There is currently a significant attack being launched at a large number
of WordPress blogs across the Internet. The attacker is brute force
attacking the WordPress administrative login (wp-login.php), using the
username “admin” and trying thousands of passwords. It appears a botnet
is being used to launch the attack, and tens of thousands of unique IP
addresses have been recorded attempting to break into WordPress installs.
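The pattern described above (a fixed username, a few guesses per bot, a very large number of source IPs) is hard to catch with a plain per-IP lockout, because no single IP trips the threshold. The following is an added example, not code from the original post and not CloudFlare’s WAF rule (the post does not disclose its signature). It is a detection heuristic written here over constructed access log lines in the common “combined” format: failed WordPress logins are POSTs to wp-login.php that are answered with 200 (the form is re-rendered), while a successful login is answered with a 302 redirect. It flags a single source that fails many times in a short window, and separately flags a distributed campaign when many distinct IPs fail within one window even though each stays under the per-IP limit. The thresholds, the sample IPs and timestamps are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: Apache/nginx "combined" access log (adjust the regex for yours).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?")[0]          # drop the query string (?action=...)
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"])


def failed_logins(lines):
    """Yield (ip, ts) for failed WordPress logins.
    WordPress answers a failed POST to wp-login.php with 200 (form re-rendered)
    and a successful one with a 302 redirect to /wp-admin/, so 200 == failure."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            yield ip, ts


def detect(lines, window=timedelta(minutes=10), per_ip_threshold=5, campaign_ip_threshold=10):
    """Return {'flagged_ips', 'campaign', 'failed'}.
    flagged_ips: IPs with >= per_ip_threshold failures inside any sliding window.
    campaign:    True if >= campaign_ip_threshold distinct IPs fail inside one window,
                 which catches the botnet case where every bot stays under the per-IP limit."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)

    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - per_ip_threshold + 1):
            if stamps[i + per_ip_threshold - 1] - stamps[i] <= window:
                flagged.add(ip)
                break

    events = sorted((ts, ip) for ip, stamps in by_ip.items() for ts in stamps)
    campaign = False
    for i, (start, _) in enumerate(events):
        ips_in_window = set()
        for ts, ip in events[i:]:
            if ts - start > window:
                break
            ips_in_window.add(ip)
        if len(ips_in_window) >= campaign_ip_threshold:
            campaign = True
            break
    return {"flagged_ips": flagged, "campaign": campaign,
            "failed": sum(len(v) for v in by_ip.values())}


# ---- constructed sample traffic (not real log data) ----------------------------
def _line(ip, ts, method, status, path="/wp-login.php"):
    return f'{ip} - - [{format(ts, TS_FMT)}] "{method} {path} HTTP/1.1" {status} 3421 "-" "Mozilla/5.0"'


T0 = datetime(2013, 4, 11, 14, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("192.0.2.200", T0, "GET", 200),                            # visitor loads the form (ignored)
    _line("192.0.2.200", T0 + timedelta(seconds=20), "POST", 302),   # successful login (ignored)
]
# one single-source attacker: six failures inside a minute -> flagged
SAMPLE_LOG += [_line("198.51.100.7", T0 + timedelta(minutes=5, seconds=10 * k), "POST", 200)
               for k in range(6)]
# a slow, persistent IP: five failures spread over an hour -> NOT flagged (sliding window)
SAMPLE_LOG += [_line("192.0.2.5", T0 + timedelta(minutes=15 * k), "POST", 200) for k in range(5)]
# a botnet: twelve hosts, two guesses each, all inside ten minutes -> campaign, no IP flagged
SAMPLE_LOG += [_line(f"203.0.113.{n}", T0 + timedelta(seconds=25 * n + 300 * k), "POST", 200)
               for n in range(1, 13) for k in range(2)]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Run against a real log, the campaign flag is the signal to turn on stricter handling for wp-login.php globally (a challenge, a temporary block on the “admin” username, or rate limiting at the edge) rather than per-IP bans, which the botnet never trips.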
One of the concerns with an attack like this is that the attacker is
using a relatively weak botnet of home PCs in order to build a much
larger botnet of beefy servers in preparation for a future attack. These
larger machines can cause much more damage in DDoS attacks because the
servers have large network connections and are capable of generating
significant amounts of traffic. This is similar to the tactic used to
build the so-called itsoknoproblembro/Brobot botnet
which, in the Fall of 2012, was behind the large attacks on US financial
Patching the Internet
We just pushed a rule out through CloudFlare’s WAF that detects the
signature of the attack and stops it. Rather than limiting this to only
paying customers, CloudFlare is rolling the fix out to all our
customers automatically, including customers on our free plan. If you
are a WordPress user and you are using CloudFlare, you are now protected
from this latest brute force attack.
Because CloudFlare sits in front of a significant portion of web
requests we have the opportunity to, literally, patch Internet
vulnerabilities in realtime. We will be providing information about the
attack back to partners who are interested in hardening their internal
defenses for customers who are not yet on CloudFlare.
If you are running a WordPress blog and want to ensure you are protected
from this attack, you can sign up for CloudFlare’s free plan and the
protection is automatic. We’ll continue to monitor the details of the
attack and publish details about what we learn.