WordPress attack highlights 30 million targets

The recent botnet attack on websites running WordPress hasn't had much impact — yet. But with millions of vulnerable sites and a knowledge gap at the low end of the market, things could get much, much worse.
Written by Stilgherrian, Contributor

It'd be easy to dismiss the recent reports of a botnet attack on sites running the WordPress content management system (CMS) as yet another cry-wolf scare story from an exaggeration-prone web hosting company eager for business. After all, one of the earliest posts about the attack was from CloudFlare, and they've got form.

Less than a month ago, CloudFlare chief executive officer Matthew Prince spun the distributed denial of service (DDoS) attack against Spamhaus into "The DDoS that almost broke the internet", and he shamelessly told The New York Times that "These things are essentially like nuclear bombs ... It's so easy to cause so much damage."

An extreme cynic might even note that this botnet, claimed to be 90,000 computers strong, is conducting brute-force password-guessing against WordPress sites around the planet just days after WordPress.com announced two-factor authentication for sites hosted on its own infrastructure, which is just the thing to mitigate that risk. I couldn't possibly comment.

But despite the lack of vaporised cities and radioactive fallout, or even any serious impact so far, these WordPress attacks have the potential to get a lot worse — thanks to the very factors that make WordPress such a popular CMS.

WordPress' big selling point is ease of use. That means it has massive appeal right at the bottom end of the market.

Down at this level, even in 2013, websites are usually little more than static brochureware that gets updated rarely, if at all. With nothing to change, the sites' owners don't log into WordPress, so they don't see the software upgrade notices. Or if they do, they don't know what they mean.

This is where businesses are reluctant to spend even a thousand dollars on a site, so asking them to fork over more money for "maintenance" is a waste of time — what visible difference does it make?

Besides, they'll say, they have someone who "takes care of" their website.

That someone is generally a "web designer", not a developer. WordPress has been a boon for them. Its multitudinous free or cheap themes and plugins make it possible to build a decent website with plenty of functionality without having to dirty their hands with actual code. Or dirty their minds understanding it.

Forgive me, for I'm about to commit the sin of extrapolating from personal experience, but in nearly two decades, I have yet to encounter a "web designer" with halfway-decent security practices — by which I mean creating a different login for every human rather than a generic "admin" account, creating strong passwords, not reusing passwords, deleting unused accounts, and not blithely emailing a business' master internet hosting password to any sub-contractor who might need momentary access.

Indeed, many of those I've encountered have deliberately set the WordPress admin password (or its equivalent in pre-WordPress days) to be exactly the same as their client's hosting account master password, their domain registry password, the login on their PC, and everything else in sight to "make it easier" — because that gets rid of those annoying "I've lost my password" support calls.

WordPress is now the tool of choice for these people, and they've built millions of WordPress websites.

But have they maintained them? No.

As I write this, the WordPress download counter tells me that 17,594,130 people have downloaded the current WordPress version 3.5 and, erm, counting. But over at the statistics page, a rather alarming pie chart tells us that version 3.5 accounts for only 30.5 percent of running WordPress installations.

More than two-thirds of WordPress installations are running versions with known security vulnerabilities? A password-guessing botnet would be the least of our worries.

While CloudFlare was talking up this attack, Sucuri Security was talking it down. They were seeing "only" around three times the number of password-guessing attempts they usually see.

Could it be just a trial, or the calm before a much bigger storm? My impression is that WordPress sites are usually hacked as part of black-hat search engine optimisation (SEO) operations, posting links to their masters' websites for the extra Googlejuice, with no attempt to compromise the hosting account or the server it runs on.

Yet most low-end WordPress sites run on servers with plenty of spare capacity. "Apparently, someone is building a formidable botnet of compromised WordPress accounts that is likely to be used in a much larger attack," said a relatively sober post at Threatpost, though they add one proviso: "Some experts are speculating."

Speculating they are. And I am. But there are maybe 30 million WordPress sites there for the taking, and that's a lot of firepower.