Hackers conducting botnet attacks through 20k hacked WordPress sites

Hackers conducting botnet attacks through 20k hacked WordPress sites

A newly published research from Defiant, a WordPress security firm, reveals that there is a botnet hunting for WordPress sites using over 20,000 already compromised WordPress sites. As the new sites are infected, these automatically become part of the bot army and start acting on the directions of the attackers to perform tasks like brute forcing the logins for new WordPress sites.


Defiant further claims that between the IP blacklist and their Wordfence brute-force protection module, more than 5 million authentication requests from the attackers have been blocked by the company. This is a large-scale campaign where infected websites implement dictionary attacks on new, uninfected websites. Using this attack method, the bots can endlessly try different usernames and passwords combination until the real code is identified and the bot manages to break into a WordPress site.

See: 10 Ways to Protect Your WordPress Site You Didn’t Know About

Defiant Security’s Mikey Veenstra offers additional insight into the campaign. According to Veenstra, the botnets are being run by C&C servers that make the infected sites locate and infect other secure sites. More than 14,000 proxy servers are deployed to transmit information across the servers, and a listing of WordPress targets is also identified that the bots will be attacking.

Hackers conducting botnet attacks through 20k hacked WordPress sites
WordPress attack chain

“If the brute force script was attempting to log on to example.com as the user Alice, it will generate passwords like the example, alice1, alice2018, and so on. While this tactic is unlikely to succeed on any one given site, it can be very effective when used at scale across a large number of targets,” stated Veenstra.

“We also noted that the User-Agent strings associated with these requests matched those used by applications commonly seen interacting with the XML-RPC interface, likewp-iphone and,wp-android” added Veenstra.

Basically, brute-force attacks target the WordPress XML-RPC implementation to extract username and password combination for a website and look for valid accounts. XML-RPC is the endpoint (located in the WordPress root directory at the xmlrpc.php file) used by external users to post content on a WordPress site remotely using the WordPress APIs.

The issue with XML-RPC is that in its default implementation it performs rate limiting on the number of API requests issues against it. So, an attacker can try throughout the day to break into the website using different combinations of usernames and passwords. No one will receive an alert unless the logs are manually checked.

Hackers conducting botnet attacks through 20k hacked WordPress sites
Command & Control Server Interface

Reportedly, four C&C serves are utilized by the attackers to issue commands to the army of WordPress botnet. The proxy servers are located at the Best-Proxies.ru service in Russia.

See: WordPress GDPR Compliance plugin hacked to spread backdoor

However, Defiant Security also claims that the botnet isn’t as sophisticatedly created, and hence, it isn’t foolproof. Security researchers have identified the infrastructure that’s supporting these attacks as well as the loopholes present in the authentication system. It is possible to protect your website from the WordPress botnet.

The task of safeguarding your WordPress site involves a lot more than security plugin installation. You need to devise a complete strategy, taking even subtle nuances into consideration. The best possible solution is to install a security plugin that can prevent brute-force attacks/dictionary attacks because the XML-RPC service cannot bypass security plugins even if there are repeated attempts to login on your website.

Related Posts