
WARNING: A Global Attack on Wordpress sites in progress

Status
Not open for further replies.

Mark Talbot

(mods, please move this if this is wrongly placed)

(readers, don't dismiss this as the usual 'wordpress vulnerabilities' are expected)

This should apply to anyone using wordpress as a content site, or sales site, or any reason really.

My host has informed me that they are being hammered with support requests on domain accounts with wordpress instances. They suggested this new problem is global, affects ALL hosting providers, and anyone using wordpress.

They also said this is an ongoing new attack specifically targeting these sites.

They said that one would first notice their wordpress acp pages rendering really slow, and that they can't bulk-fix as it would potentially make their acp inaccessible.

Yesterday I took down my sales site as it had become corrupted with a mailer bot script. My site was muling spam thru my server. I was on the latest wordpress build. I don't know if this was related to the announcement today, but I only submitted my nos ticket yesterday regarding my site.




I give this warning to anyone here who uses wordpress for mini-content sites, bigger sites, or sales sites, basically anyone using wordpress.
 

Shane

The issue started popping up around the world about 14 hours before my site got infected.

My programmer found the problem.. It was a malicious trojan.

If your site is infected replace your index.php with an older version. Delete your cache and refresh.
 

Theo

In other news, North Korea moves another missile in upright position.
 

Shane

In other news, North Korea moves another missile in upright position.

Meh. I'm no longer responsible for dealing with nuclear issues.
 

vinsdomains.com

Wow, within 10 minutes of me reading this post, ALL of my wordpress sites went down. Crazy cyber world we live in!

Contacted support, who indicated ALL WordPress sites will go down temporarily, while they address security issues - nothing to do with host - it is all Wordpress, but they are fighting back!
 

Shane

Wow, within 10 minutes of me reading this post, ALL of my wordpress sites went down. Crazy cyber world we live in!

Contacted support, who indicated ALL WordPress sites will go down temporarily, while they address security issues - nothing to do with host - it is all Wordpress, but they are fighting back!

Did your host shut them down?

Oh and thanks for the bid. :D
 

vinsdomains.com

It was not the host, but Wordpress, according to my hosting provider, installing security tweaks. My sites are back up but were down 1-2 hours today.
 

Shane

That's very strange. My WP site hasn't had any down time. I wonder if they suspended the sites which were still infected. It's definitely a security issue within WP. I checked my FTP logs and plugins just to be sure.. Hopefully they'll resolve the issue quickly.
 

amplify

In other news, North Korea moves another missile in upright position.

I wondered why flights for 4 were only $1200 to Hong Kong... They used to be $1600-$2500 range. ;)

Family trip plus the afternoon in Hong Kong to celebrate my birthday when leaving on the 21st-- if I make it.

No problem with my Wordpress sites. I don't know if it has to do with a specific host or they are searching Google for Wordpress hosted sites. All mine are stripped of "wordpress" keyword, so they must pass over or it's due to a dedicated server.
 

draggar

Yesterday was a coordinated brute force attack, it started for me around 4am local time and went through the day. I get email alerts when someone fails a login attempt for some of my sites, I had over 20,000 when I got home, I can only guess I had over 75,000-100,000 attempts on all my sites - most likely much higher.

As far as I know none of my sites are cracked but I also have login lockdown which eventually would have stopped it but word has it that the attackers / botnet used over 90,000-100,000 IP addresses (and I'm sure with each site compromised they added to it).

Just make sure your Wordpress software and plugins are up to date and have a damn good admin password. I don't want to get into other precautions since this post will become a "how to" for hackers.
 

Theo

It's an internal issue not a brute force tactic. :)

The attacks aren't taking advantage of any current WordPress issues or vulnerabilities. They are simply linear attacks to 'guess' the admin password. The WP admin account should be renamed so that 'admin' would not even validate.
 

chipmeade

message from Matt...the founder of WordPress. http://ma.tt/2013/04/passwords-and-brute-force/

Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
 


inquisitive

What I have noticed since reading the news / this post.

If you are installing a new blog, create a new user name for admin, do not just use admin :)

However, if you have an old installation of wordpress that you have upgraded thru the years, then your username is most likely admin.
So the suggestion out there is to create a new account, and demote or delete the old one (when you delete the old one you are given the opportunity to transfer the posts to the new account).

Unfortunately that is not really a solution (I did this to one of my sites already), because the bad guys can figure out the new username just by typing site.com/?author=1 and wordpress will redirect to the username of that ID, so then another solution is needed like this one.
http://wordpress.org/support/topic/author1-2-3-how-to-stop-it

However this may not be the best solution.. just one of them
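
Added example, not part of any post in this thread: a log check for the two behaviours discussed above, namely login guessing spread over so many IP addresses that a per-IP lockout never triggers, and `?author=N` username lookups. It assumes a combined-format access log and WordPress's default login responses (HTTP 200 on a failed login, 302 on success); the function name, thresholds and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (documentation IP ranges, not real traffic):
# 40 sources with one failed login each, one author-ID scan, one real login.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.{i} - - [13/Apr/2013:04:00:{i:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"'
     for i in range(1, 41)]
    + ['203.0.113.7 - - [13/Apr/2013:04:01:00 +0000] '
       '"GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
       '203.0.113.7 - - [13/Apr/2013:04:01:01 +0000] '
       '"GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
       '192.0.2.10 - - [13/Apr/2013:04:02:00 +0000] '
       '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'])

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR = re.compile(r'[?&]author=\d+')

def analyse(log_text, per_ip_limit=5, site_limit=30):
    """Summarise failed logins per IP and site-wide, plus author-ID probing."""
    failed = Counter()         # failed wp-login.php POSTs per source IP
    author_probes = Counter()  # ?author=N requests per source IP
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        # Assumption: a failed login re-renders the form (200); success is 302.
        if method == "POST" and is_login and status == "200":
            failed[ip] += 1
        elif method == "GET" and AUTHOR.search(path):
            author_probes[ip] += 1
    over = sorted(ip for ip, n in failed.items() if n > per_ip_limit)
    # Attempts from sources that stay under the per-IP lockout threshold.
    missed = sum(n for n in failed.values() if n <= per_ip_limit)
    return {
        "failed_logins": sum(failed.values()),
        "distinct_sources": len(failed),
        "ips_over_per_ip_limit": over,
        "missed_by_per_ip_limit": missed,
        "distributed_attack": missed >= site_limit,
        "author_enumeration": sorted(
            ip for ip, n in author_probes.items() if n >= 2),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, no single address crosses the per-IP limit, yet the site-wide count flags the campaign, which is the case a lockout plugin keyed on source IP does not see.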
 

amplify

Simple fix going forward, install WP from cPanel and pick a username that's not "admin" then let it generate a strong password for you.
 