Thursday, April 11, 2013

Global Wordpress Brute-force Attacks

Your Wordpress site is under attack right now

Right now there is a very severe and global attack on all Wordpress sites on the Internet.

New status update on the Wordpress attacks as of 11pm Eastern time April 12, 2013.

UPDATE: It seems everyone is advising people to install either Limit Login Attempts or a Wordpress Security Plugin. DO NOT DO THIS. This will not only fail to block the attack, it could crash your server. These attacks come in too fast from too many IP addresses. Please follow this guide instead.

Update 2: Matt Mullenweg, the creator of Wordpress, has confirmed that plugins should NOT be used in this situation:

Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great
- from TheNextWeb: Brute force attacks on Wordpress continue...

Update 3: They are now providing the correct HTTP_REFERER value, so the htaccess blocking is not always effective.

This is not a joke or a hoax - your site is at risk and may be hacked and sending spam right now.

What all Wordpress site owners need to do right now on all sites

If this is all Greek to you and you don't have a webmaster or developer who can help, call 1-800-926-6167

  1. Immediately change your passwords to the Wordpress admin area, FTP, any control panels, and all email accounts
  2. Your password should be at least 30 characters and MUST have all of: uppercase and lowercase letters, numbers, and special characters. A good way to come up with a strong password that you can still remember is to take a long phrase (song lyrics, a poem, or similar) and replace certain letters with uppercase letters, numbers, and special characters.
  3. For example, the relatively strong password th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply "thislittlepiggysecuredtheirWordpresssite" with i->1, s->$, e->3, and o->0 (zero)
  4. Scan your computer for viruses, keyloggers, rootkits, and botnet software
  5. Do the same scans for any computer that has had access to your site admin area
  6. Update Wordpress and all plugins to the latest versions
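
As an added example (not code from the original post), here is the substitution scheme from steps 2 and 3 in Python, together with a check of the stated policy. The function names are my own and the only input is the post's own example phrase.

```python
"""Added example, not code from the original post: the passphrase substitution
scheme from steps 2 and 3 (i->1, s->$, e->3, o->0) and a check of the stated
policy (at least 30 characters; uppercase, lowercase, digits and specials all
present). Function names are my own, not WordPress APIs."""
import string

# The post's substitutions. Only lowercase letters are mapped, so a deliberate
# capital such as the W in "Wordpress" survives and satisfies the uppercase rule.
SUBSTITUTIONS = str.maketrans({"i": "1", "s": "$", "e": "3", "o": "0"})
MIN_LENGTH = 30


def leet_passphrase(phrase):
    """Apply the post's letter substitutions to a memorable phrase."""
    return phrase.translate(SUBSTITUTIONS)


def policy_problems(password):
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = {
        "no uppercase letter": any(c.isupper() for c in password),
        "no lowercase letter": any(c.islower() for c in password),
        "no digit": any(c.isdigit() for c in password),
        "no special character": any(c in string.punctuation for c in password),
    }
    problems.extend(name for name, present in required.items() if not present)
    return problems


if __name__ == "__main__":
    # The post's own example phrase; the output is the password shown in step 3.
    phrase = "thislittlepiggysecuredtheirWordpresssite"
    password = leet_passphrase(phrase)
    print(password, len(password), "characters")
    print("policy:", "ok" if not policy_problems(password) else policy_problems(password))
```

Run against the post's phrase the function reproduces the step 3 password exactly and the policy check passes. One design note: substitution rules of this kind (i->1, s->$) are built into password-cracking tools, so treat them as a memorability aid; it is the 30-character minimum that does the real work.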

Add this to the .htaccess file in your document root (public_html, www, htdocs, etc.)

This is in order to stop direct automated attempts to log in to your site:

NOTE: Replace example.com below with your domain (keep the backslash before the dot, as in example\.com, and leave everything else as it is)

<IfModule mod_rewrite.c>
RewriteEngine on
# Only POST requests (the login form submission) are affected...
RewriteCond %{REQUEST_METHOD} =POST
# ...whose Referer is not this site (with or without a subdomain such as www)...
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
# ...and which target the login page or the admin area
RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin/?$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Now you are going to change the admin username to something difficult to guess

Log into Wordpress admin with your new secure password and follow this guide to change the admin username:

How to change Wordpress admin username

The attackers are simply going through and using a lot of computing power to "guess" the password for the user "admin" - if that user is not there, it will make it no longer worth the computing effort required to guess both the username and password.

Now the most unfortunate part is that these attacks may have actually "hacked" your Wordpress site, meaning you may not know it but someone could be using your account to send spam or even attack other sites.

I recommend having someone familiar with Wordpress look through the site as well as look at the files themselves. If you see anything out of the ordinary on the site like a large amount of spam, certain links redirecting (usually to sites you don't want people going to from your Wordpress blog), or especially files and plugins that are shown in FTP / File Manager (in the wp-content/plugins directory) but are NOT listed in "Plugins", you will need to clean the hacks.

The simplest way to clean up a hack is essentially to "quarantine" the whole site and rebuild, but frequently much of the site can be salvaged.

Basically you will need to download and install the latest version of Wordpress via FTP, copy just the important parts of your wp-config.php from the hacked folder to hook up the database, and re-install clean copies of your theme and plugins. If you are using timthumb in your theme or any plugins, now is a good time to pick a new theme that uses the built-in Wordpress image thumbnails as well as trim down your collection of (potentially vulnerable) plugins.

How do I know the above is (part of) a Wordpress hack? I know exactly what to look for to find even the most well-disguised hacks, but this one is simple - eval and base64 decode together are almost always bad news.
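
As an added example (not code from the original post), the following Python scanner looks for the eval + base64_decode combination the paragraph describes across a wp-content tree. The tree it scans is constructed in a temporary directory with made-up file names and placeholder arguments; nothing in it is a real payload.

```python
"""Added example, not code from the original post: a small scanner for the
"eval together with base64_decode" pattern the post describes, run over a
constructed wp-content tree built in a temporary directory. The file names and
contents are made up; a hit is a lead for manual review, not proof by itself."""
import os
import re
import tempfile

# eval( base64_decode( ... ) ), optionally with gzinflate( in between, case-insensitive
PATTERN = re.compile(r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.IGNORECASE)
PHP_EXTENSIONS = (".php", ".inc", ".phtml")


def scan_file(path):
    """Return [(line_number, snippet), ...] for every line of path matching PATTERN."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if PATTERN.search(line):
                hits.append((lineno, line.strip()[:80]))
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: hits} for PHP files that have hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed demo tree. The "injected" lines use placeholder arguments, not real payloads.
DEMO_FILES = {
    "plugins/demo-plugin/demo-plugin.php":
        "<?php\n// constructed: base64_decode without eval is normal and is not flagged\n"
        "$logo = base64_decode($encoded_png);\n",
    "themes/demo-theme/footer.php":
        "<?php\n// constructed: a theme file with an injected line\n"
        "eval(base64_decode('PLACEHOLDER'));\n",
    "uploads/2013/04/cache.php":
        "<?php\n/* constructed: PHP dropped into uploads, with the gzinflate variant */\n"
        "eval ( gzinflate ( base64_decode ( $payload ) ) );\n",
    "uploads/2013/04/photo.jpg": "not a PHP file, never opened by the scanner\n",
}


def build_demo_tree(root):
    """Write the constructed files under root."""
    for rel, content in DEMO_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Build the constructed tree, scan it and return the findings dict."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in sorted(run_demo().items()):
        for lineno, snippet in hits:
            print(f"{rel}:{lineno}: {snippet}")
```

Pointed at a real wp-content directory, scan_tree reports the file and line of each hit; the benign plugin file shows why the combination matters, since base64_decode on its own is common in legitimate code. A PHP file sitting under uploads is worth a look even without a hit, which is why the scanner records where each file was found.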

Now for the plugins to install on all Wordpress installations. Search for these from Plugins->Install or click to download.

If you get stuck on any of this or you think your site is still hacked (or hacked again), get help. If all else fails - Call A Developer @ 1-800-926-6167

Further Reading

Remember if you need help, call 1-800-926-6167 - on a mobile phone this site will show a green Phone button at the bottom - click it to call us. Be sure to save the number as "Call A Developer"

Peter Stolmar is a Linux Systems Administrator specializing in system security including fixing hacked websites, defending against large scale attacks, and educating users on the importance of "thinking secure".

69 comments:

  1. Judging by the logs, the hackers have got wise to the .htaccess mod as they now include the correct referer

    Replies
    1. Thank you for the info, that is not a good sign. They are adjusting tactics for any change in the environment. I'll try to think of other ways to protect the sites, although setting a very strong admin username and password are currently the main line of defense.

  2. I don't think WP-Optimize has Security Tools anymore.

    It has on its Changelog :
    0.9.3 - Removed security tools.

    Replies
    1. Noted thank you, I have updated it with a guide to simply create a new user with admin rights and delete the old admin.

  3. I want to see if my blog is on the receiving end of a brute-force cracking attack. What should I be looking for in my server logs?

    Replies
    1. Look for wp-login.php in the access log, usually in groups of a handful of attempts, often from different but similar IPs. Keep in mind your IP will have wp-login.php entries - don't block that. To check your IP you can use http://fetchip.com

  4. Yesterday I installed the Better WP Security plugin to change my admin name, and it has a few more features, one of which is lockout after X failed login attempts. I thought this probably doesn't happen on my blog but I turned that feature on just to be on the safe side.

    Today, not even 24h since I installed the plugin I already received email notification, that one lockout has occurred due to too many login attempts.

    Replies
    1. I normally don't recommend plugins for this due to the additional CPU usage, but I see that Better WP Security has an option to actually change the wp-login URL - please do that right away. This seems like the best way right now to actually stop the attack. Look for the option "Security/Hide Backend".

  5. How can the .htaccess rewrite rules be made to work with Microsoft IIS?

    Replies
    1. Unfortunately they've gotten around the REFERER checks - best thing to do now is block all IPs except your own (or your admins / developers) from both wp-login.php and wp-admin folder (Note: this may break plugins and you may need to allow 127.0.0.1 or your servers external IP):

      "1. Add an allow rule and specify the IP you want to grant access to the
      site.

      2. Click Edit Features Settings. Select Deny access for unspecified
      clients."

      - http://objectmix.com/inetserver/735010-block-all-except-1-ip-iis-7-a.html

  6. My website is on Westhost.com and has been down for 16 hours. I've also been unable to access these Wordpress hosts: Dreamhost.com - GoDaddy.com - Bluehost.com - Justhost.com
    Have they been shut down?
    Thanks,
    Jim

    Replies
    1. The sites were actually offline? My Wordpress sites were up, but many hosts have blocked the Wordpress login page or temporarily disabled logins if the page was under attack. However if the attacks were not mitigated or the attackers got around the next set of countermeasures, it is quite possible the attack itself was the reason sites were inaccessible.

      Also - are others saying your site is down? It is possible that your computer was infected during this attack with a very nasty rootkit (TDL3 / TDSS) - in this case you would not be able to access some sites.

  7. The .htaccess is ineffective. I've taken my Wordpress sites down and pointed the domains to a "sorry we're unavailable..." html file for the time being.

    If I bring the site back, they work...for about 10 minutes, then the attacks resume. I did log into the database and manually changed the admin logins. But without the interface, it's difficult to change the password.

  8. I feel like you have left out a lot of things:

    1) Change the user ID of administrator from 1 to something like 19878973.
    2) Use strong password generator to change the administrator username and password.

    http://strongpasswordgenerator.com/

    3) Use .htaccess to password protect the entire administration area. An example of how to password protect wordpress login page is:

    http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack

    This will annoy and prevent 50% of attackers while not chewing up server resources.

    4) Renaming the wp-content directory to another name using:

    define('WP_CONTENT_DIR', '/home/username/public_html/2893' );
    define('WP_CONTENT_URL', 'http://www.example.com/2893' );

    Remember not to include a trailing slash.

    That should stop a lot of automated scripts.

    5) Finally installing a captcha on all comment, contact and login/register/forgot password pages

    Now you know that when you're hacked they really wanted to get you personally.

  12. Thank you for this very helpful article. I am unsure what you are advising about plugins though.

    At the beginning you say:

    "UPDATE: It seems everyone is advising people to install either Limit Login Attempts or a Wordpress Security Plugin. DO NOT DO THIS. This will not only fail to block the attack, it could crash your server. These attacks come in too fast from too many IP addresses. Please follow this guide instead.

    Update 2: Matt Mullenweg, the creator of Wordpress, has confirmed that plugins should NOT be used in this situation"

    Later on you say,

    "Now for the plugins to install on all Wordpress installations. Search for these from Plugins->Install or click to download . . .


    Stop Spammer Registrations
    Limit Login Attempts
    Ban Hammer
    Wordpress File Monitor Plus
    Spam Free Wordpress
    W3 Total Cache (if you don't have this or SuperCache already - don't use both)"

    Does the UPDATE at the top over-ride the advice to install these plugins? Or are you advising that they should be installed after the other actions you recommend?

  16. Hrm - since they've gotten smarter, I think your stuff is now out-of-date?

    And with ?author= requests, they can get the appropriate username, unless you block those accesses (so changing the username doesn't help).

    RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
    RewriteRule .* - [F]


    I haven't implemented the referrer stuff, since I've heard that it doesn't matter any more, right?

    For some of my installations, I've been able to simply block all accesses to wp-login.php to specific subnets that the admin uses, but I've got one site where I have users who login (though they don't have access to the admin area), and various plugins and the core access URIs within /wp-admin area, so I can't block the whole directory like I thought I'd be able to do.

    The whole thing seems pretty tricky.

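
As an added example (not code from the original post or its comments), the Python script below scans Apache combined-format access-log lines for the two things discussed in the comments: the groups of POST requests to wp-login.php from "different but similar IPs" that the reply to comment 3 says to look for, and the ?author=N user-enumeration requests comment 16 blocks with a rewrite rule. It also honours the reply's warning not to block your own IP. All IPs, log lines, the threshold and the own_ips list are constructed for the demo.

```python
"""Added example, not code from the original post or its comments: scan Apache
combined-format access-log lines for the two patterns discussed in the comments,
bursts of POST requests to wp-login.php (often from several similar IPs) and
?author=N user-enumeration probes. All IPs, log lines, the threshold and the
own_ips list below are constructed for the demo."""
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
AUTHOR_PROBE = re.compile(r"[?&]author=\d+")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, own_ips=(), login_threshold=5):
    """Summarise login bursts and author probes; own_ips are reported but never flagged."""
    login_posts = Counter()           # POSTs to wp-login.php per source IP
    author_probes = defaultdict(set)  # ?author=N paths seen per source IP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip malformed lines rather than crash mid-file
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        if AUTHOR_PROBE.search(rec["path"]):
            author_probes[rec["ip"]].add(rec["path"])
    over = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    flagged = {ip: n for ip, n in over.items() if ip not in own_ips}
    # "different but similar IPs": also total the flagged hosts by /24 prefix
    by_24 = Counter()
    for ip, n in flagged.items():
        by_24[ip.rsplit(".", 1)[0]] += n
    return {
        "login_bursts": flagged,
        "login_posts_by_24": dict(by_24),
        "author_probes": {ip: sorted(p) for ip, p in author_probes.items()},
        "skipped_own_ips": sorted(ip for ip in over if ip in own_ips),
    }


def _line(ip, method, path, status, referer, minute):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [12/Apr/2013:22:{minute:02d}:00 -0400] "{method} {path} HTTP/1.1" '
            f'{status} 512 "{referer}" "Mozilla/5.0"')


# Constructed sample log: two attacking hosts in one /24, one enumeration host,
# the site owner's own IP, and a line that is not in combined format at all.
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", "/wp-login.php", 200, "http://example.com/wp-login.php", m) for m in range(6)]
    + [_line("203.0.113.77", "POST", "/wp-login.php", 200, "-", m) for m in range(5)]
    + [_line("198.51.100.9", "GET", f"/?author={n}", 301, "-", 10 + n) for n in range(1, 4)]
    + [_line("192.0.2.10", "POST", "/wp-login.php", 302, "http://example.com/wp-login.php", 30)] * 5
    + ["this line is not an access-log record"]
)
OWN_IPS = ("192.0.2.10",)  # constructed: the site owner's address, never flagged


def demo_report():
    """Run the analysis over the constructed log with the demo settings."""
    return analyse(SAMPLE_LOG, own_ips=OWN_IPS, login_threshold=5)


if __name__ == "__main__":
    report = demo_report()
    for ip, n in sorted(report["login_bursts"].items()):
        print(f"login burst: {ip} ({n} POSTs to wp-login.php)")
    for ip, paths in report["author_probes"].items():
        print(f"author enumeration: {ip} -> {', '.join(paths)}")
    print("own IPs over threshold (not flagged):", report["skipped_own_ips"])
```

To use it on a real server, feed analyse() the lines of the access log (for example open("access_log")) and put your own address and those of your developers in own_ips; the per-/24 totals are what make a spread of similar addresses stand out when no single one crosses the threshold.
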
  20. I work for a webhosting company and we're being slammed with these damn attacks daily. In our searching and frustration we have found that this code in .htaccess of the wordpress directory completely stops any attacks because it requires the user to input their own IP and blocks all other attempts with a 403 - Forbidden. Since I was researching more ways to curtail this insanity, I thought I would share:

    This part has to be put back together (no spaces after and before the brackets "<,>", as Blogger doesn't seem to like code):

    <FilesMatch "wp-login.php">
    # With Order Allow,Deny, any client not matched by an Allow line is denied
    Order Allow,Deny
    Allow from 123.123.123.123
    # Allow from 123.123.123.121 - add a line like this for each additional IP that needs access
    # Deny from all
    </FilesMatch>

  21. this worked for me because www was getting through

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} =POST
    # Referer must be this site, with or without www (the Referer is a full URL, not a bare host)
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
    RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin/?$
    RewriteRule ^(.*)$ - [R=403,L]


    i've also noticed the same IPs started using GETs to me seemed like a check to see if the file existed.
