A huge botnet of home routers has targeted WordPress sites with brute-force attacks over the last few weeks. Brute-force attacks are a risk for WordPress websites with insecure passwords, and they can cause problems even if a site has secure passwords by consuming a significant proportion of its resources.
A botnet is a collection of compromised internet-connected machines under the control of a malicious actor. Botnets are nothing new, but until recently, creating a large botnet was a difficult technical challenge. They were usually made up of hacked Windows PCs. Attackers compromise PCs and install malware, which is used to control the machine. Botnets are used for a wide variety of online crimes, including brute force attacks, distributed denial of service attacks, and spamming.
But in recent years, it’s become more common to see Internet of Things devices used in botnets. In this case, home routers shipped with vulnerable software accessible to the internet. You can see the full technical details in this WordFence post, but, in a nutshell, the routers expose a web server so that ISPs can send instructions to the device. Unfortunately, the web server is easily hacked, allowing criminals to install malicious software.
Tens of thousands of these routers have been used to target WordPress sites with brute-force attacks. Brute force attacks aren’t particularly sophisticated; they simply attempt to login to WordPress sites with guessed username and password combinations. Criminals know which passwords people are most likely to use, which increases their chances of finding the right combination.
Once the attackers figure out a valid username and password combination, they are able to take over the site and install software, deface pages, redirect users to malware sites, send spam, and so on.
If a WordPress site uses strong passwords on all accounts, the chance that a brute-force attack finds the right combination of credentials is minute. Brute-force attacks have an extremely low chance of success against properly secured WordPress sites. However, it’s impossible to guarantee that every user with an account understands how to create and use a decent password, so the best way to combat brute-force attacks is two-factor authentication.
Two-factor authentication combines the traditional username and password with a second factor: usually a one-time code delivered to a mobile device. Without the one-time passwords — which can only be used for a short period of time — the attacker will not be able to authenticate even if they manage to guess the username and password. Two-factor authentication effectively mitigates brute-force attacks.
There are several excellent two-factor authentication plugins for WordPress, including Duo Two-Factor Authentication and Google Authenticator – Two Factor Authentication.
But there remains the problem of resource use. Every time a WordPress site rejects a login attempt, resources are consumed. If a botnet decides to make thousands of login attempts in a short period of time, a substantial proportion of the site’s available resources can be wasted.
To avoid that happening, WordPress users can install a rate limiting plugin like WP Limit Login Attempts, which limits the number of failed login attempts that can be made from an IP address. Rate limiting isn’t a surefire way to beat botnet brute-force attacks, botnets have IPs by the thousand, but it can reduce the resources consumed by malicious login attempts.