
Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC

This entry was posted in WordPress Security on December 18, 2017 by Mark Maunder

A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour.

The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012.

The campaign has continued to ramp up in volume during the past hour as we publish this post. The graph of attack volumes below shows the number of attacks per hour and the number of attacking IPs that we see each hour.

Our infrastructure automatically blacklisted the participating IPs in real-time and distributed those to our Premium customers. This all happened unattended early this morning. We continue to monitor the campaign and are analyzing its origin and who is behind it.

What we know at this time:

  • The attack has so far peaked at 14.1 million attacks per hour.
  • The total number of IPs involved at this time is over 10,000.
  • We are seeing up to 190,000 WordPress sites targeted per hour.
  • This is the most aggressive campaign we have ever seen by hourly attack volume.

A possible explanation for this new massive increase in brute force attacks

On December 5th, a massive database of hacked credentials emerged. It contains over 1.4 billion username/password pairs. Approximately 14% of the database contains credentials that have not been seen before. The database is also searchable and easy to use.

Historically, brute force attacks targeting WordPress have not been very successful. This new database provides fresh credentials that, when matched with a WordPress username, may provide a higher success rate for attackers targeting sites that do not have any protection.

Protecting Yourself

If you have not already done so, install Wordfence immediately on your site. Even the free version of Wordfence provides excellent brute force protection by limiting login attempts and hiding usernames while employing a variety of other mechanisms to ward off attackers.

The Premium version of Wordfence uses a real-time IP blacklist to completely block attackers. Our real-time blacklist was automatically updated as this attack started early this morning to immediately block IPs engaging in the attack. As you can see from the chart above, we are already monitoring over 10,000 unique IPs and actively blocking them.

We strongly recommend that you upgrade to Wordfence Premium to benefit from the real-time blacklist feature which blocks any traffic from these malicious IPs.

Spread the Word

This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat. You can suggest the following actions to your fellow WordPress site owners:

  1. Install a firewall like Wordfence that intelligently blocks brute force attacks.
  2. Ensure that you have strong passwords on all user accounts, especially admin. Wordfence Premium provides password auditing capability.
  3. Change your admin username from the default ‘admin’ to something harder to guess.
  4. Delete any unused accounts, especially admin accounts that you don’t use. This reduces your attack surface.
  5. Enable two-factor authentication on all admin accounts. Wordfence Premium provides two-factor.
  6. Enable an IP blacklist to block IPs that are engaged in this attack. Wordfence Premium provides a real-time IP blacklist.
  7. Monitor login attempts by configuring alerts when an admin signs into your website. Wordfence (free version) provides this.
  8. Do not reuse a password on multiple services. That way if you have a password from a data breach in this new database, it won’t be the same as your WordPress admin password. You can use a password manager like 1password to manage many passwords across services.
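
One way to check a web server access log for the pattern this post describes, many source IPs each making repeated login attempts, is sketched below as an added example; it is not Wordfence code and not part of the original post. The combined log format, the threshold of 5 login POSTs per 5 minutes, the endpoint list (taken from what readers report in the comments) and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # endpoints commenters report being hit

def login_posts(lines):
    """Yield (ip, time, user_agent) for every POST to a WordPress login endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] in LOGIN_PATHS:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ua"]

def analyze(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Flag IPs with more than max_attempts login POSTs inside any sliding window.

    The default threshold and window are illustrative assumptions, not vendor values.
    """
    per_ip, agents = defaultdict(list), Counter()
    for ip, ts, ua in login_posts(lines):
        per_ip[ip].append(ts)
        agents[ua] += 1
    flagged = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop attempts older than the window
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(ip)
                break
    total = sum(agents.values())
    top_ua, top_hits = agents.most_common(1)[0] if agents else ("", 0)
    return {"flagged": flagged, "sources": len(per_ip), "attempts": total,
            "top_ua": top_ua, "top_ua_share": top_hits / total if total else 0.0}

def sample_log():
    """Constructed sample lines using documentation IP ranges; not real traffic."""
    bot, human = "Mozilla/5.0 (constructed-bot-agent)", "Mozilla/5.0 (constructed-browser)"
    fmt = '{ip} - - [18/Dec/2017:03:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip="192.0.2.10", m=0, s=i * 5, req="POST /wp-login.php", ua=bot)
             for i in range(8)]
    lines += [fmt.format(ip="198.51.100.7", m=1, s=i * 4, req="POST /xmlrpc.php", ua=bot)
              for i in range(7)]
    lines.append(fmt.format(ip="203.0.113.5", m=2, s=0, req="POST /wp-login.php", ua=human))
    lines.append(fmt.format(ip="203.0.113.5", m=2, s=9, req="GET /wp-admin/", ua=human))
    return lines

if __name__ == "__main__":
    print(analyze(sample_log()))
```

A high `top_ua_share` across many flagged sources suggests a single tool driving the campaign, which can help when deciding what to rate-limit or block at the server.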


50 Comments on "Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC"

Chuck December 18, 2017 at 1:44 pm • Reply

We noticed a sustained load increase across our servers. Upon investigation we found the same things, a large amount of IPs hitting WP login pages and xmlrpc.php.

We have systems in place that automatically block these attacks / IPs for any WordPress sites not using Wordfence or who may not have it configured for this protection.

It is rare I need to start manually blocking ranges but this is one of those times!

Thanks for the article I will be sharing it.

Jay December 18, 2017 at 2:48 pm • Reply

Just in case:
- https://wordpress.org/plugins/disable-xml-rpc/
- https://wordpress.org/plugins/disable-json-api/

Rick Rouse December 18, 2017 at 1:46 pm • Reply

Thanks for the heads-up. Awesome work!

Rich Stern December 18, 2017 at 1:51 pm • Reply

Appreciate the heads up.

In addition to WordFence on likely-to-be-vulnerable domains, I find that fail2ban is an excellent solution against this type of attack. An aggressive, brute force attack against one WordPress site on a server will get an IP jailed not just for that site, but for all sites on the same server, WordPress or otherwise.

Chook December 18, 2017 at 1:54 pm • Reply

No need to worry... It's everyone doing their last minute Online Christmas Shopping :)
Forgotten their passwords from last year... lol

But in all seriousness, thanks for the update and an amazing security plugin.
Merry Christmas/Happy Holidays

Michael Ha December 18, 2017 at 1:55 pm • Reply

Thanks for the heads up.

Yahkal December 18, 2017 at 1:58 pm • Reply

Thanks a lot for your service

Alexander Schestag December 18, 2017 at 2:02 pm • Reply

I think, in such emergencies, you should immediately update the blocked IPs for everyone. It is absolutely legitimate to make money with your service, but in emergencies, security for everyone is a greater good.

Mark Maunder December 18, 2017 at 2:12 pm • Reply

Hi Alexander,

I'd love to do that. Unfortunately producing the list is expensive. We need to collect a huge volume of data on servers which costs us hardware, bandwidth, people. Then we need to analyze it which costs us a large scalable cluster which aggregates the data and runs queries continuously. Then we need to distribute the blacklist in real-time.

Costs are: bandwidth, hardware, software, services and mostly people. If we gave it away for free, it wouldn't exist for very long because we would not be able to continue to afford producing the blacklist, along with the other amazing WF premium features.

We've long had a philosophy where we only charge for things that cost us money. I feel pretty good about that because in each case, we HAVE to charge, rather than just doing it by choice. We also try to keep our price-point as low as we can to provide a huge amount of value for our customers.

Regards,

Mark.

JOE R MCDANIEL December 18, 2017 at 2:33 pm • Reply

I've been seeing a lot of dummy email addresses for subscribers lately. Not sure if related to this attack. I've been deleting them periodically.

Dan December 18, 2017 at 2:47 pm • Reply

...and in reality, Wordfence is a pretty fair price for the quality of the plugin, and the ongoing effort you guys put into it. Thanks for the update, and the protection!

Mark Maunder December 18, 2017 at 4:27 pm • Reply

Thanks Dan!

Cat December 19, 2017 at 3:46 am • Reply

Hi Mark,
Maybe you should publish those IPs you've found.

Mark Maunder December 21, 2017 at 10:27 am • Reply

We don't publish our IP blacklist publicly. It is available as a Wordfence Premium feature.

Greg December 18, 2017 at 7:59 pm • Reply

You are 100% on the ball with that. In a situation like this EVERYONE should be 100% protected.

Shane73 December 20, 2017 at 1:29 pm • Reply

I am going to have to disagree with you there Greg. It is not some kind of right you have to get premium services without paying for it.

You don't get to demand someone else's services when you think you have the right to them.

I use the premium plugin on all of my client's sites, and some of my own personal sites. Some smaller sites that I don't have as much of an investment in just run the free version.

But I do not expect the team at WordFence to cover me with premium services when I do not pay for it.

Gary Arnell December 19, 2017 at 7:06 am • Reply

Premium is totally worth it. Thanks for such a great plugin and great service!

Lucy Turowiecki December 18, 2017 at 2:22 pm • Reply

Thanks for the warning, you couldn't be more effective! EXCELLENT SERVICE.

Rick December 18, 2017 at 2:25 pm • Reply

Wouldn't it be better to forget about Wordpress altogether and have a much faster completely secure site by using a static site generator like Hugo?

Mark Maunder December 18, 2017 at 2:37 pm • Reply

That is not feasible for many.

Rick December 18, 2017 at 2:49 pm • Reply

That's unfortunate because so many are affected unnecessarily. A little education about how easy it is to have a static website with all of the dynamic functionality handled by microservices would enhance their web presence dramatically. Saving them time, money and aggravation.

debbie December 21, 2017 at 7:41 pm • Reply

Static websites may be more secure, however they are also unusable to most clients who want to do their own updates and work. We stopped doing all static sites 18 months ago for this reason.

Sites need to be fluid and changing and easily accessible to the non-technical.

It is not all about security.

David Finch December 18, 2017 at 4:44 pm • Reply

With 30% of all websites now running on WordPress why on earth would we switch to Hugo.
Thanks Wordfence for the brilliant work you do for all of us.

Mark Maunder December 18, 2017 at 6:13 pm • Reply

Weeeelll, so I think the WP team do a pretty good job of marketing. Let's put it that way. Static sites do have some benefits, but that's if you are just publishing content. If you want a web application that is dynamic, WP is the way to go. So there's a place for both and I certainly welcome diversity in platforms.

Mark Gillespie December 18, 2017 at 2:41 pm • Reply

Wonder if this brute force attack has anything to do with the Internet backbone problems being reported by Level 3 and Cogent today?

http://www.slate.com/blogs/future_tense/2017/12/18/the_internet_is_really_slow_right_now.html

Mark

Dallin Chase December 18, 2017 at 3:00 pm • Reply

Thanks for the updates guys, it's great to be as prepared as possible.

Dennis H Wilen December 18, 2017 at 3:05 pm • Reply

It's not 7 PM PST yet. Is this report from the future?

Mark Maunder December 18, 2017 at 4:27 pm • Reply

7pm PST yesterday, 3am UTC today.

Ronan December 18, 2017 at 3:53 pm • Reply

I have no doubt for one second that the attacks are timed when staff are preparing for the holidays and some downtime. It was this time last year my server was heavily bombarded with Brute Force attacks. 3 client sites were compromised. New Year's eve plans were put on hold because of this. Could be the same again this year.

Mark Maunder December 18, 2017 at 4:26 pm • Reply

Hope this doesn't ruin your plans!!

Leslie December 18, 2017 at 4:15 pm • Reply

Thank you for helping to keep the WWW a more secure place for everyone!

Nobby December 18, 2017 at 5:56 pm • Reply

Thanks for the support and heads up Mark.
This rubbish is exactly why I will no longer use WordPress.
Just this week I have already shifted my sites across to another platform.
I feel for everyone who has no idea on the simplest security measures, including the free level of Word Fence let alone paying for the Premium version.
It's not what it costs up front, but the cost to repair, replace or fix what has been lost.

Mark Maunder December 18, 2017 at 6:11 pm • Reply

Sorry to hear that. I do think it's possible to reap all the benefits of WP and also secure it. Wordfence runs WP and I run it on my personal sites.

Steve December 18, 2017 at 7:28 pm • Reply

Whatever you switched to has its own security issues. The attacks can also put a smaller load on those servers too (if the attack is dumb and targets all sites).

Eduardo Silvestre December 18, 2017 at 6:34 pm • Reply

Do you have any feed with malicious IPs/attackers?

Dan Moen December 19, 2017 at 7:02 am • Reply

Hi Eduardo, our real-time IP blacklist is that very feed. You can enable it on your site by enabling the "Preemptively block malicious IP addresses" option in the firewall. It's a Premium feature.

Pete Wright December 18, 2017 at 7:12 pm • Reply

Wow - thanks for keeping on top of this, and for letting us know. This sort of thing isn't a problem with WP per se, it's just a tradeoff of dynamic sites. Sure, generated static sites can be great, but folks often expect/need more than those can provide cost-effectively. Same reason they tend to favour cars even when walking would be safer.

Lloyd December 18, 2017 at 8:52 pm • Reply

I also found that these issues on the Backbone and Cogent servers are related to a significant brute force attempt through TightVNC clients.

The attempts have been discovered for short periods over the past 10 days, but have increased to many thousands of attempts on many IPs across our network.

Manthan December 18, 2017 at 9:36 pm • Reply

Hi,
This is confirmed.
My site was also under brute force attack. All the IPs were from Vietnam and they were all different. I received at least 100 emails from my site about blocking of brute force login attempt by WordFence, and I am using Free version.
Kudos to WordFence team.

Alex December 19, 2017 at 4:26 am • Reply

The 1password is not secure at all :
http://bgr.com/2017/02/24/uber-1password-fitbit-and-okcupid-user-data-exposed-by-massive-security-flaw/
https://thehackernews.com/2017/02/password-manager-apps.html

Mark Maunder December 21, 2017 at 10:26 am • Reply

The Cloudflare/cloudbleed breach actually showed that 1password is fairly robust. That was not a 1pass flaw but a Cloudflare issue.

The second article makes a lot of noise about things that could be improved in password managers in general. 1pass is doing a pretty good job as far as I'm aware. Sure, you're going to get the odd vulnerability reported, but that applies to anything.

You state: "The 1password is not secure at all".

That is factually incorrect. At the time of this writing, 1password does not have any outstanding vulnerabilities or other security issues that I'm aware of.

Gordon December 19, 2017 at 1:16 pm • Reply

Thanks for the update. I wish we could afford the premium but with 1500 sites to consider it's just too much. Even the bulk pricing.

That being said you have 10,000 IP's firing at 14 million wordpress sites. This may be a stupid question but why aren't we firing back.

14,000,000 sites shooting queries back at these IP's would/should take down those servers instantly. To hell with the hosting companies taking the money and looking the other way. To hell with the governments that refuse to make this a priority issue in their law enforcement. To hell with collateral damage.

With 14 million wordpress sites we could be the botnet from hell!

If my sites go down because my host is allowing hackers to use it well we're going to be having a discussion about their future with us.

Mark Maunder December 21, 2017 at 10:22 am • Reply

The CFAA does not allow us to hack back, unfortunately.

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Joe December 19, 2017 at 1:35 pm • Reply

I'd love to see the country demographics for this attack like you used to show. Where is it originating, which countries and Ip's?

Dan Moen December 19, 2017 at 1:41 pm • Reply

Hi Joe, Thanks for the feedback. We'll consider adding that detail if we publish a follow up post.

Matt December 19, 2017 at 11:51 pm • Reply

We've blocked 1.5M requests from this in the past 2 days using our firewall, from 10.2K IP address. Here are the hits by country:

496 K United States
130 K France
84.2 K Netherlands
79.1 K Germany
76 K United Kingdom
49.5 K Canada
39.3 K Singapore
38.7 K Italy
36 K Spain
26.5 K China

Matt Kopala December 19, 2017 at 11:55 pm • Reply

For this particular attack, 98% of the hits (1.39M total) we've had so far at SiteDistrict were using a single User-Agent:

Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36

Enrico December 21, 2017 at 6:48 am • Reply

Hi, does anybody have any clue if this is still on?
We run a mid-sized multisite network and are experiencing extreme loads on our servers from Dec 18, and it kept going until now...

Dan Moen December 21, 2017 at 7:21 am • Reply

Hi Enrico, attack volumes are very low this morning. Check out our post from yesterday, there is an update including a graph toward the end.

Enrico December 21, 2017 at 9:27 pm • Reply

Hi Dan, thanks for the answer!

This morning (I'm in Europe) things seem to be quieter also here...

pheeew :-)

