Reports of an attack against WordPress and Joomla sites spread through the tech community this weekend, as a large botnet launched brute-force, dictionary-based login attempts on user accounts. According to researchers at hosting companies like CloudFlare and HostGator, some 90,000 IP addresses were involved in the latest series of attacks, leading them to speculate that the overarching goal is to expand the botnet of infected computers to potentially create a super botnet. With some 18% of websites running WordPress, the potential scale is enormous.
Although the attack is no longer breaking news, we wanted to alert LastPass users and clarify what you should know:
- The attack is focusing on common account usernames – admin, test, administrator, Admin, root – and is systematically testing common passwords to break in to accounts with those usernames. The top five passwords attempted in the hack are “admin,” “123456,” “111111,” “666666,” and “12345678.”
- The goal is not a data dump of user accounts – this is a large-scale attack that aims to take over a user’s machine, using the server as a stepping stone in order to add it to the botnet’s arsenal. A network of compromised machines can wreak havoc in a distributed denial-of-service (DDoS) attack.
- If you are a WordPress user using CloudFlare, you are protected from the latest attack, according to their blog post.
The best steps LastPass users can take at this time:
- If you’re still using a default username on your WordPress account, change it immediately.
- To be on the cautious side, change your WordPress passwords immediately, especially if you are using a common password, as WordPress founder Matt Mullenweg noted on his blog.
- Use LastPass to generate a strong, unique password for your account(s). The LastPass security check, in the Tools menu of the LastPass Icon, will also help you identify weak or duplicate passwords on other accounts.
- If you’re using a WordPress.com account, activate two-factor authentication.