A lot of digital ink has been spilled regarding the supposedly surprising revelation that there is a concentrated effort going on by an apparent botnet to “hack” into your WordPress installation. Some of the better and/or more interesting writeups have been:
- Brian Krebs
- Sucuri’s post on what the attack actually is (it’s using lists)
- HostGator (including a couple of tips on dealing with it)
It’s important to think about why this attack is happening, and I don’t mean what the eventual goal of the botnet might be. For this attack to be profitable in terms of time and resources, it needs to be worth the effort that is being expended to create it.
Is it happening because the sites in question are running WordPress? Almost certainly not.
It’s happening because users don’t follow good password practices.
I’ll say that again: it’s not happening because WordPress is inherently insecure; it’s happening because you and I have a habit of creating, picking, and using crappy passwords.
Krebs posted a link to the list that’s currently known to be used in this attack, which you can find here. Take a look at it, because if you have had any experience in dealing with access attempts, it will probably look familiar. The vast majority of the usernames that are being tried are admin, and the passwords are by and large passwords that are among the most common passwords chosen by users across every web service in existence, not just WordPress.com.
As the Sucuri blog points out, there are a couple of passwords in there that don’t make a ton of sense compared to the common password list, like these:
6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
5392 [pwd] => $#GBERBSTGBR%GSERHBSR
5058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4861 [pwd] => aethAEHBAEGBAEGEE%
What this tells us is that it’s not enough just to have a secure password. You need to have more than one. I’ll illustrate with a short story about this happening to me. Remember last year, when LinkedIn and last.fm had a couple of security breaches and they (or at least last.fm) told people it was possible that username and password information had been stolen?
I know from personal experience that they had, because some of my accounts were accessed by people who weren’t me. At the time, I used a “low security” email and password combination, which was exactly the same and used on sites that I considered to be lower in personal priority. Within a few days of the last.fm breach, I started receiving emails from some other services that I didn’t remember asking for. I looked into it, first logging in to my account with EA/Origin (because I knew it was one of those other accounts that shared that email and username combination).
When I did, I found that my EA account was set to display in Russian. It had been accessed using a reverse brute force attack, where the attackers had my combination of email address and password from the last.fm breach and were trying to use it on every web service they could find. Once they knew the combination was valid, it was dumped into a list and used by who knows how many people, trying to see if it gave them access to other accounts.
After going through this—and the associated panic at not knowing which of my accounts were affected—I no longer consider any service or web app I use to be low priority. You shouldn’t, either.
To protect yourself from these kinds of attacks, there are some very simple, slightly paranoid rules you should follow:
- Don’t use a common password. A good list of these is in this post about common Twitter passwords from a few years back.
- Try to avoid using dictionary words in your passwords—or if you are, make a passphrase, which is a very secure option.
- Use a combination of letter case, numbers, and symbols if you’re not using a passphrase.
- Don’t use the same password for more than one site. I can’t stress this enough. Use a password storage application that has encryption and passwording of its own, like 1Password or KeePass.
- Use 2-factor authentication wherever you feasibly can. Google offers this for all accounts. For WordPress, there are a few good plugin options, and on WordPress.com, we offer 2-factor as an option for all users.
- When you set up a new WordPress installation, don’t use admin as your username. Pick something else.
- For self-hosted WordPress installations, know what your security keys are and how to change them if you suspect a breach.
Krebs posted a link to the password policy page on the WordPress.com support site (for which I feel a bit of pride because I helped write its current incarnation), which goes into more detail and starts with easy stuff you can do and moves on to more complicated options. If you want more tips, I suggest you check it out.
Remember that the best option for protecting yourself from password-based attacks is simply to have good personal password policies and stick to them. For any service that uses a single authentication factor, it’s your job to make sure that factor is created and maintained as secure.