The Attack on WordPress

It has been reported in a number of places that WordPress is under attack from criminal elements attempting to commandeer WP servers to create a super botnet. Since I use WordPress.com, the only thing I could think to do was to change my own user password to something even stronger than it was, something that would take an average desktop PC 322 septillion years to crack. Even this does not help me rest very easy, because we’ve seen that more powerful computers are being used to crack passwords much more rapidly, and I don’t know how fast a GPU-equipped machine – or a network of them – would be able to get into my individual account.


Of course, if someone manages to compromise the servers at wordpress.com where my account resides, the whole issue of my own password strength could be moot.

One other disturbing thing – within the last little while, I’ve had a rash of “followers” show up on my blog. Most of them have empty gravatar profiles, no links, no blogs, or are from strange countries like Haiti or Malaysia, places where I would not expect people to take an interest in what I write. Could these followers be related to what’s going on with WordPress? Or is this a devious new way to get linkbacks, akin to comment spam?

I wish I knew. Any other WordPress bloggers experiencing things like this?

The Old Wolf is puzzled.

11 responses to “The Attack on WordPress”

  1. Pingback: Seriously, WordPress – Some weird stuff is going on. | Playing in the World Game

  2. Pingback: Hacking WordPress | A German Expat's Life in Texas

  3. Should someone with malice in mind gain access to a store of WordPress users’ passwords, it is highly likely that what they find consists of not the plain-text passwords themselves, but rather the hashed and encrypted versions of same. A hash is a complex mathematical one-way checksum of a set of data, with “one-way” meaning that you cannot work your way back to the original password from the hash.

    Knowing that the hash is, say, “9892a0eb 6d411ec5 3c01c4ef 8750bca1 48db650f”, does not tell you that the password is “MyExc3llentP455worD”. Rather, the would-be intruder has to count through every possible password combination one by one, hash them and compare them to the captured hash. Only when a complete match is found (and it has to be 100% – there’s no such thing as a partial match), only then is your password truly compromised. With a sufficiently complex and non-common password, this is likely to take many years.

    And I haven’t even started on salted and encrypted hashes yet.

    So how DO passwords get broken? Human nature, mostly. A sad but significant percentage of password users still tend to choose easy-to-guess passwords. There’s a long and publicly available list of the most common passwords that yours better not be on, because that’s likely to be checked first. Then names, dates, common dictionary words and so on, before the attacker even begins on brute force counting.
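The comment above describes the defender's side of the picture: a password store holds salted, one-way hashes, a login check re-hashes the candidate and compares, and the only cheap way in is a password that sits on the common-password list. The following Python is an added illustration of exactly those three points, written for this page; it is not the commenter's code and not how WordPress itself stores passwords. It assumes PBKDF2-HMAC-SHA256 from the standard library as the one-way function, a per-user random salt, and a short constructed stand-in for the public common-password list.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the long, public "most common passwords" list the
# comment refers to; a real deployment would load the full published list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def is_weak(password: str, min_len: int = 12) -> bool:
    """True if the password would fall to the first things tried against it:
    the common-password list, or simply being too short to resist counting."""
    if len(password) < min_len:
        return True
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Store 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The salt is random per user, so two users with the same password get
    different stored values and a precomputed table of hashes is useless.
    The iteration count makes each guess deliberately slow for everyone,
    including an attacker who has copied the store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the candidate and the stored salt/parameters.
    Nothing here reverses the hash; the stored value only lets us recompute."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: a full match or nothing, never "close".
    return hmac.compare_digest(digest.hex(), hash_hex)


def salts_differ(password: str, iterations: int = 1_000) -> bool:
    """Hash the same password twice with fresh salts and confirm the stored
    strings differ, which is why a leaked table cannot be cracked in bulk."""
    return hash_password(password, iterations=iterations) != \
        hash_password(password, iterations=iterations)


if __name__ == "__main__":
    for candidate in ("password", "Qwerty", "MyExc3llentP455worD"):
        print(f"{candidate!r}: weak={is_weak(candidate)}")
    stored = hash_password("MyExc3llentP455worD")
    print("stored:", stored)
    print("correct password verifies:",
          verify_password("MyExc3llentP455worD", stored))
    print("wrong password verifies:",
          verify_password("myexc3llentp455word", stored))
    print("same password, different salts:", salts_differ("MyExc3llentP455worD"))
```

Run it and the output shows the three ideas from the comment in order: the common-list check rejects "password" and "Qwerty" before any hashing happens, the stored string carries algorithm, cost, salt and digest but nothing that can be walked back to the password, and only an exact match verifies. The 600,000-iteration default is a reasonable present-day cost for PBKDF2-SHA256; a higher count slows legitimate logins slightly and every attacker guess by the same factor.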

  4. A small apropos to password security: I spoke with a client who called on our tech hotline, and he complained about the pointlessness of Windows passwords. “All someone has to do,” he said, “is type my first name, which is right there on the screen, and they’re in!”

    He was worried because it was his work computer, full of sensitive information, and it had been set up by the IT guys at his office. One half point for guessing which super-strong password they had picked for him. He said he “would have words with them” first chance he got.
