Starting on Black Friday and going solid through Cyber Monday (after which it slowed only a little), my blog has been getting hit by a distributed brute-force password attack. All weekend, I would get pings that WordPress had blocked yet another IP address, and I couldn’t help but be of two minds. On the one hand, I had to laugh a little – over two hundred IP addresses had been blocked, and I don’t believe they would be able to brute-force a 150-bit password with four guesses each. On the other hand, it’s not the IP addresses that were blocked that you have to worry about; it’s the ones that weren’t blocked and succeeded, or, worse, exploited some other vulnerability. Were the brute-force password attempts just a distraction?
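The pattern described above (many source addresses, each making only a few guesses, with the real worry being the one that was not blocked and got in) is easy to check for in the web server's own access log. The script below is an added example and not code from the original post; it assumes combined log format with logins posted to `/wp-login.php`, and it relies on the fact that WordPress answers a failed login with a 200 (re-rendered form) and a successful one with a 302 redirect. The log lines are constructed sample data, and the "distributed" thresholds are arbitrary assumptions to tune for your own traffic.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Nov/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Nov/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Nov/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Nov/2013:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Nov/2013:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Nov/2013:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Nov/2013:02:16:02 +0000] "GET /2013/11/some-post/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Nov/2013:02:16:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Nov/2013:02:16:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Nov/2013:02:16:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 45021 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def login_posts(log_text):
    """Yield parsed records for every POST to wp-login.php (query string ignored)."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            yield rec


def attempts_per_ip(log_text):
    """Count login POSTs per source address."""
    return Counter(rec["ip"] for rec in login_posts(log_text))


def possible_successes(log_text):
    """Addresses whose login POST was answered with a 302: WordPress redirects on
    success and re-renders the form with a 200 on failure. These are the ones to
    investigate, not the ones the lockout plugin already blocked."""
    return sorted({rec["ip"] for rec in login_posts(log_text) if rec["status"] == "302"})


def is_distributed(counts, min_ips=3, max_per_ip=5):
    """Heuristic (assumed thresholds): many distinct sources, each staying
    under a per-IP lockout threshold, is the signature of a distributed attempt."""
    return len(counts) >= min_ips and max(counts.values(), default=0) <= max_per_ip


def summarize(log_text):
    counts = attempts_per_ip(log_text)
    return {
        "distinct_ips": len(counts),
        "total_attempts": sum(counts.values()),
        "distributed": is_distributed(counts),
        "possible_successes": possible_successes(log_text),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, the summary reports four sources, eight attempts, the distributed heuristic firing, and one address (192.0.2.44) that got a redirect after its second try; a per-IP block list would never have noticed it, because it stayed under any sensible lockout threshold.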
This gives rise to the question, “Are my security measures enough?” Since I was thinking about them anyway, I went ahead and took the time to upgrade a few things that were lacking, and took a hard look at some of the other things I could do.
The first, and most obvious, step is to check my password strength and, in fact, to go ahead and update it. If you think someone is trying to steal your password, there’s no reason not to update it and make it better. Second, and less obvious, was to restrict the permissions of the user I use to blog. In this case, I moved the network superadmin role off the user that I post blogs with (which, not surprisingly, is the username they were trying). Now the superadmin doesn’t post any blogs, so that username should be unknown to an attacker. This also limits their ability to attack anything outside my blog – i.e. ideally they couldn’t attack the rest of the network. Finally, I did some backups and compared the code to the known-good version I have available – just to be sure that someone didn’t get in and change something in the WordPress or template code.
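The last step above, comparing the live install against a copy you trust, is worth doing mechanically rather than by eye. The script below is an added example, not code from the original post or from WordPress; it hashes every file under a known-good tree and a live tree and reports what was modified, added or removed, skipping `wp-content/uploads/` (an assumed ignore list, since uploads legitimately change). The `demo()` function builds two small constructed trees in a temporary directory so it runs offline; against a real site you would point `compare_trees()` at your backup and your web root.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def tree_digest(root):
    """Map relative path (forward slashes) -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_trees(known_good, live, ignore_prefixes=("wp-content/uploads/",)):
    """Diff a trusted copy against the live install. Paths under ignore_prefixes
    (assumed default: user uploads) are left out of every category."""
    good = {k: v for k, v in tree_digest(known_good).items() if not k.startswith(ignore_prefixes)}
    cur = {k: v for k, v in tree_digest(live).items() if not k.startswith(ignore_prefixes)}
    return {
        # same path, different content: the template/core tampering the post worries about
        "modified": sorted(k for k in good if k in cur and good[k] != cur[k]),
        # present only in the live tree: dropped files, stray backups, unknown plugins
        "added": sorted(k for k in cur if k not in good),
        # present only in the trusted copy
        "removed": sorted(k for k in good if k not in cur),
    }


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(data)


def demo():
    """Build two constructed trees (not a real WordPress install) and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "good"), Path(tmp, "live")
        for root in (good, live):
            _write(root, "wp-login.php", "<?php // login form\n")
            _write(root, "wp-content/themes/mytheme/header.php", "<?php // header\n")
        # Live copy: a changed theme template, an unexpected extra file, and a normal upload.
        _write(live, "wp-content/themes/mytheme/header.php", "<?php // header\n// unexpected change\n")
        _write(live, "wp-content/themes/mytheme/footer-old.php", "<?php\n")
        _write(live, "wp-content/uploads/2013/11/photo.jpg", "constructed placeholder, not a real image")
        return compare_trees(good, live)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Two practical notes: keep the known-good copy somewhere the web server cannot write to, otherwise whoever changed the live tree can change the baseline too; and treat "added" files with the same suspicion as "modified" ones, since a new file in a theme or plugin directory needs no change to existing code to be reachable over HTTP.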
The most curious thing, though, is why. If it’s money, or, more specifically, ad space, it’s probably not worth it – my community isn’t large enough to warrant the time. On the other hand, if it’s adding nodes to a botnet, I can see the value. Every additional node matters to an operation like that, since they lose nodes over time and must replace them to maintain any power. If it’s additional capacity for a distribution network (porn, pirated software, or other illicit digital goods), again, I can see that it might be worth it for them.
At least for now, they seem to have quieted down – I’m certainly not getting the level of traffic I was a week ago. This, in my mind, is the part that scares me the most – what are the chances that they gave up without getting what they came for?
Since you don’t actually manage the WordPress system, I’m not sure what else you can do, other than make a ridiculously difficult password to crack (and usually remember, too, unless you do a horse battery staple correct style password). Separating admin from content is generally a good idea (think sudo), but arguably, the content is what’s actually critically important to the blog (which is why I think there’s something “missing” or at least a disconnect from the notion that a separation of powers is sufficient from a security perspective, a la root vs. non-root user in the Unix/Linux world).