Earlier this month, WordPress users across the world (as well as users on other platforms) fell victim to a massive brute-force attack on their sites.
The hack, or attempted hack, used a large botnet (a network of compromised computers doing the bidding of someone else) to repeatedly try and guess passwords on WordPress sites to gain administrative access to them. From there, the botnets would take over the sites and attempt to integrate them into a new bothnet, one made up of high-powered servers with better connections to the Web.
For most sites, the hacking attempt was pretty harmless. If you don’t use the original “admin” account and have a password that is easily guessed, you were most likely safe from the attack. Rather, the attack was an attempt to cast a broad net in hopes of finding the low-hanging fruit, sites that can be trivially broken into.
But while your site is probably fine as long as you took even the most basic precautions, there were still repercussions. The weight of thousands of attempts to login put a strain on many people’s servers, especially if the server had many different WordPress sites. This resulted in websites slowing to a crawl and even shutting down, including ones not directly affected.
But while the worst seems to have passed for now, there are still some lessons to be learned from it and it’s important to grasp them before the next wave hits.
Because if there’s one thing that’s for certain, there is another wave coming.
1. No More “Admin”
The first lesson to glean is that, if your WordPress installation still has a working administrator account with the name “admin”, it’s time to get rid of it.
Your username is, quite literally, your first line of defense. If it is easily guesses, then all someone has to do is figure out your password and they’re in. Don’t make it easier on hackers than it has to be.
With this attack, even if your password had been “12345” (the kind of thing an idiot would have on his luggage), if your username were not “Admin” you’d still be safe.
Make your username something unique to you and something that can’t be easily guessed. Your site will be much more secure and it only takes a few seconds.
2. The Need for Good Hosting
Many WordPress users tend to “cheap out” on hosting, paying only a few dollars per month for a shared hosting account. This works great as long as traffic is low and the site is relatively simple. But if more than a few dozen people come knocking at once trouble can arise, especially if your site isn’t using good caching.
This attack shows that you never know when a traffic spike might strike. Though this hardly had the weight of a traditional DDOS attack, for many sites on low-quality hosts, it had much the same effect.
If your server folded under the weight of this botnet, how is it going to handle a traffic spike from Reddit or a viral post? It probably won’t be able to.
3. The Usefulness of CDNs
One of the first sources to talk about the botnet attack was Cloudflare, a content delivery network that also works to filter out bad bots.
Though many are skeptical of Cloudflare after its over-the-top warnings on the Spamhous DDOS attack, the point remains that services like Cloudflare and Distil, which filter out bad bots, can provide a useful service for mitigating such attacks.
If you aren’t using one of these services, it may be worth taking the time to see if they are right for you.
4. WordPress Itself is Secure
To be clear, WordPress can and from time to time does have security vulnerabilities. However, they are usually patched quickly after discovery. Plugins are much more common sources of traditional vulnerabilities.
However, this wasn’t an attack against WordPress itself. The attackers weren’t exploiting a vulnerability in WordPress’ core. Instead, they were simply knocking on doors hoping to find one unlocked.
If the hackers had found an exploit in WordPress, it’s reasonably safe to say that they would have done so and the attack would have been much worse. However, they didn’t have one and, as a result, they were forced to spend a lot of energy to try and pick of the low-hanging fruit of poorly-secured sites.
5. This Won’t Be the Last Attack
Though this attack was breathtaking in its size, it was not the first attack of its type and it will not be the last.
Inevitably, someone else is going to try and launch a similar offensive, possibly with a larger botnet, using more passwords and creating bigger headaches.
There’s an old samurai saying says, “When the battle is over, tighten your chin strap.” The battle may be over for now, but the next one is just on the horizon. Now is the time to plan.
To be clear, the attack was bad. However, it could have been a great deal worse.
The attackers weren’t really interested in hacking every WordPress site and, instead, were just trying to find easy targets. It’s akin to having thousands of people fan out in a city to try to find unlocked cars with the keys still inside.
The attack only targeted WordPress because it is so common and used by so many people that are inexperienced with security. It had nothing to do with a vulnerability within WordPress itself or any particular plugin.
Since it has passed, now is a great time to be thinking about security of your site and how you’ll protect yourself against the next one, which will likely be bigger and better organized.
Fortunately, the precautions that are most important aren’t that difficult to take. Ditching your “admin” account, if you have one, and setting a good password only takes a few seconds and is probably the most important thing you can do.
If you can do that and keep your installation/plugins up to date, you’ll probably be head and shoulders over many who use WordPress and will be much more likely to get caught in the next wave of hacking attempts.