A MASSIVE distributed brute force attack campaign aimed only at WordPress sites started THIS MORNING at 3 AM UTC (Coordinated Universal Time; 3 AM in the United Kingdom, 4 AM in Germany, 5 AM in Romania). It uses a large number of attacking IPs, and each IP is generating a huge number of attacks. This is the most aggressive campaign ever reported, peaking at over 14 million attacks per hour, and it has CONTINUED to ramp up in volume over the past hour as we publish this post.
What we know at this time:
- Peak point of the attack: 14.1 million per hour.
- IPs involved: 10,000+.
- Individual WordPress sites targeted: 190,000 per hour.
- This is the most aggressive campaign by hourly attack volume.
A possible explanation
One possible explanation for this new, rapidly growing brute force attack is that attackers are testing the credential pairs (username + password) dumped on the Dark Web on DEC 5, a few days ago, in an underground community forum. That database was recently updated, with the last set of data inserted on 11/29/2017. In total it holds 1,400,553,869 credentials (username / clear text password pairs).
What you should do now:
- Install a firewall to block brute force attacks. Immediately!
- Reset your administrator password.
- Don't use the default ‘admin’ name for your administrator account!
- Delete ALL unused accounts. Especially admin accounts! This reduces your attack surface.
- Enable two-factor authentication on all admin accounts.
- Enforce strong passwords for all user accounts.
- Monitor successful logins for ALL administrator accounts on your website.
- Do not reuse a password on multiple services!
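As an added example (not code from this post or from any WordPress firewall product), the script below shows how the two monitoring points in the list above can be checked from an ordinary web server access log: it flags source IPs that exceed a threshold of POSTs to `/wp-login.php` or `/xmlrpc.php` inside a sliding time window (candidates for a firewall block), and it separately lists login POSTs that WordPress answered with a 302 redirect, which is how a successful login normally looks in the log, while a failed login re-renders the form with a 200. The log format (Apache/nginx "combined"), the sample log lines, the threshold and the window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regex for the Apache/nginx "combined" access-log format (assumed layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# WordPress endpoints that accept credentials: the login form and XML-RPC.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_attempts(lines):
    """Yield only the parsed POST requests aimed at the login endpoints."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            yield rec


def brute_force_sources(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak attempts in any `window`} for IPs that reach `threshold`.

    A sliding window over the sorted timestamps of each IP finds the densest
    burst of login POSTs; IPs whose burst reaches the threshold are block candidates.
    """
    by_ip = defaultdict(list)
    for rec in login_attempts(lines):
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def successful_logins(lines):
    """Return (ip, timestamp) for login POSTs answered with a 302 redirect.

    Heuristic: WordPress redirects after a successful login and re-renders the
    form (HTTP 200) after a failed one, so 302s on wp-login.php deserve review.
    """
    return [(rec["ip"], rec["ts"]) for rec in login_attempts(lines)
            if rec["path"].split("?")[0] == "/wp-login.php" and rec["status"] == 302]


# --- Constructed sample log (not real traffic; TEST-NET addresses) ---
def _line(ip, ts, method, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


BASE = datetime(2017, 12, 18, 3, 0, tzinfo=timezone.utc)  # assumed start time
SAMPLE_LOG = (
    # one noisy source: 14 failed POSTs 8 s apart, then a 302 (a credential hit)
    [_line("203.0.113.5", BASE + timedelta(seconds=8 * i), "POST", "/wp-login.php", 200)
     for i in range(14)]
    + [_line("203.0.113.5", BASE + timedelta(seconds=8 * 14), "POST", "/wp-login.php", 302)]
    # a slow source below the threshold
    + [_line("198.51.100.7", BASE + timedelta(minutes=i), "POST", "/wp-login.php", 200)
       for i in range(3)]
    # benign page view and a single XML-RPC call
    + [_line("192.0.2.1", BASE, "GET", "/wp-login.php", 200),
       _line("192.0.2.9", BASE + timedelta(seconds=30), "POST", "/xmlrpc.php", 200)]
)

if __name__ == "__main__":
    for ip, burst in brute_force_sources(SAMPLE_LOG).items():
        print(f"block candidate {ip}: {burst} login POSTs within 5 minutes")
    for ip, ts in successful_logins(SAMPLE_LOG):
        print(f"review: successful login from {ip} at {ts.isoformat()}")
```

Run against a real log with `brute_force_sources(open("access.log"))`; tune the threshold and window to your site's normal login rate, and treat the 302 list as a prompt for review rather than proof of compromise, since a redirect can also follow a legitimate login.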
Spread the Word among the WordPress community to create awareness of this new threat. Share this post on ALL your social media channels (use the links from the bottom bar); warn your friends and relatives.