This entry was posted in WordPress Security on February 10, 2014 by Mark Maunder 35 Replies

Update at 10am EST, Feb 11th: The attack appears to be abating with brief spikes in activity. We’ve upped the amount of attacks you see on the security map on www.wordfence.com to 50% and as you can see traffic is reduced. We’re continuing to monitor this and will email an update if necessary.

As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the amount of traffic we show down to 4% of actual traffic.

Starting at 11am EST this morning we saw a roughly 30 times increase in the volume of brute force attacks across WordPress websites running the WordPress.org software. The attack ramped up so quickly that we initially questioned the data we were seeing and immediately deployed code to verify that the reports we were receiving were accurate and not an attack on our own systems. Within a few seconds it became clear that the attack was in fact real and being reported from across the universe of WordPress websites.

Some definitions if you’re not in the InfoSec field: A brute force attack is when an attacker tries many times to guess your username password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this in order to circumvent any blocking mechanisms you have in place.

If you’re using the free or paid version of Wordfence you should have the option to “Participate in the real-time Wordfence security network” under ‘Other options’ enabled. This will immediately block any attack originating from an IP address that has attacked other WordPress sites. This is an effective defense against this kind of attack.

We recommend that until this passes you monitor your WordPress websites closely for unusual activity including logins, account creation or changes to the public facing website.

We will continue to monitor this attack and will post updates here and on our WordPress Security mailing list which you can subscribe to on this page.