Important WordPress Security Update


If you’re a customer who uses WordPress, you have probably already noticed the problems with logging into your WordPress control panel.

We wanted to send out this notification to alert anyone who hasn’t been briefed on the situation, as well as give some additional explanation about what is going on, how we’re handling it, and why we’re handling it in this manner.

  • A global brute force attack on WordPress’ wp-login.php file began on April 11th. This attack affected WordPress users worldwide and was experienced by virtually every web hosting company.

    • A ‘brute force’ attack is one in which an automated program (often spread across many compromised machines, collectively referred to as a ‘botnet’) repeatedly attempts to log into a password-protected site by trying different passwords over and over until it finds the right one.
  • We implemented a server-side check to reduce the number of wp-login requests, but found that the attack adapted by increasing the time between login attempts.
  • On April 12th, we noticed the botnet activity ramped up dramatically, and we were forced to block all traffic to wp-login pages. This was a temporary solution that remedied the brute force attack in the following ways:

    • Customer WordPress sites were able to stay up and running
    • All incoming brute force requests were stopped
    • This also kept out any unwanted, malicious intrusions into our customers’ sites
    • Blocking the malicious incoming traffic also stopped the slowness issues we were having on our Linux servers.

In the meantime, we began collecting attackers’ IPs so we could start blocking them.

  • On April 13th, we began using the data we’d collected on the attackers’ IPs to begin blocking them from connecting to our servers. This was a slow process that took time to refine and put in place as a permanent solution.
  • On April 16th, we removed the block on each server for wp-login once the new system was implemented across all of our servers. Users should now be able to log into their WordPress sites. Once you log in, we recommend that you change your password to something very strong (e.g. a mixture of upper and lowercase letters, numbers, and special characters like #, $, and &). You can find instructions on how to change your password here: http://codex.wordpress.org/Resetting_Your_Password.
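The IP-collection step above relies on spotting clients that hit wp-login.php far more often than any human would. As an added example (not IX’s own tooling), this parses access-log lines in the Apache combined format and flags clients whose wp-login.php requests reach a threshold inside a sliding time window; the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format:
# client ident user [timestamp] "METHOD path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def flag_login_bruteforce(log_text, threshold=5, window_s=60):
    """Return {client_ip: peak} for clients that hit wp-login.php at least
    `threshold` times within any sliding window of `window_s` seconds.

    Every method is counted (POSTs carry the credential guesses, GETs the
    probing), and the path match tolerates doubled slashes, subdirectory
    installs and query strings such as ?action=register.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, _status = m.groups()
        if path.split("?", 1)[0].endswith("/wp-login.php"):
            hits[ip].append(datetime.strptime(ts, TS_FMT))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines (documentation-range addresses): one client makes
# six login requests in 25 seconds, one probes twice, one never touches login.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Apr/2013:02:40:{s:02d} -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"'
     for s in range(20, 50, 5)]
    + ['198.51.100.9 - - [12/Apr/2013:02:41:10 -0400] "GET //wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.19.7"',
       '198.51.100.9 - - [12/Apr/2013:02:41:12 -0400] "GET /blog/wp-login.php?action=register HTTP/1.1" 200 3421 "-" "curl/7.19.7"',
       '192.0.2.5 - - [12/Apr/2013:02:41:30 -0400] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    print(flag_login_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 6}
```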

The tactics used in the attack are changing daily (sometimes even hourly), and we are responding with adjustments of our own. While we currently have the situation under control, we are still watching and reacting to the attack to make sure it doesn’t begin affecting our servers again.

Although we can’t announce too many details about our attempts to block the attack (because we don’t want to give too much information to the attackers), we still want you to know that we are aware of the situation, and are working on it. Keep an eye on the status blog for major updates as the situation progresses.

Thank you for your patience as we continue to defend against this attack.

Sincerely,

Lisa Grice

Director of Customer Operations

IX Web Hosting


18 Comments to "Important WordPress Security Update"

  1. Tim Anderson -

    Yes, I noticed these IPs below over the last week trying to log in to WordPress files that do not exist on my site. ALL requests for these WordPress files from my sites are ALL FROM CHINA-based IPs. My pages are static HTML. Another organised attack from China, a small group of IPs though from my logs.

    The IP 220.180.62.186 from China has attacked my site many times.
    110.85.69.57 is also from China.
    120.33.241.121 is also from China.
    121.205.248.58 is also from China.

    110.85.69.57 - - [07/Apr/2013:03:19:53 -0400] "GET /Dogstar/wp-login.php?action=register HTTP/1.1" 302 234 "http://www.hereticpress.com/Dogstar/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
    server56743.uk2net.com - - [07/Apr/2013:13:37:04 -0400] "GET //wp-login.php HTTP/1.1" 302 234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    server56743.uk2net.com - - [09/Apr/2013:22:16:39 -0400] "GET //wp-login.php HTTP/1.1" 302 234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    falcon506.startdedicated.com - - [12/Apr/2013:02:40:20 -0400] "GET /wp-login.php HTTP/1.1" 302 234 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2"
    120.33.241.121 - - [12/Apr/2013:18:00:08 -0400] "GET /phpBB3/wp-login.php?action=register HTTP/1.1" 302 234 "http://www.hereticpress.com/phpBB3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
    121.205.248.58 - - [13/Apr/2013:12:38:20 -0400] "GET /Dogstar/wp-login.php?action=register HTTP/1.1" 302 234 "http://www.hereticpress.com/Dogstar/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
    server56743.uk2net.com - - [13/Apr/2013:22:05:37 -0400] "GET //wp-login.php HTTP/1.1" 302 234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    220.180.62.186 - - [14/Apr/2013:17:19:39 -0400] "GET /Dogstar/wp-login.php?action=register HTTP/1.1" 302 234 "http://www.hereticpress.com/Dogstar/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
    91.239.15.176 - - [14/Apr/2013:17:38:52 -0400] "GET /wp-login.php HTTP/1.0" 302 222 "-" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.8.131 Version/11.10"

    • IX: Robyn M. - -

      Hi Tim,

      Thanks for the info! Yes this attack has been coming from quite a few IPs. We have heard a number of about 90,000!

  2. Mohamed -

    All users use complex passwords in e-mail accounts.

  3. Very concerning that there is no mention that you will locate these people and prosecute them to the full extent of the law. Why is there no mention of that?? Seems to be a huge oversight I hope, unless you are planning on doing nothing. If that is the case I need to find a better web hosting site.

    • IX: Lisa G. - -

      Bill, unfortunately this was a global attack; many companies and countries were under attack. The proper authorities are looking into it.

      Lisa Grice
      Director of Operations.

  4. We need stronger password functionality for all services, especially FTP. Likewise, SFTP support and database server certificate support would be greatly beneficial in stopping all kinds of attacks.

    Also, you may want to consider what I mentioned earlier in a support ticket about a similar issue.

    I use fail2ban to automatically block IPs that attempt to ssh to my rackspace servers and fail 5 times within 5 minutes. I’ll take a look to see if there’s a way to modify it to also respond to failed attempts to log in to my WP sites. (Anyone know how to do that? Is there a WP plugin for that?)

    Also, how about changing the name of the wp login file? And adding the .htaccess to limit access to the follow-on login pages to referrers from my own site?

    • Brooke Testerman - -

      Ed,
      There is a WP plugin that uses fail2ban, but it would not be very helpful in this situation because of the large number of IPs involved in this attack (some are saying more than 90,000). So, even using fail2ban, this attack could use a different IP every second for 24 hours or longer, and they would have to have multiple login failures to even make the list.

      Both of your other options, changing the wp login file and adding a .htaccess file could be effective in the short term, but the attack could easily change tactics and bypass those changes, so we wouldn’t recommend it for a long-term solution.

      • Brooke & Ed,

        I use a hierarchical approach, starting with single IPs, then by subnet mask starting with 255.255.255.0 when more than a threshold are banned in that subnet, then up to 255.255.0.0 when too many 255.255.255.0 masks are banned, and so on up to class A networks. This takes care of both DHCP ranges and widely distributed botnets without having too much of a performance hit.

        After a subnet is blacklisted, I work with the administrators of the blacklisted IP ranges to help them remove the malicious traffic from their networks. Currently, I’m redesigning my site. When the updated site launches, I’ll be offering my blacklist service free of charge in return for links back to my site. As the number of people using my blacklist service to protect their websites increases, network administrators will be increasingly forced by their legitimate users to eliminate sources of malicious traffic from their networks.

        You can think of it as an Internet Quarantine Protocol, the CDC of the net. If a similar method were implemented at the network layer by all tier ISPs, it would be even more effective at stopping malicious traffic.
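The hierarchical escalation the commenter describes, written out as an added example (not the commenter’s own code): banned hosts roll up into a /24 once enough of them cluster there, banned /24s into a /16, and /16s into a /8. The thresholds in ESCALATION and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Escalation ladder: (prefix length, how many banned children of the previous
# level must fall inside one such network before the whole network is banned).
# The 5s are illustrative thresholds, not values from the comment.
ESCALATION = [(24, 5), (16, 5), (8, 5)]

def escalate_bans(banned_ips, ladder=ESCALATION):
    """Roll individual banned hosts up into /24, /16 and /8 blocks.

    Hosts that do not cluster stay as /32s; each ladder step only counts
    networks banned at the step below it, as the comment describes.
    Returns a sorted list of ipaddress.IPv4Network objects.
    """
    current = {ipaddress.ip_network(ip) for ip in banned_ips}  # /32s
    final = set()
    for prefix, threshold in ladder:
        parents = Counter(net.supernet(new_prefix=prefix) for net in current)
        promoted = {p for p, n in parents.items() if n >= threshold}
        # Children whose parent was not promoted are final at this level.
        final.update(n for n in current if n.supernet(new_prefix=prefix) not in promoted)
        current = promoted
    final.update(current)  # anything still standing at the top rung
    return sorted(final)

def is_blocked(ip, blocklist):
    """True if the address falls inside any banned network.

    Trade-off: a banned /16 also locks out every legitimate user in that
    range, which is why the commenter pairs escalation with outreach to the
    range's administrators.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)

# Constructed sample: one dense /24, five dense /24s inside one /16, and two
# isolated hosts.
SAMPLE_BANNED = (
    [f"110.85.69.{h}" for h in range(10, 16)]
    + [f"91.239.{s}.{h}" for s in range(1, 6) for h in range(1, 6)]
    + ["220.180.62.186", "120.33.241.121"]
)

if __name__ == "__main__":
    for net in escalate_bans(SAMPLE_BANNED):
        print(net)
```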

  6. There’s a lot of press on this issue:

    http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

    What’s being done to stop outbound traffic from compromised wordpress sites? Many times, the back-doors are going to be left functional even after the user has changed their password.

    Please monitor the outbound traffic from every site using WordPress for suspicious behavior until you’re 100% certain the sites are clean.

    • IX: Lisa G. - -

      Shannon,

      We are taking all steps to fully contain the effects of this attack.

      Lisa Grice
      Director of Operations

  7. How can we tell if we use wordpress?

    • IX: Robyn M. - -

      Hi Peter,

      The easiest way to tell is through the config file. If you look at the config file and it is called wp-config.php or mentions WordPress in it, it should be WordPress.

  8. I always recommended IX Webhosting to clients, but after feeling the wrath of these brute-force attacks I don’t feel the same way anymore. I had to go to a dedicated server due to this issue since all my sites are on WordPress.

    • IX: Steven A. - -

      Hi Anthony,

      These attacks have been targeting WordPress sites all over the world and not just the ones hosted on our servers. The admins have implemented their solution to the attacks and access to accounts is working normally. There is no way to prevent attacks of this nature and that is the truth for all web hosts. When an issue like this arises we alert our customers and find the quickest way to safely resolve the situation. Please do not feel that our servers are more vulnerable than any other, and if you have some specific questions about our security please contact us directly so we can address them in greater detail.

  9. Rename the admin account. What I have read is that attacks are on the admin account. Rename it and the attempts will all fail regardless of the password. Then they are just eating up bandwidth.

  10. Injustice to loyal customers
    We have been customers at ixwebhosting.com for 6 1/2 years. We have a few sites hosted here.
    Today one of our sites received about 20,000 visitors in a span of about 20 hours.
    During this time not more than 3000 (approx.) visitors came during any one hour.
    These visitors, too, appeared to them as a DDoS attack, and they closed the site. In spite of giving them all the details, they are not ready to release the site.
    So this is the treatment given to a loyal customer of more than 6 1/2 years.
    It appears people at ixwebhosting cannot tolerate even a few visitors on sites hosted there. SAD INDEED.

    • IX: Omari J. - -

      @Anubhav

      I apologize about the frustration you have experienced, but this is the process we use to stop DDoS attacks to certain IP addresses on the server. Unfortunately we are unable to stop the incoming IPs because there are so many different ones hitting the server at once. We do this with all customers and only for a certain duration of time and that depends on the number of requests to that IP. Once the duration of time has lapsed the filter is lifted and things return to normal. I hope I was able to clarify any confusion you may have experienced and we are here 24/7 to answer any further questions you may have.
