April 16th, 2013 by IX: Lisa P.
If you’re a customer who uses WordPress, you have probably already noticed the issues concerning logging into your WordPress control panel.
We wanted to send out this notification to alert anyone who hasn’t been briefed on the situation, as well as give some additional explanation about what is going on, how we’re handling it, and why we’re handling it in this manner.
- A global brute force attack on WordPress’ wp-login.php file began on April 11th. This attack affected WordPress users worldwide and was experienced by virtually every web hosting company.
- A ‘brute force’ attack is when an automated program (sometimes referred to as a ‘botnet’) repeatedly attempts to log into a password protected site by trying different passwords over and over again until it finds the right one.
- We implemented a server side check to reduce the number of wp-login requests, but found that the attack started to increase the time between login attempts.
- On April 12th, we noticed the botnet activity ramped up dramatically, and we were forced to block all traffic to wp-login pages. This was a temporary solution that remedied the brute force attack in the following ways:
  - Customer WordPress sites were able to stay up and running
  - All incoming brute force requests were stopped
  - This also kept out any unwanted, malicious intrusions into our customers’ sites
  - By blocking the malicious incoming traffic, it also stopped the slowness issues we were having on our Linux servers.
In the meantime, we began collecting attackers’ IPs so we could start blocking them.
- On April 13th, we began using the data we’d collected on the attackers’ IPs to begin blocking them from connecting to our servers. This was a slow process that took time to refine and put in place as a permanent solution.
- On April 16th, we removed the block on each server for wp-login once the new system was implemented across all of our servers. Users should now be able to log into their WordPress sites. Once you log in, we recommend that you change your password to something very strong (e.g. a mixture of upper and lowercase letters, numbers, and special characters like #, $, and &). You can find instructions on how to change your password here: http://codex.wordpress.org/Resetting_Your_Password.
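The timeline above notes that the attack slowed its login attempts once a request-rate check was in place, and that attacker IPs were then collected for blocking. The following is an added example, not IX Web Hosting's own system, showing how a site owner could pull candidate IPs from a web access log by checking both a short and a long time window. The log format (Apache/Nginx combined), the thresholds, and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format: client IP, timestamp, request line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def login_posts(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of this length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_ips(lines, burst=(timedelta(minutes=1), 5), slow=(timedelta(hours=1), 10)):
    """Map each suspicious IP to the rule it tripped. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ip, ts in login_posts(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        if max_in_window(times, burst[0]) >= burst[1]:
            flagged[ip] = "burst"      # caught by a short-window rate check
        elif max_in_window(times, slow[0]) >= slow[1]:
            flagged[ip] = "slow"       # paced to stay under the short-window check
    return flagged

def sample_lines():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    base = datetime(2013, 4, 12, 9, 0, 0, tzinfo=timezone.utc)
    plan = [("203.0.113.10", "POST", timedelta(seconds=5 * i)) for i in range(6)]
    plan += [("198.51.100.7", "POST", timedelta(minutes=4 * i)) for i in range(12)]
    plan += [("192.0.2.55", "GET", timedelta(0)), ("192.0.2.55", "POST", timedelta(seconds=20))]
    return ['{} - - [{}] "{} /wp-login.php HTTP/1.1" 200 3521'.format(
        ip, (base + d).strftime("%d/%b/%Y:%H:%M:%S %z"), m) for ip, m, d in plan]

if __name__ == "__main__":
    for ip, rule in sorted(flag_ips(sample_lines()).items()):
        print(ip, rule)
```

Per-IP counting like this cannot see an attack spread across many addresses that each make only a few attempts, so it complements strong passwords rather than replacing them.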
The tactics used in the attack are changing daily (sometimes even hourly), and we are responding with adjustments of our own. While we currently have the situation under control, we are still watching and reacting to the attack to make sure it doesn’t begin affecting our servers again.
Although we can’t announce too many details about our attempts to block the attack (because we don’t want to give too much information to the attackers), we still want you to know that we are aware of the situation, and are working on it. Keep an eye on the status blog for major updates as the situation progresses.
Thank you for your patience as we continue to defend against this attack.
Director of Customer Operations
IX Web Hosting