During the past week we noticed an abnormal increase in brute force attacks targeting WordPress applications. The attacks use automated scripts that attempt to log in through the default WordPress login page (wp-login.php) using common usernames and passwords.
The brute force attacks originate from a large number of sources, consisting of both legitimate web servers and private home computers. Several published reports have positively identified almost 90,000 attacking sources.
Once the attacking script successfully guesses a username and password, it uses the gained admin credentials to upload a malicious script to the compromised server.
While many of the brute force attempts fail to guess the admin credentials, the sheer volume of login requests has caused excessive resource utilization on the servers hosting the WordPress applications, leaving them unresponsive to legitimate users for the duration of the attack.
Mitigation Recommendation
In order to mitigate the attack, WordPress site owners and administrators are encouraged to take the following preventive measures:
- Enable WordPress ‘Two Step Authentication’, so that a guessed password alone is not enough to log in.
- Harden the WordPress configuration, for example by limiting failed login attempts against the login page.
- Choose a complex, uncommon password, since the attacks rely on common wordlists to perform the brute force.
Radware DefensePro can use JavaScript Web Challenges to mitigate the attack. This method has proven successful in dropping the automated brute force tools while allowing legitimate, JavaScript-capable clients to access the site. (Note that it is important to verify that legitimate clients support JavaScript, in order to prevent false positives.)
Radware AppWall can block these brute force attacks by detecting multiple unsuccessful login attempts against the WordPress login page originating from the same source within a short time period. The malicious sources can then be suspended or blocked for a configurable timeframe.
Additionally, in scenarios where shared IPs are used (e.g. behind proxy servers or NAT), a throttling policy can be applied instead of an outright block, so that legitimate users behind that IP can still reach the login page while the excess, malicious requests originating from the same IP address are dropped.
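The two behaviours described above, counting failed logins per source with a timed suspension and a throttling policy for shared addresses, as an added Python example run over constructed access-log lines. This is illustrative code written for this page, not Radware's product logic. It assumes combined-log-format lines and the default WordPress behaviour that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful login redirects with HTTP 302; the thresholds (5 failures per 60 seconds, a 15 minute suspension, a token bucket of 5 requests refilling at one every 2 seconds), the sample addresses and the timestamps are all chosen for the example.

```python
"""Failed-login detection and per-source throttling over access logs.
Added example for this advisory, not Radware product code.  Assumes
combined-log-format lines and default WordPress behaviour: a failed POST
to wp-login.php re-renders the form (HTTP 200), a success redirects (302).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]                 # drop any query string
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"])


def is_failed_login(method, path, status):
    """POST to the login page answered with 200 means the form came back: bad credentials."""
    return method == "POST" and path.endswith(LOGIN_PATH) and status == 200


class BruteForceDetector:
    """Count failed logins per source in a sliding window; suspend the source over the limit."""

    def __init__(self, max_failures=5, window=timedelta(seconds=60), block_for=timedelta(minutes=15)):
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self.failures = defaultdict(deque)            # ip -> timestamps of recent failures
        self.blocked_until = {}                       # ip -> when the suspension expires

    def observe(self, ip, ts, method, path, status):
        """Return 'blocked' (source suspended), 'flagged' (limit just crossed) or 'ok'."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if ts < expiry:
                return "blocked"
            del self.blocked_until[ip]                # suspension over, count afresh
        if not is_failed_login(method, path, status):
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                          # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.block_for
            recent.clear()
            return "flagged"
        return "ok"


class LoginThrottle:
    """Token bucket per source IP: a shared address keeps a trickle of logins, the excess is dropped."""

    def __init__(self, rate_per_sec=0.5, burst=5):
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = {}                             # ip -> (tokens, last_seen)

    def allow(self, ip, ts):
        tokens, last = self.buckets.get(ip, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last).total_seconds() * self.rate)
        self.buckets[ip] = (tokens - 1 if tokens >= 1 else tokens, ts)
        return tokens >= 1


def analyse(log_text, detector=None, throttle=None):
    """Throttle first, then detect; return what a WAF policy would act on."""
    detector, throttle = detector or BruteForceDetector(), throttle or LoginThrottle()
    summary = {"flagged": [], "blocked_requests": 0, "throttled": defaultdict(int)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if path.endswith(LOGIN_PATH) and not throttle.allow(ip, ts):
            summary["throttled"][ip] += 1             # dropped before reaching WordPress
            continue
        verdict = detector.observe(ip, ts, method, path, status)
        if verdict == "flagged":
            summary["flagged"].append(ip)
        elif verdict == "blocked":
            summary["blocked_requests"] += 1
    summary["throttled"] = dict(summary["throttled"])
    return summary


# Constructed sample log (not a real capture): attacker 203.0.113.7 guessing passwords,
# legitimate user 198.51.100.20 mistyping once, shared proxy 192.0.2.55 bursting GETs.
def _line(ip, hhmmss, method, status):
    return f'{ip} - - [12/Apr/2013:{hhmmss} +0000] "{method} /wp-login.php HTTP/1.1" {status} 0'

_A, _U, _P = "203.0.113.7", "198.51.100.20", "192.0.2.55"
SAMPLE_LOG = "\n".join(
    [_line(_A, "10:00:01", "POST", 200), _line(_A, "10:00:03", "POST", 200),
     _line(_A, "10:00:05", "POST", 200), _line(_U, "10:00:06", "GET", 200),
     _line(_A, "10:00:07", "POST", 200), _line(_U, "10:00:09", "POST", 200),
     _line(_A, "10:00:09", "POST", 200), _line(_A, "10:00:11", "POST", 200),
     _line(_U, "10:00:15", "POST", 302)]
    + [_line(_P, "10:01:00", "GET", 200)] * 8
)
```

Running `analyse(SAMPLE_LOG)` flags the attacker on its fifth failure within the window and counts its sixth request as blocked, while the legitimate user's single mistyped password never trips the limit; the shared proxy address is never suspended, but only five of its eight burst requests reach the login page. The two controls are complementary: the attacker's slow, steady guessing passes the throttle and is caught by the failure counter, whereas the proxy burst contains no failures and is handled only by the throttle. The 200-versus-302 heuristic is the default WordPress behaviour; any plugin or front end that changes the login response codes needs a different failure signal.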