Make sure you have backed up your WordPress site. A massive Brute Force Attack is underway.
A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour.
The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012.
If you have not already done so, install Wordfence immediately on your site. Even the free version of Wordfence provides excellent brute force protection by limiting login attempts and hiding usernames while employing a variety of other mechanisms to ward off attackers.
The Premium version of Wordfence uses a real-time IP blacklist to completely block attackers. Our real-time blacklist was automatically updated as this attack started early this morning to immediately block IPs engaging in the attack. As you can see from the chart above, we are already monitoring over 10,000 unique IPs and actively blocking them.
We strongly recommend that you upgrade to Wordfence Premium to benefit from the real-time blacklist feature which blocks any traffic from these malicious IPs.
Spread the Word
This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat. You can suggest the following actions to your fellow WordPress site owners:
- Install a firewall like Wordfence that intelligently blocks brute force attacks.
- Ensure that you have strong passwords on all user accounts, especially admin. Wordfence Premium provides password auditing capability.
- Change your admin username from the default ‘admin’ to something harder to guess.
- Delete any unused accounts, especially admin accounts that you don’t use. This reduces your attack surface.
- Enable two-factor authentication on all admin accounts. Wordfence Premium provides two-factor.
- Enable an IP blacklist to block IPs that are engaged in this attack. Wordfence Premium provides a real-time IP blacklist.
- Monitor login attempts by configuring alerts when an admin signs into your website. Wordfence (free version) provides this.
- Do not reuse a password on multiple services. That way if you have a password from a data breach in this new database, it won’t be the same as your WordPress admin password. You can use a password manager like 1password to manage many passwords across services.
Have a great night and stay safe…