Attacks/Breaches
4/15/2013
11:21 AM
Connect Directly
RSS
E-Mail
50%
50%

WordPress Hackers Exploit Username 'Admin'

Thousands of WordPress sites with accounts that use the common default username 'admin' have been hacked. One theory: the creation of a large WordPress botnet.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Attention, WordPress users: If you have a WordPress username set to "admin," change it immediately.

That warning was issued Friday by WordPress founder Matt Mullenweg, in the wake of reports that thousands of WordPress sites with an administrator username set to "admin" or "Admin" had been compromised via large-scale brute force attacks. Service provider HostGator, notably, reported Thursday that "this attack is well organized and ... very, very distributed; we have seen over 90,000 IP addresses involved in this attack."

According to survey website W3Techs, approximately 18% of all websites -- by some estimates, about 64 million sites -- run WordPress.

[ Could a hacker use a smartphone to bring down your plane? Read Airplane Takeover Demonstrated Via Android App. ]

Successfully exploited sites get a backdoor installed that provides attackers with ongoing access to the WordPress site, regardless of whether a user subsequently changes the password guessed by attackers. Exploited sites are then used to scan for WordPress installations, and launch the same type of attack against those sites.

Thankfully, a quick solution to the attacks is at hand: ensure no WordPress site uses any of the targeted usernames, which include not just admin and Admin but also "test," "administrator" and "root."

Anecdotal evidence suggests that many WordPress installations are still using the default setting of "admin" for their administrator account. "Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using 'admin' as their default username," said Mullenweb in a blog post. "If you still use 'admin' as a username on your blog, change it, use a strong password, if you're on WP.com turn on two-factor authentication, and of course make sure you're up-to-date on the latest version of WordPress."

But what are attackers after? "The discussion at the moment is the creation of a large WordPress botnet. While we haven't seen evidence of this, it's an interesting theory," said Tony Perez, COO of security firm Sucuri, in a blog post. He noted that WordPress botnets have already been used by brobot -- aka itsoknoproblembro -- toolkit-using attackers who've been compromising large numbers of legitimate sites and using them to launch distributed denial-of-service (DDoS) attacks against U.S. financial institutions' websites. A self-described Muslim hacktivist group, al-Qassam Cyber Fighters, has taken credit for the months-long attack campaign. But there's no evidence that the WordPress admin-account attacks are being conducted by the same group.

The WordPress "admin" attacks aren't new, but they've recently tripled in volume. "We were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days," said Sucuri CTO Daniel Cid in a blog post. "That means that the number of brute force attempts more than tripled."

According to Cid, of the approximately 1,000 different password guesses used by attackers, the six most commonly guessed passwords are "admin," "123456," "666666," "111111," "12345678" and "qwerty."

The advice to change frequently used admin-level credentials -- and to use a strong password -- applies to users of both the hosted WordPress.com site that offers hosted blogs, as well as the standalone WordPress software that is downloadable from WordPress.org. To date, however, only WordPress.com offers two-factor authentication built in. But two-factor authentication can be added to standalone WordPress installations using software from Duo Security that can generate one-time codes for log-ins, via either a smartphone app or SMS.

Other defenses against the WordPress attackers include using a Web application firewall to block the attacks. Other users, meanwhile, have reported using a variety of WordPress plug-ins -- including Lockdown WP Admin, Better WP Security and Bulletproof Security -- or simply restricting access to wp-admin, which provides access to the WordPress admin console, to approved IP addresses.

Eliminating the account names most often targeted by attackers, however, might be the quickest and least expensive solution for most users, at least in the short term. "Do this and you'll be ahead of 99% of sites out there and probably never have a problem," WordPress founder Mullenweg said. "Most other advice isn't great -- supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plug-in isn't going to be great (they could try from a different IP a second for 24 hours)."

People are your most vulnerable endpoint. Make sure your security strategy addresses that fact. Also in the new, all-digital How Hackers Fool Your Employees issue of Dark Reading: Effective security doesn't mean stopping all attackers. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
dfiel
50%
50%
dfiel,
User Rank: Apprentice
4/16/2013 | 11:34:36 PM
re: WordPress Hackers Exploit Username 'Admin'
"If you have a WordPress username set to "admin," change it immediately."

I'm running the latest WordPress 3.5.1 and it says "Usernames cannot be changed." on the edit profile page. So instead, you need to create a new admin user. Then login as your new administrator either delete the stock admin user or set its role to "No role for this site".
Mathew
50%
50%
Mathew,
User Rank: Apprentice
4/17/2013 | 9:42:18 AM
re: WordPress Hackers Exploit Username 'Admin'
Thanks for the tip, dfiel. Best probably to delete "admin" entirely and use something random/obscure. Here's to password managers/vaults ...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.