and directed to hit target servers and websites with vast amounts of data, is being used to hack web-based WordPress installations.

This botnet channels some bandwidth from each of the individual computers infected with malware, which collectively can overload servers. Typically, this kind of network is used either by willing participants to mount a distributed denial-of-service (DDoS) attack that forces websites offline, or as a pool of "slave" computers that can be used to carry out hacking attempts.
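Because the guesses come from tens of thousands of machines, each address can stay under a per-IP rate limit while the site as a whole is being hammered. The sketch below is an added example, not code from the article, CloudFlare or WordPress: it counts failed `wp-login.php` POSTs per time window across all sources. It assumes combined-format access logs and that a failed login returns 200 while a successful one redirects with 302; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip, ident, user, [time], "METHOD path proto", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (timestamp, ip) for wp-login.php POSTs answered with 200 (assumed failure)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].rsplit("/", 1)[-1] == "wp-login.php":
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def distributed_bruteforce(lines, window_s=300, min_failures=10, min_ips=5, per_ip_limit=5):
    """Flag fixed time windows whose failures are spread over many source addresses."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip in failed_logins(lines):
        buckets[int(ts.timestamp()) // window_s][ip] += 1
    alerts = []
    for bucket, per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if total >= min_failures and len(per_ip) >= min_ips:
            alerts.append({
                "window_start": bucket * window_s,
                "failures": total,
                "distinct_ips": len(per_ip),
                # Addresses a plain per-IP limiter would have caught on its own.
                "ips_over_per_ip_limit": sorted(i for i, n in per_ip.items() if n > per_ip_limit),
            })
    return alerts

# Constructed sample (documentation-range addresses, not real traffic):
# 8 hosts with 2 failed logins each, plus one legitimate login and page view.
SAMPLE = [
    f'198.51.100.{10 + i % 8} - - [15/Apr/2013:10:{i * 10 // 60:02d}:{i * 10 % 60:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'
    for i in range(16)
] + [
    '203.0.113.7 - - [15/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Apr/2013:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in distributed_bruteforce(SAMPLE):
        print(alert)
```

On the sample, the window is flagged with 16 failures from 8 addresses, and the list of addresses over the per-IP limit is empty, which is the case a per-address limiter alone would miss.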

It comes only a week after WordPress enhanced user security by rolling out an optional two-factor authentication system.

WordPress founder Matt Mullenweg criticized those who were offering "solutions" to the problem, such as CloudFlare, and instead suggested that users change default usernames as an additional step to protect their WordPress accounts.

"If you still use 'admin' as a username on your blog, change it, use a strong password, if you're on WordPress.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress," he said.

"Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem."

WordPress, which has around 64 million individual blogs and websites and more than 370 million readers each month, remains a large target for hackers. Alexa ranks the blogging network as the 21st most visited site in the world.

  • and it's happening to Wells Fargo too . . .

    . . . you'd think that businesses that have millions, if not billions of dollars at stake would take proactive steps to reduce the severity of disruptions from outside attacks. Maybe a little black helicopter stuff raining down on the perps in the middle of the night . . .?
  • It makes you wonder..

    ..who is really running this botnet? It could be a front for our own government.
    • LOL

      You just never know for sure. ;)
    • ADS

      Botnets are run by people who like making money off of ad clicks mostly. I know the last Attack the user(s) made a few million in a week.
      'Chameleon Botnet' takes $6-million-a-month in ad money
  • WordPress hit by massive botnet:

    On this issue I am going to agree with WordPress founder Matt Mullenweg. The notice from Cloudflare is hardly a fix for the problem. It only deals with their customer base of paid and free users.
    Generic usernames are put in place for convenience. They are never intended to be left as default. If you have a website then you owe it to those that surf your site that it is a secure place to visit. If you build a house and do not put locks in place someone will eventually enter your home.
    WordPress is a very vibrant blogging and website platform that offers a number of security plug-ins and fixes to these types of issues. It is well maintained and updated frequently and highly recommended by me. No software is impervious to attacks.
    Ken Chandler
  • This discussion is kinda nonsensical ...

    Besides writing about this yesterday ( http://answerguy.com/2013/04/15/hacking-wordpress-cms-content-management-security/ ), we happened to do a video on this subject just last week: http://answerguy.com/videopost/you-cant-build-a-web-site-in-one-hour-admin-security/ .

    It's a real issue, but the truth is that it takes very, VERY little to protect against this kind of thing.
  • Cannot change admin account username

    In the article, Matt Mullenweg advises to change the admin username - we always change defaults like this - but WordPress does not *allow* you to change it. How could WordPress's own founder not know this??
    • "Change" admin account username is actually a create / delete process

      It's terribly worded how he put it.

      The procedure is to actually delete the Admin account.
      1. Log in as admin
      2. Create another user, preferably with a hard to guess username
      3. Assign that user Administrative privileges
      4. Log out of admin, log in as the user you just created
      5. Delete the Admin user
      6. Assign posts, etc. to the new user, or another user.
      7. Extra Credit: Create another user, same guidelines as above, but with editor permissions.
      8. Log in as the non-administrative user when doing anything other than admin work. You don't need to be admin to blog about your cat/dog/food project/latest quilt
      storm's eye
    • Change in phpMyAdmin

      You can change it manually in the user table of the database also.
  • Changing Usernames Is A Waste Of Time

    You should be relying on the security of your passwords, not the usernames. If someone finds out your username, how easy is it to change? Not very. So don't bother relying on it being a secret! (Kerckhoffs's Principle)
  • The cause is a people issue, not technical

    If the user put a little bit of effort into changing the password, there is (almost) no way any hacker or brute force attack could have infiltrated the system. Security should not be an after-thought, it should be a before-thought.
    Selvakumar Manickam