Distributed WordPress Password Guessing

A reader of the Internet Storm Center (ISC) recently discovered a malicious WordPress hacking script.

The script is nothing more than a password-guessing tool. What makes it unusual, as ISC pointed out, is that it uses a MySQL database backend to record password attempts. Because the state lives in a shared database rather than inside the process, the script can be run as multiple processes on multiple systems, so the guessing is distributed: each source sends only a handful of attempts, and no single address ever looks busy enough to trip a per-IP lockout.

It may be obvious to point out, but the script targets the default "admin" username, which WordPress creates on every install, so the attacker only has to guess the password, not the account name. Equally obvious, WordPress is by no means the only platform exposed to this type of attack.
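Because the attempts arrive from many addresses, a per-IP lockout is the wrong place to look. The following is an added example (not the script ISC analysed, and not BlogSecurity code) that reads Apache "combined" access-log lines and counts failed logins against the site as a whole. Standard access logs do not carry the POST body, so the guessed username is not visible; the log lines are constructed, the 200-vs-302 rule for failed versus successful logins is stated as an assumption, and the thresholds are illustrative.

```python
"""Spot distributed guessing against wp-login.php in Apache access logs.

Added example (not the script ISC analysed and not BlogSecurity code).
Standard access logs carry no POST body, so the username is not visible; the
detection therefore counts failures against the site as a whole instead of
per source address, which is exactly where a per-IP lockout goes blind.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_failed_logins(lines):
    """Return sorted (timestamp, ip) pairs for POSTs to wp-login.php that failed.

    Assumption (default WordPress behaviour): a failed login re-renders the
    form with HTTP 200, while a successful one answers 302 to wp-admin.
    """
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-login.php") or m["status"] != "200":
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    events.sort()
    return events


def per_ip_lockout_fires(events, max_failures=5, window=timedelta(minutes=10)):
    """Classic per-source lockout: does any one IP exceed max_failures in a window?"""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    for times in by_ip.values():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                return True
    return False


def detect_distributed_guessing(events, window=timedelta(minutes=10),
                                min_total=20, min_sources=8):
    """Alert on a window with >= min_total failures spread over >= min_sources IPs.

    Returns the busiest qualifying window as a dict, or None.
    """
    worst, start = None, 0
    for end, (ts, _ip) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        current = events[start:end + 1]
        ips = Counter(ip for _, ip in current)
        if len(current) >= min_total and len(ips) >= min_sources:
            if worst is None or len(current) > worst["failures"]:
                worst = {"window_end": ts, "failures": len(current),
                         "sources": len(ips), "max_per_ip": max(ips.values())}
    return worst


def constructed_log():
    """Constructed sample: ten hosts, three guesses each, spread over five
    minutes, plus a page load and one successful login as noise."""
    fmt = '{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "Mozilla/4.0"'
    t0 = datetime(2008, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = [fmt.format(ip="198.51.100.7", ts=t0.strftime(TS_FMT), method="GET", status=200)]
    for n in range(30):  # attempt n comes from host n % 10, ten seconds apart
        ts = (t0 + timedelta(seconds=10 * n)).strftime(TS_FMT)
        lines.append(fmt.format(ip=f"203.0.113.{n % 10 + 1}", ts=ts, method="POST", status=200))
    ts = (t0 + timedelta(minutes=6)).strftime(TS_FMT)
    lines.append(fmt.format(ip="198.51.100.7", ts=ts, method="POST", status=302))
    return lines


if __name__ == "__main__":
    events = parse_failed_logins(constructed_log())
    print("failed logins:", len(events))
    print("per-IP lockout fires:", per_ip_lockout_fires(events))
    print("distributed alert:", detect_distributed_guessing(events))
```

On the constructed sample the per-IP lockout never fires (no host exceeds three failures), while the site-wide count shows thirty failures from ten sources inside one window. The same idea applies server-side: count failures per account, not per client address.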

BlogSec recommended some time ago that the default username be changed to something else. We also recommended restricting access to "wp-admin" and "wp-login.php". See the WordPress Security Whitepaper for more information; and yes, we still need to do a lot more work on that document.
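The restriction recommended above, written out as an added example in Apache 2.2 syntax (it is not taken from the whitepaper; the paths and addresses are placeholders):

```apache
# /var/www/wordpress/.htaccess (placeholder path): only trusted addresses may
# reach the login form; everyone else gets a 403 before WordPress ever sees
# the password guess.
<Files "wp-login.php">
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24
    Allow from 198.51.100.42
</Files>

# /var/www/wordpress/wp-admin/.htaccess: the same rule for the whole admin area.
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24
Allow from 198.51.100.42
```

Check it with a request from an address outside the list: a 403 from Apache, not a WordPress login page. The caveat is that any plugin which sends ordinary users into wp-admin for their own settings will break for everyone outside the allow list, and admins who roam lock themselves out; in that case put HTTP basic authentication (AuthType Basic with its own password file) on the same Files and directory blocks instead of address filtering, so the guessing script still has to get past a second, independent password.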

Going forward, it would be good if WordPress required the user to choose an admin username during installation. Being able to change usernames from within the admin panel would also be handy; it has been a read-only field for as far back as I can remember.

Comments

I found this attack interesting. I would really restrict access to wp-login and wp-admin, but the problem I experience is that doing that messes with certain plugins that have settings for general users (Subscribe to Post comes to mind).

I think, in addition to having a real username picked at installation, it needs to have a place where plugins can have a settings page outside of wp-admin.

I had no idea about this script although I figured that it was a matter of time before someone did it.

Great advice!

Another useful core WordPress feature would be email notification if someone gets the admin password wrong too many times: say, more than three or more than five.

I am astonished by the ways and means hackers have to achieve their mischievous goals. It is a constant battle to stay ahead of the challenge. We should keep in mind that the Internet is a warzone against fraudulent acts in whichever way – always be alert.

Remember to BACKUP regularly!

Cheers

Sorry, but there is nothing new or special about this kind of attack ...
I mean distributed brute-force attacks are an old technology and are done on several other layers all the time (i.e. rainbow table generation or distributed SSH brute-force attacks).

[...] use strong password to harden the security of website. Article from blogsecurity.net is describing the unique script which is used by hackers to guess the password. Our recommendation [...]

It seems blogs as targets would be the next big thing, just my prediction. Here's my blog, btw (free basic to advanced hacking tutorials):

pinoysecurity.blogspot.com
