Video Screencast Help
Cyber Security Services

WordPress Botnet Explodes Over Weekend

Created: 23 Apr 2013
uuallan's picture
+1 1 Vote
Login to vote

WordPress is the most commonly used blogging platform. It is easy to install and has a great ecosystem of plugins and enhancements that extend its capabilities beyond simply posting pictures of your cats. Unfortunately, millions of inexperienced users means that it is also a target for attackers. There are generally two types of attacks against WordPress: Password attacks and Cross Site Scripting. Password attacks can occur in two ways. The first is simply to attempt to use the default passwords, which many users don't bother to change. The second type of password attack is a password guessing attack. WordPress, and its plugins, use a number of well-known defauly usernames (usually: admin) and many users don't look at failed password authentication attempts, making it an easy target for attackers. WordPress, and its plugins, are well-known for being vulnerable to cross site scripting attacks. Just since the beginning of 2013 Symantec has reported 12 vulnerabilities in WordPress, half of which included a cross site scripting component. 

All of these factors have come together to the point where attackers are using WordPress to build a botnet with potentially more than 90,000 nodes. This is not the first time that WordPress sites have been used to build a botnet, but this may be the largest botnet ever created in this manner. 


At Symantec we have seen to big spikes in malicious port 80 traffic over the last week that could be indicitive of these WordPress attacks. Of the top 10 port 80 attacks we are seeing, 3 of them are WordPress related:  WordPress WP Symposium Plugin CVE-2013-2695 Cross Site Scripting, WordPress WP Symposium Plugin 'u' Parameter Open Redirection Vulnerability and WordPress FunCaptcha Plugin Cross-Site-Request Forgery Vulnerability.

If you are using WordPress as your blogging platform, make sure all of your plugins are up to date, change default passwords, and -- wherever possible -- change default login names. In addition monitor administrative logs for password guessing attacks and other unusual behavior.