Previously on "Wordpress under attack"

  • lilelvis2000
    replied
    Originally posted by NickFitz View Post
    I believe so. It's a botnet that's crawling all over the web looking for WordPress sites, so if it hasn't visited yet that doesn't mean it won't eventually. At the moment though all it does is try to brute-force the password for the account named "admin", so if your administrator account has a different name it won't get anywhere. Good passwords will keep it out, but the problem is if it thinks there's an account called "admin" (from the message it gets when it's rejected, I assume) it'll keep trying for ages, amounting to a massive DDOS against the site.
    I noticed a massive spike on my site around 3 weeks back. Suspect it was this bot. In my case there was a spike of about 400 visits in one day. The usual number is about 150.



  • lilelvis2000
    replied
    I have WP and have ditched the admin account. I also attribute the posts to another user account which has minimum capabilities.

    That seems to have kept my site safe so far.



  • NickFitz
    replied
    Originally posted by Cliphead View Post
    I have a number of WP sites all with hardened security. Google Analytics doesn't show unusual traffic. Is this attack still ongoing?
    I believe so. It's a botnet that's crawling all over the web looking for WordPress sites, so if it hasn't visited yet that doesn't mean it won't eventually. At the moment though all it does is try to brute-force the password for the account named "admin", so if your administrator account has a different name it won't get anywhere. Good passwords will keep it out, but the problem is if it thinks there's an account called "admin" (from the message it gets when it's rejected, I assume) it'll keep trying for ages, amounting to a massive DDOS against the site.



  • Cliphead
    replied
    I have a number of WP sites all with hardened security. Google Analytics doesn't show unusual traffic. Is this attack still ongoing?



  • NickFitz
    replied
    Originally posted by Jessica@WhiteFieldTax View Post
    One basic additional thing I've done though - and in retrospect it seemed so basic that I don't know why I didn't do it before - is to lose the "admin" user name.
    This is, it seems, the single most important thing to do in the face of this attack. Here's some wisdom from Matt Mullenweg, creator of WordPress, on the matter; and an explanation of how to go about it, including the all-important step of changing attribution of existing posts so they don't disappear: Change your WordPress admin Username

    Do remember to back up your database first, too.

    EDIT: done mine. Would have gone more smoothly if I'd remembered the bit about logging out, then back in as the new administrator - turns out WordPress won't let you delete the user you're logged in as.
    Last edited by NickFitz; 16 April 2013, 19:23.



  • ThomserveBAS
    replied
    Originally posted by SimonMac View Post
    I assume like the majority of attacks these days, people exploit the laziness or lack of knowledge that most people have. I am using WordPress › Better WP Security « WordPress Plugins to take the basic vulnerabilities away
    Thanks for the tip about Better WP Security - I've installed it on my network of sites so hopefully improved security a little.



  • Jessica@WhiteFieldTax
    replied
    I run our firm's web site in WordPress.

    I have an alert on bogus logins, and last week it went into overdrive. Fortunately I have security plugins, including IP banning after 5 incorrect logins.

    One basic additional thing I've done though - and in retrospect it seemed so basic that I don't know why I didn't do it before - is to lose the "admin" user name.

    But brute force is difficult to resist. Interestingly another WP site I administer had only 1/10th the number of bogus logins. It's older, but less content and less prominent on search engines.

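Added example (not part of any post in this thread): the per-IP lockout described above, a ban after 5 incorrect logins, run over a web access log. It assumes a combined-format log and that a rejected `wp-login.php` POST returns 200 while a successful one redirects with 302; the log lines, function names and 10-minute window are constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (timestamp, ip) for every failed POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        # Assumption: a rejected login re-renders the form with 200,
        # while a successful one answers with a 302 redirect.
        if (m["method"] == "POST" and path.endswith("/wp-login.php")
                and m["status"] == "200"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def ips_to_ban(log_text, max_failures=5, window=timedelta(minutes=10)):
    """IPs that reach max_failures failed logins inside one sliding window."""
    recent, banned = defaultdict(deque), set()
    for ts, ip in failed_logins(log_text):
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_failures:
            banned.add(ip)
    return banned

def failures_per_ip(log_text):
    """Failed-login count per source IP; many low counts suggest a botnet."""
    return Counter(ip for _, ip in failed_logins(log_text))

def _line(ip, clock, method, status):
    # Builds one constructed "combined"-format line (not real traffic).
    return (f'{ip} - - [16/Apr/2013:{clock} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"19:00:{s:02d}", "POST", 200) for s in range(6)]
    + [_line("198.51.100.23", "19:01:00", "POST", 200),   # one typo...
       _line("198.51.100.23", "19:01:09", "POST", 302),   # ...then a real login
       _line("192.0.2.44", "19:02:00", "GET", 200)]       # just viewing the form
    + [_line(f"192.0.2.{n}", f"19:03:{n:02d}", "POST", 200) for n in range(10, 14)]
)

if __name__ == "__main__":
    print("ban:", sorted(ips_to_ban(SAMPLE_LOG)))
    print("failed attempts per IP:", dict(failures_per_ip(SAMPLE_LOG)))
```

The last four constructed lines each come from a different address with a single failure, so none reaches the per-IP threshold; the per-IP counts are there to make that spread visible alongside the ban list.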


  • administrator
    replied
    From the article:

    ..those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.
    So they are just using brute force - no new-found security flaws with WP, just bad password management.



  • Sysman
    replied
    Originally posted by SimonMac View Post
    It's like the old story about Macs not needing Anti Virus because there are less of them so they are less appealing targets for hackers etc. One vulnerability on a system with hundreds of millions of users is a better return than dozens of vulnerabilities on a system with a few thousand users.
    It depends what the bad guys' aims are.

    Stuxnet demonstrated that for high value or strategic systems it can be worth a lot of effort targeting relatively few systems.



  • SimonMac
    replied
    It's like the old story about Macs not needing Anti Virus because there are less of them so they are less appealing targets for hackers etc. One vulnerability on a system with hundreds of millions of users is a better return than dozens of vulnerabilities on a system with a few thousand users.



  • d000hg
    replied
    Originally posted by yasockie View Post
    Custom or less popular systems are not really any more or less secure, they're just less popular so that there is less incentive to attack them..
    I think in general they are very much less secure because they don't have all the holes found and fixed, and they don't have a team continually working on them and rigorously testing the security.



  • yasockie
    replied
    or get Wordpress hosted on wordpress.com or even get wordpress VIP (see qz.com as an example - they're not getting hacked, are they?)
    It's an interesting thing, because WP is so popular it makes sense to attack.
    Custom or less popular systems are not really any more or less secure, they're just less popular so that there is less incentive to attack them..



  • SimonMac
    replied
    I assume like the majority of attacks these days, people exploit the laziness or lack of knowledge that most people have. I am using WordPress › Better WP Security « WordPress Plugins to take the basic vulnerabilities away



  • Sysman
    started a topic Wordpress under attack

    Wordpress under attack

    Time to check your Wordpress installations, folks.

    Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.
    “We’re talking about Web servers, not home PCs. PCs may be connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”

    Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.
    Brute Force Attacks Build WordPress Botnet