Chris La Nauze
I just received this urgent notice from my wholesaler regarding a security threat that will affect most of us on here because we use WordPress. I run a web hosting reseller store and I prefer to give you some heads up before it's too late. I'm not sure where to place this warning so I will just paste it here. Here it is:
"Dear Customers,
This is to notify you that there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence.
This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.
At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including 'special' characters (^%$#&@*).
The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.
We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done.
The servers most likely will experience service interruptions because of the high numbers of WordPress installations hosted, due to the incredibly high load this attack has been seen to cause.
There are two nice features to disrupt brute force attacks:
1) Set up a failed login limit. For example, if the IP gets the login wrong, the plugin adds the IP to your blocked list for a set period of time. In certain cases I have set it to block after 2 wrong attempts and to block for an hour.
2) Change your login path. This feature changes the login path to a custom one so that an attacker can't guess it, i.e. (mydomain.com/mysecretlogin1234). It updates all the files automatically so you don't have to go editing the .htaccess file yourself.
Thank you for your time and understanding regarding this matter."
Obviously the fixes aren't applied to your accounts because no one here is hosted on my site, but if you tweak your .htaccess files, first do a backup of your site and your database and save them to your computer, then set the file permissions of your .htaccess to 444, not 644, so that no one can write to the file (set it back to 644 while a plugin needs to rewrite it, then lock it again). There are some good security plugins that can harden your admin area, like Better WP Security by bit51; look in the WordPress plugin directory. I hope this prevents any WA user from losing their site.
Below are some of my favourite bookmarks to places on the web that really know what they are talking about when it comes to security.
WordPress plugins:
http://wordpress.org/extend/plugins/better-wp-security/ my number one plugin; I use it on every site.
http://wordpress.org/extend/plugins/wp-ban/ to use in conjunction with it to fight against spam referrers.
http://wordpress.org/extend/plugins/permalink-finder/ helps you find those people that really are looking at your posts. I look at the 404s and then do an IP lookup, and if I don't like them I ban them via IP address.
http://wordpress.org/extend/plugins/askapache-debug-viewer/ helps webmasters diagnose problems; only use it if you know what you're doing.
http://wordpress.org/extend/plugins/askapache-password-protect/ - I found this one last week and you must use it with caution because it only does .htaccess blocking and you can ban yourself. Note: only apply one change at a time, so if you lock yourself out you can log in via cPanel and know which rule to remove from the .htaccess file to fix the problem.
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
Some sites where I find golden information with regard to hardening your website regardless of the framework, i.e. WordPress, Joomla, HTML, etc.:
http://perishablepress.com/how-to-block-proxy-servers-via-htaccess/ this is what I was reading last week, but the main site has loads of information
http://perishablepress.com/
http://perishablepress.com/5g-blacklist-2013/ you should use this in your .htaccess file; looking at my logs over the last 2 months, most of these blocked items have been on it.
http://www.websitedefender.com/wordpress-security/htaccess-files-wordpress-security/
http://www.askapache.com/htaccess/htaccess.html - the ultimate resource.
http://www.warrenchandler.com/2013/04/01/how-to-stop-timthumb-hacks-using-htaccess/
http://www.webhostingtalk.com/showthread.php?t=1126530 - a great place where webmasters hang out and help fix each other's problems.
I hope this helps most of you prevent this attack. For the complete noobs out there, do the following: log into wp-admin, go to Plugins and search for Better WP Security, or go to http://wordpress.org/extend/plugins/better-wp-security/, download it and then re-upload it via Upload a Plugin. Install and activate it; in your WordPress side menu there will now be a new tab labelled Security. Click on that and follow the directions for fixing and hardening your WordPress site. At the end of the process, go back to the dashboard of this plugin and scroll down; it will show you your IP address and your server's. Write these down, then go to the Detect tab, put your IP addresses in the 404 whitelist to prevent you blocking yourself, and save. You will now be a lot better off. Then whenever you log into your site, go and have a look at the log. If you don't like where people are looking, or they have been looking at other regions of your site like wp-includes, wp-admin, etc., check their IP to make sure it's not you (in case you're on a dynamic IP) and block them; and if it is you, add that new IP to your whitelist as well.
Hope this helps everyone who reads this.
Have a great day, Chris.
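The log review Chris describes above (look at the 404s and the login attempts, check the IP, ban it in .htaccess, and whitelist yourself first) can be done with a short script instead of by eye. What follows is an added example of mine, not code from the post or from any of the plugins it links. It makes two assumptions: the host writes the standard Apache combined log format, and a failed wp-login.php POST is answered with 200 (WordPress re-renders the form) while a successful one is a 302 redirect. The log lines inside it are constructed; the only address taken from this page is the poster's own static IP, used to show the whitelist.

```python
"""Review an Apache access log for the brute-force pattern in the notice and
emit .htaccess deny rules for the offenders.

Added example; not code from the post or any plugin it links.  Assumptions:
Apache "combined" log format, and WordPress answers a failed wp-login.php POST
with 200 (form re-rendered) and a successful one with a 302 redirect.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log.  Addresses are RFC 5737 documentation ranges, except
# 49.3.31.155, which the poster gives as his own static IP in the comments.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:09:15:01 +1000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:15:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:15:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:15:04 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:09:16:10 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:09:16:11 +1000] "GET /wp-admin/ HTTP/1.1" 200 22044 "-" "Mozilla/5.0"
49.3.31.155 - - [12/Apr/2013:09:20:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
49.3.31.155 - - [12/Apr/2013:09:20:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
49.3.31.155 - - [12/Apr/2013:09:20:09 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
49.3.31.155 - - [12/Apr/2013:09:20:20 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:00:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:30:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:11:00:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Apr/2013:11:05:00 +1000] "GET /wp-content/themes/twentyten/timthumb.php HTTP/1.1" 404 209 "-" "-"
198.51.100.77 - - [12/Apr/2013:11:05:01 +1000] "GET /wp-content/plugins/old/timthumb.php HTTP/1.1" 404 209 "-" "-"
198.51.100.77 - - [12/Apr/2013:11:05:02 +1000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"
"""


def parse(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            yield m['ip'], ts, m['method'], m['path'].split('?')[0], int(m['status'])


def brute_forcers(events, threshold=3, window_seconds=60, whitelist=()):
    """IPs with >= threshold failed logins inside a sliding window of window_seconds.

    Returns {ip: time the threshold was first crossed}.  Whitelisted IPs (yours,
    your server's) are skipped so the rules cannot lock you out."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, method, path, status in events:
        if ip in whitelist or not (method == 'POST' and path == '/wp-login.php' and status == 200):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def probers(events, threshold=3, whitelist=()):
    """IPs that collected >= threshold 404s: the scanning the post spots in the 404 log."""
    misses = Counter(ip for ip, _, _, _, status in events if status == 404 and ip not in whitelist)
    return {ip: n for ip, n in misses.items() if n >= threshold}


def htaccess_rules(ips):
    """Apache 2.2-style deny block, the syntax the linked .htaccess resources use.
    On Apache 2.4 use 'Require not ip <addr>' inside <RequireAll> instead."""
    return '\n'.join(['order allow,deny', 'allow from all'] + [f'deny from {ip}' for ip in sorted(ips)])


def analyze(text, whitelist=('49.3.31.155',)):
    """Set of IPs to ban: brute-forcers plus 404 probers, minus the whitelist."""
    events = list(parse(text))
    return set(brute_forcers(events, whitelist=whitelist)) | set(probers(events, whitelist=whitelist))


if __name__ == '__main__':
    print(htaccess_rules(analyze(SAMPLE_LOG)))
```

Run it and paste the printed block into .htaccess. The window is the important knob: 192.0.2.9 in the sample spaces its guesses 30 minutes apart and is only caught when window_seconds is widened, which is the same trade-off a plugin's "block after 2 wrong attempts" setting makes for you. And since the notice counts over 90,000 addresses in this attack, an IP ban list slows it rather than stops it; the strong password comes first.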
Recent Comments
Chris... thank you so much for sharing this info with us here and in chat. I really appreciate it!
In case you are reading this and wanted to know the further discussions in WA chat, here is a response I had to Rick Jantz over a brief post here https://my.wealthyaffiliate.com/scarlett1/blog/can-my-siterubix-admin-username-get-hacked My response was this: Hi Rick, from reading that post I'm not so sure; I'm sure they will have systems in place to prevent 99.9999% of attempts, and Kyle, being an admin on this site, probably checked that user's password, as he said "but yours will not be hacked". So if you have a basic password, your site is very vulnerable, even more so if you are using the default install username of admin. What can you do? Well, if you have that username, this is what I would do: use the plugin I suggested, or create a new admin user with a username that is hard to break (I tend to use a password generator for my username and a new one for my password; very hard to crack), then log in with the new one and delete the user admin. To lessen your problem I would then change the nickname and screen name back to your names. It's a common technique to look for the authors on the site and use the author name as the username, and then all they have to do is brute-force the password. Also you should learn how to disable the warning notifications above the login screen, because these prove whether the username they're trying to use exists. I.e. go to your login screen; if you type the username admin and the wrong password, and you get a warning message in red saying the password or username was incorrect for the user admin, the system has just proved that the user admin exists. If these messages are disabled they won't get that. I have it set so that if there are two bad logins in a row from an IP address they get banned from the site for 3 months, and because I look at the logs every couple of days, I add the IP address to my permanent ban if I see anyone trying to log into my admin area.
There should only be one person on my site in the admin area and that's me, or my clients, if it is their site.
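The two points in the reply above, the login error that confirms a username exists and the two-strikes-and-out ban per IP, are easy to see in a small login handler. This is an added example of mine written against an in-memory user table; it is not WordPress or plugin code. The leaky messages are modelled on the WordPress login errors of the time; the user table, passwords and IP addresses are constructed for the demo.

```python
"""A login check that leaks which usernames exist, beside a hardened version
with one uniform error message and a per-IP lockout after two failures.

Added example with an in-memory user table; not WordPress or plugin code.
"""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 50_000            # PBKDF2 rounds for the demo store; tune for real use
GENERIC = "Invalid username or password."


def make_users(plaintext):
    """Build {username: (salt, pbkdf2_hash)} from a constructed dict of passwords."""
    users = {}
    for name, pw in plaintext.items():
        salt = secrets.token_bytes(16)
        users[name] = (salt, hashlib.pbkdf2_hmac('sha256', pw.encode(), salt, ITERATIONS))
    return users


# Dummy credential so that checking an unknown username costs the same work as a
# known one; a uniform message is not enough if the response time still differs.
_DUMMY = next(iter(make_users({'_': secrets.token_hex(16)}).values()))


def _password_ok(users, username, password):
    salt, stored = users.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored) and username in users


def login_leaky(users, username, password):
    """The behaviour the reply warns about: the message depends on whether the
    username exists, so an attacker confirms 'admin' before guessing passwords."""
    if username not in users:
        return False, "Invalid username"
    if not _password_ok(users, username, password):
        return False, f"The password you entered for the username {username} is incorrect"
    return True, "OK"


class LoginGuard:
    """Hardened login: one message for every failure, and an IP is refused for
    lockout_seconds after max_failures consecutive failures (the reply uses two).
    A success resets the strike count."""

    def __init__(self, users, max_failures=2, lockout_seconds=3600, clock=time.monotonic):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so a test can move time forward
        self._failures = {}           # ip -> consecutive failures
        self._locked_until = {}       # ip -> clock value at which the lockout ends

    def is_locked(self, ip):
        return self._locked_until.get(ip, 0) > self.clock()

    def attempt(self, ip, username, password):
        if self.is_locked(ip):
            return False, GENERIC      # refused without even checking the password
        if _password_ok(self.users, username, password):
            self._failures.pop(ip, None)
            return True, "OK"
        strikes = self._failures.get(ip, 0) + 1
        if strikes >= self.max_failures:
            self._locked_until[ip] = self.clock() + self.lockout_seconds
            self._failures.pop(ip, None)
        else:
            self._failures[ip] = strikes
        return False, GENERIC
```

Note what the lockout does and does not buy you: it is keyed on the source address, so the 90,000-IP attack in the notice gets roughly two guesses per address before moving on, and anyone sharing a NAT with a guesser is locked out too. It is a rate limiter, not a substitute for a non-default username and a long password.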
Chris thanks a lot. It will help us timely.
Private message me your website URL and I'll have a look now. My IP is 49.3.31.155, static, from Australia, so if you see that, it's me!