Forum Library, Charter, Moderators: lorax & rogerd

WordPress Forum

This 31 message thread spans 2 pages; this is page 1.
Global Wordpress Brute Force Flood Underway
it's not Google - it's Hackers!
backdraft7




msg:4564179
 12:51 pm on Apr 12, 2013 (gmt 0)

Over the past week we have been reporting strange patterns where traffic just stops cold. Our SERPs look fine, but traffic is sparse and the little that is making its way through is not producing.

Our knee-jerk reaction is to blame Google, but after reporting my observations to my web host, they finally opened up and released a statement. This is affecting "virtually every web host in existence".

Please read this article and take appropriate action: change your WP password immediately and update to the latest version and plugins. I have suspended all non-essential hosts until this blows over...if ever!
Damn hackers!

Global Wordpress Brute Force Flood 4/11/2013 : [blog.hostgator.com...]

 

jpch




msg:4564411
 2:21 am on Apr 13, 2013 (gmt 0)

This might be helpful:

https://gist.github.com/boogah/5373406

tedster




msg:4564413
 2:40 am on Apr 13, 2013 (gmt 0)

This is serious. A 90,000 IP address botnet is at work in the brute force attack.

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

[krebsonsecurity.com...]

netmeg




msg:4564488
 1:53 pm on Apr 13, 2013 (gmt 0)

Also, make sure none of your admin accounts use the username "admin".

nomis5




msg:4564491
 2:22 pm on Apr 13, 2013 (gmt 0)

>> Also, make sure none of your admin accounts use the username "admin".


And doesn't have a password of "password"!

shoreline




msg:4564498
 2:53 pm on Apr 13, 2013 (gmt 0)

You can also add the following to your .htaccess file inside your public_html directory, which will then protect all the Wordpress websites under that folder.

Only catch is, if your IP address changes, you'll need to modify that one .htaccess file before you can log into your Wordpress sites. Small price to pay for additional security of many Wordpress installations.

# Apache 2.2-style access control (Order/Deny/Allow): only the listed address
# can reach the login page; every other client gets 403
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 1.2.3.4
</Files>

httpwebwitch




msg:4564510
 3:47 pm on Apr 13, 2013 (gmt 0)

Password protect your WP login page! It's one of many, many improvements you can make to harden wordpress against brute force attacks, DoS attacks, scannerz and scraperz and bots zombiez and vampirez etc.

on the command line:

# -c creates the password file (and overwrites an existing one); drop it when adding more users
> htpasswd -c /path/to/web/root/.wplogin your_name

then put this in your .htaccess:

# a stock Apache config only refuses to serve files whose names start with .ht,
# so keep the password file outside the document root or deny access to it explicitly
<FilesMatch "wp-login.php">
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /path/to/web/root/.wplogin
Require valid-user
</FilesMatch>

There are lots of wicked tutorials on the interweb explaining how to do that better than I have.

dvduval




msg:4564559
 8:55 pm on Apr 13, 2013 (gmt 0)

Make it look like your site is not running wordpress, or better yet, don't use wordpress! I don't lose any sleep over wordpress because I am not running it.

seoskunk




msg:4564568
 9:20 pm on Apr 13, 2013 (gmt 0)

I can't help feeling good luck to them; so many wordpress sites are created as feeder link sites or just pure dross, you gotta think they deserve to be hacked!

incrediBILL




msg:4564573
 9:36 pm on Apr 13, 2013 (gmt 0)

If you still use WordPress saying "I told you so" would be redundant so instead I'll say "I informed you thusly".

It's a good time to think about using WordPress hosting separate from your server or Drupal, something that takes the crosshairs off your site.

lorax




msg:4564620
 2:13 am on Apr 14, 2013 (gmt 0)

>> crosshairs

It doesn't matter what CMS you use, someone's out there looking for ways to hack it.

incrediBILL




msg:4564653
 6:06 am on Apr 14, 2013 (gmt 0)

>> It doesn't matter what CMS you use, someone's out there looking for ways to hack it.


That would be incorrect, as I'm going out on a limb that some developers think more about security and do more code review than others. That is the risk of Agile development: things ship before it's safe to ship because things literally aren't thought out as well; it's the nature of the beast by definition.

lorax




msg:4564705
 1:14 pm on Apr 14, 2013 (gmt 0)

Ah.. as far as code development goes - yes, I agree with that. And because of the popularity of WP, the likelihood of bad code being released is greater and therefore a larger attraction to hackers. So the focus/attraction is larger for WordPress sites than it would be on, say, a Drupal site or homegrown CMS.

dataguy




msg:4564726
 4:32 pm on Apr 14, 2013 (gmt 0)

My multi-user CMS has 30,000 active members, and over 300,000 pages, and every content page accepts comments without a captcha, even from anonymous users.

My secret? It's my own software, and it's not worth hackers' time to write a bot or deploy a botnet for my one-of-a-kind website.

I've considered switching to Wordpress MU in the past. It's times like this that make all the extra work worth it.

backdraft7




msg:4564853
 3:59 am on Apr 15, 2013 (gmt 0)

According to my hosting company, this attack is "ongoing". It is coming in waves and besides just messing with wordpress, this is tantamount to a DDoS attack and is holding up other traffic, even to your HTML sites. Sunday morning the attack lessened and sales became brisk, but it picked up heavy by noon and blasted servers all day. People sat on pages that took way too long to load so they bailed.

Can't say it's much worse than Googlebot who has also been hammering our server, accounting for over 50% of today's traffic.

diberry




msg:4564861
 5:06 am on Apr 15, 2013 (gmt 0)

If one argues that people shouldn't use Wordpress because its popularity makes it a target, one should also argue against the use of Windows PCs for the same reason, if one wishes to appear consistent. ;)

Wordpress out of the box is not without vulnerabilities - just like a PC without virus software. But in both cases, there's a lot you can do to make them more secure. You just have to be aware there's a problem, find out what you need to do, and then do it.

incrediBILL




msg:4564870
 6:39 am on Apr 15, 2013 (gmt 0)

Comparing WordPress to Windows is a bit silly as MS spends many millions on security and since Windows Vista/7/8 has made huge strides to clean up their act and for the first time ever wasn't on the top 10 vulnerability lists while Apple finally made those lists. They may get a lot of flack but Windows isn't the problem most of the time, it's all the other stuff people run on Windows causing the problems such as Java, etc. Likewise, Linux servers when configured properly are pretty dang secure until you install something like WordPress on the server. For the most part it's almost always the 3rd party software that allows hackers to gain access to the OS, not the OS itself, yet the OS takes the heat for their 'vulnerability' which is nonsense.

WordPress, to the best of my knowledge, has never spent that kind of cash and resources to secure their software or we probably wouldn't be having this conversation. People shouldn't have to waste time trying to harden WordPress as it should ship as hardened as possible but that isn't the case. The areas of vulnerability aren't that great in the out-of-the-box product and a team of engineers could harden the heck out of the default product and stop the madness yet it never happens.

Not that I'm a security expert nor do I play one on TV, but I do know what's blatantly bad coding practice and what's good coding practice, and you can't afford to ever cut corners and be sloppy as someone out there will be waiting for that golden opportunity to prove not only are they smarter than you, but they have all your customers' credit card numbers and have already sold them to the Russians! :)

jecasc




msg:4564883
 7:31 am on Apr 15, 2013 (gmt 0)

If Wordpress were that vulnerable, the current attackers would probably not do a brute force attack on passwords but try to find and then use an exploit in the source code.

They are not targeting Wordpress but stupid users who use "admin" as username and a dictionary word as password.

alika




msg:4565008
 6:51 pm on Apr 15, 2013 (gmt 0)

Our servers crashed last week after a load of attempts to login to our Wordpress. As mentioned here, we password protected our Wordpress login for added security.

However, since we put in place the password protection, we got a notice from Google Webmaster Tools about "Increase in authorization permission errors". GWT was reporting errors in the form of

wp-login.php?redirect_to=http%3A%2F%2Fwww.DOMAIN.com%2FCATEGORY%2FPOSTNAME

We've done this in the past when we had a massive attack, and Google did not raise a fit. So we had to remove the password protection in the meantime to appease the google gods. The authorization permission errors stopped climbing up, but stagnated (we were hoping it would go down).

diberry




msg:4565031
 8:49 pm on Apr 15, 2013 (gmt 0)

Alika, that's too bad.

One of my hosts took it upon themselves to secure the shared servers against these attacks. They do a really good job of educating Wordpress users on how to be secure, but then they also take responsibility for it at the server level.

If you do a search, you can find blogs reporting what usernames and passwords the attack is targeting. If you don't use any of them (and you shouldn't), you should be safe. That said, some of the passwords the hackers are using were very strong and bizarre, which no one understands at this point (no one I've read anyway).

incrediBILL




msg:4565069
 12:50 am on Apr 16, 2013 (gmt 0)

>> We've done this in the past when we had a massive attack, and Google did not raise a fit. So we had to remove the password protection in the meantime to appease the google gods.


When would you let Google crawl your admin pages?

That's insane.

GlobeTradex




msg:4565221
 11:59 am on Apr 16, 2013 (gmt 0)

One should avoid using the common username "admin". Use a combination of alphanumeric and special symbols while creating password and username.

Queldorei




msg:4565240
 1:41 pm on Apr 16, 2013 (gmt 0)

I did it this way:

# prefix location: a regex location such as "~ \.php$" elsewhere in the server
# block takes precedence over it, and the PHP handler must still apply here
location /wp-login.php {
    # Referers matching the site's own host are valid; a request with no
    # Referer at all is also treated as invalid unless "none" is added here
    valid_referers site.ru;
    if ($invalid_referer) {
        return 444;  # close the connection without sending a response
    }
}

lorax




msg:4565247
 2:31 pm on Apr 16, 2013 (gmt 0)

I'm seeing evidence of the botnet attack - straight-up uname/pwd attempts. But I also see an increase in injection attacks as well. Both started about the same time - last Friday.
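The "straight-up uname/pwd attempts" lorax describes show up in the web server access log as bursts of POST requests to wp-login.php. The script below is an added example (not code from this thread, from WordPress, or from any of the hosts mentioned) that pulls two signals out of a combined-format log: the busiest single address, and the site-wide peak, which is what exposes the thinly spread botnet pattern tedster's post describes (tens of thousands of addresses, a handful of attempts each) that a per-IP limit alone misses. The log lines, addresses, timestamps and thresholds are constructed for the example.

```python
"""Spot WordPress login brute-forcing in a combined-format access log.

Two signals are computed over POST requests to wp-login.php:
  1. per address: the most attempts one IP made inside any 5-minute window;
  2. site-wide: the most attempts from *all* addresses inside any 5-minute
     window, which catches a botnet that spreads attempts thinly so that no
     single address ever trips a per-IP limit.
All log lines, addresses and thresholds below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def login_posts(lines):
    """Yield parsed POSTs to wp-login.php; the query string is ignored."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield rec


def max_in_window(times, window):
    """Largest number of timestamps lying inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, per_ip_limit=5, total_limit=20, window=timedelta(minutes=5)):
    """Summarise login activity: noisy single addresses and the site-wide peak."""
    records = list(login_posts(lines))
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec["ts"])
    peaks = {ip: max_in_window(ts, window) for ip, ts in by_ip.items()}
    total_peak = max_in_window([rec["ts"] for rec in records], window)
    return {
        "login_posts": len(records),
        "distinct_ips": len(by_ip),
        "noisy_ips": sorted(ip for ip, n in peaks.items() if n > per_ip_limit),
        "total_peak": total_peak,
        # a high site-wide peak with few or no noisy addresses is the
        # distributed pattern: many sources, one or two attempts each
        "distributed": total_peak > total_limit,
    }


# --- constructed sample log (not captured from a real server) ---------------
def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')


BASE = datetime(2013, 4, 13, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("192.0.2.1", BASE, "GET", "/", 200),
    _line("192.0.2.1", BASE + timedelta(seconds=30), "POST", "/wp-login.php", 302),
    "garbage line that does not parse",
]
# one noisy address: eight attempts fifteen seconds apart
SAMPLE_LOG += [
    _line("203.0.113.7", BASE + timedelta(seconds=15 * i), "POST",
          "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200)
    for i in range(8)
]
# a thin wave ten minutes later: 25 addresses, a single attempt each
SAMPLE_LOG += [
    _line(f"198.51.100.{i}", BASE + timedelta(minutes=10, seconds=7 * i),
          "POST", "/wp-login.php", 200)
    for i in range(1, 26)
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the per-IP check flags only 203.0.113.7, while the second wave never puts more than one request on any address and is visible only in the site-wide peak of 25 attempts in five minutes. Feeding a real log through `analyse()` (one line per list element) is the point of the `noisy_ips` list: those are candidates for the per-address deny rules posted earlier in the thread, while a high `total_peak` with an empty `noisy_ips` argues for protecting wp-login.php as a whole rather than chasing addresses.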

Panthro




msg:4565250
 2:39 pm on Apr 16, 2013 (gmt 0)

They're always hacking the .htaccess file!

4serendipity




msg:4565448
 1:13 am on Apr 17, 2013 (gmt 0)

>> I don't lose any sleep over wordpress because I am not running it.


That pretty much sums up my attitude.

I have some fond memories of early versions of wordpress, mostly because they spent time on making the software's interface usable. On the security front, they have, unfortunately, always seemed to be a step behind.

graeme_p




msg:4565490
 5:38 am on Apr 17, 2013 (gmt 0)

>> When would you let Google crawl your admin pages?


Googlebot does not want to crawl the admin pages. It is complaining that the login page is crawlable: it is probably linked to from the rest of the site if it's a typical WP theme.

This problem is not a flaw in WP. It's a brute-force attack that works on people who pick bad passwords. The only fault in WP was using the default username "admin".

alika




msg:4565604
 12:18 pm on Apr 17, 2013 (gmt 0)

>> it is probably linked to from the rest of the site if its a typical WP theme.


The login page is not linked to from the rest of the site. It's a highly customized WP theme and we made sure we don't link the login page anywhere.

graeme_p




msg:4565605
 12:28 pm on Apr 17, 2013 (gmt 0)

Which begs the question of why Googlebot was trying to crawl it at all.

lucy24




msg:4565735
 7:07 pm on Apr 17, 2013 (gmt 0)

>> If you do a search, you can find blogs reporting what usernames and passwords the attack is targeting.

If you do a search and don't word your query exactly right, you will instead find loads of useful and informative discussions on how to change, recover or reset a forgotten password via assorted ventures into the sql database.

For a given definition of "change", "recover" etc. anyway.

Don't some people deal with crawler authorization issues by using the "Satisfy any" construct, meaning that a visitor has to either log in or be the Googlebot?

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved