PSA: Massive Botnet Attacks on WordPress Installations

Over the past 24 hours it has come to our attention that a large network of over 90,000 IP addresses have ramped up their use of a brute force attack to target WordPress blog installations. According to several published reports, the botnet is attempting to gain access to WordPress installations by using the default Admin user name and trying multiple passwords. By default, WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Popular hosting providers CloudFlare and HostGator are reporting that the scale of the current attack is much larger than what they typically experience, with some reports claiming that they are blocking 60 million requests per hour during peak times. After reviewing our logs we’ve already noticed several failed login attempts using the username Admin.

What can I do to protect my WordPress installation(s)?

  1. If your username is currently set as Admin, change it to something custom. The easiest way is probably by using something like the Better WP Security WordPress plugin.
  2. Change/strengthen your password. Your password should include capital letters and symbols (%+!#)
  3. Install a plugin to limit login requests.  We use the appropriately titled Limit Login Attempts WordPress plugin, but there are several other plugins with similar functionality.

Once that is done, sit back and hope for the best!

Update: HostGator has provided additional tips.

  • Leave a Comment
  • How to Handle a Hacked WordPress Install

    WordPress is the most popular Content Management System in the world, and a significant percentage of the sites on the Internet use it. That popularity is well-deserved, but it also makes WordPress an irresistible target for hackers who want to spread malware.

    How to Tell if Your Site’s been Hacked

    Sometimes it is obvious that your site has been hacked. Occasionally hackers will simply redirect the site to a different server, so that visitors to your domain end up at a site infected by malware, a site displaying advertising the hacker can profit from, or a porn site. But often hackers add malware or spam links to a site which they want to remain undetected for as long as possible. Having a hacked site can infect your visitors with malware, and it will almost certainly result in a huge hit to your SERP rankings, or even blocking by search engines, so it’s important to be vigilant. There are a number of tools available to webmasters to determine whether a site is vulnerable and whether it has been hacked.

    WP  Security Scan

    The WP Security Scan extension won’t tell you whether your site has been hacked, but it will check for possible attack vectors and vulnerabilities, and offer suggestions for fixes. Of course, often the vulnerabilities will not be in WordPress itself, but in some other part of the software stack. The best way to ensure that there are no known exploits that hackers can use is to keep your software as up-to-date as possible.

    Google’s Safe Browsing Diagnostic

    Google has a service that enables webmasters to see whether they consider a site to be dangerous to visit. Copy the following URL into your browser address bar and replace the part following ‘?site=’ with your site’s URL.

    http://www.google.com/safebrowsing/diagnostic?site=google.com/

    Sucuri

    Sucuri offers a free site scanning service that will catch major problems, and a paid for monitoring and cleanup service that can help if you are hacked.

    Using these tools together can help you ensure that your site remains safe.

    What Should You do If You’ve Been Hacked

    Unless you are an experienced and expert developer or website administrator, cleaning a site with any level of confidence by yourself is almost impossible. Even if you think you have found all the malicious files and removed all the spam links, the files that make up WordPress itself may have been altered so that they reinfect a site after an attempted cleanup.

    Contact your hosting provider and let them know you’ve been hacked. You might not be the only victim and the host provider’s sysadmins may already be taking action.

    Securi, as mentioned above is an excellent tool, and it will attempt to auto-clean your WordPress installation. Should you choose not to use Securi, or hire a professional to clean your site, then the next best option is to delete the site and restore it from backups.

    Hopefully, your site is hosted with a provider that offers a comprehensive backup service, in which case restoring the site to a previous version should be very simple. If not, we are going to assume that you have been making regular backups of your WordPress database.

    Download a fresh install file from WordPress.org, to replace any files that may have been altered during the attack. Do not use the same passwords on the new install as you used on the hacked site.

    After you have installed a fresh version of WordPress you can restore the WordPress database from a backup that you know to be clean.

    Since you know that your site has been hacked once, and that there were vulnerabilities that malicious parties were able to exploit, if possible, it may be best to completely reinstall the server and restore from backups. At the least very scan the server with an anti-malware tool. If you are reasonably sure that the infection was limited to WordPress, then you should update all of your software to the most recent versions, to close vulnerabilities. If you’re using shared hosting your provider should take care of this for you.

    If you haven’t been taking database backups, it may be possible that the WordPress database has not been breached, and that a fresh install of WordPress using the existing database is enough, but in that case be extra vigilant of alterations, follow the rest of the above advice, and start taking regular backups!

    About Daniel Page — Daniel is the Director of Business Developement for ASEOhosting, a leading provider in SEO hosting and multiple IP hosting. Follow ASEOhosting on Twitter at @aseohosting.

  • Leave a Comment
  • Security Reminder: Upgrading Your WordPress Blogs

    While I was away over the weekend, it appears that a large number of bloggers who use WordPress have been hacked and a lot of damage has been done.  It seems this problem has shown up for a large number of people, including some very high profile bloggers.  Among them was Robert Scoble, whose blog was among those websites which were hacked.   Damages on Scoble’s site included porn information being placed in old posts, 2 entire months of content being deleted, and more.  Of course the porn then led to his blog being completely banned from Google!   Scoble is not the only one having these problems, however, and even lesser known bloggers have been attacked.  You can read more in this WordPress support forum thread.

    If you are wondering what the one thing all of these WordPress sites have in common, the problem is they were all using old versions of WordPress.   As someone that owns and operates well over 100 WordPress installations, I certainly understand the pain it can be to upgrade to the latest version of WordPress every time a new release happens, but I hope this goes to show why it is so important to take the time to upgrade all of your WordPress installations be using the most recent version of WordPress.

  • Leave a Comment
  • Tip: Use Caution When Shopping for a WordPress Theme

    Whether you are in the market for a new custom WordPress theme, premium WordPress theme, or a free WordPress theme, their is one often forgotten factor that you should be considering when shopping for a new WordPress theme.  That factor is the reputation of the theme author.

    Why is author reputation so important?   In addition to things like quality, theme support, etc., you’ve also got to worry about potential problems such as unknown links (these are usually hidden and could get your blog banned from search engines if discovered) and things like malicious code being run via your WordPress theme.

    Recently Viper007Bond wrote about a theme that was discovered with hidden links (not the same thing as sponsored links):

    What I found inside the theme’s footer.php file though was tons of malicious code. The entire contents of the file was heavily encoded (it was encoded with gzinflate(), str_rot13(), and base64_decode() around 150 times) and a ton of eval()’s. Since I was curious what it was doing, I wrote some PHP to decode it without using the nasty (and unsafe) eval()’s and I finally ended up with the HTML for the footer file (I assume to stop people from removing the code) and some more crazy eval() PHP code to display links to websites.

    Luckily the code was just there to insert links (although using such a theme is a good way to get banned from Google), the PHP could just as easily have stolen passwords and other things. Remember, themes are exactly like plugins — they can execute code. You wouldn’t download a random program off and Internet and run it on your PC, so why would you do it with a plugin or theme?

    So please, only download themes and plugins from reputable sites such as WordPress.org. If in doubt, don’t use it.

    The author cites QualityWordPress.com as the source of this theme, so I would recommend avoiding this site if you are looking for a new theme.

    Conclusion

    There is a good chance that no matter which theme you end up going with (free, premium, or custom) you are going to be fine, but author reputation is just one more thing that should factor into your decision.   Find a theme made by an author you can trust.  I’ve seen many situations over the past couple years where people unknowingly get banned from Google or run into other problems because they made a bad choice when picking their theme.

    Do you factor an authors reputation (word of mouth) and theme support into your decision before downloading/buying a WordPress theme?   I know I do and I also try to keep that in mind whenever I support a theme by adding it to our WordPress theme galleries.

  • Leave a Comment
  • Learn How to Secure Your WordPress Blog

    We hear almost every day about bloggers getting their login information comprimised.  Are you one of the many people that are growing increasingly concerned about their blogs security?

    If you are looking up ways to beef up the security of your WordPress blog, Make Tech Easier has posted a great article about 11 ways to secure your WordPress blog.  The post includes a few security tips we’ve already covered in past posts, plus a bunch of other great tips.

    Here is what information the post covers:

    • Encrypt your Login
    • Stop Brute Force Attack
    • Use a Strong Password
    • Protect your WP-Admin Folder
    • Remove WordPress Version Information
    • Hide your Plugins Folder
    • Change your Login Name
    • Upgrade to the Latest Version of WordPress and Plugins
    • Do a Regular Security Scan
    • Backup your WordPress Database
    • Define user Privilege

    Click over to get descriptions, plugin information and more!

    Got any tips to add?  Let us know in the comments below!

  • Leave a Comment