  1. #1 2ndmouse

    WP sites undergoing Brute Force Attack

    I am advised by my service provider (FASTVISION) that WordPress sites around the globe are currently undergoing a "Brute Force Attack", since 12 April.

    As a precaution, they are adding an extra layer of security to all WordPress login pages in the form of an additional login dialog.

    Has anyone else heard of this attack?

  2. #2 Pullo
    Hi,

    I read about this on the BBC: http://www.bbc.co.uk/news/technology-22152296

    Also, on Friday, when I tried to login to my WP backend, it returned a 501 for about two hours.
    I phoned my provider and they said that many of their WP customers were reporting this and had no idea what was causing it.
    No idea if it was related.

  3. #3 guido2004
    It could well be related. One of my providers has added an additional login as well to shield off the WP admin login from this attack.

  4. #4 Pullo
    Quote Originally Posted by guido2004:
    It could well be related. One of my providers has added an additional login as well to shield off the WP admin login from this attack.
    Yeah, they weren't giving very much away when I spoke to them, so it's hard to tell.

    I'm pretty paranoid when it comes to security and when setting up any WP site, I follow most, if not all, of the recommendations to tighten the security (e.g. delete the user "admin", alter the default table prefix, change the file permissions accordingly, and so on ...)

    This takes quite a bit of effort at the time, but is invariably worth it when things like this pop up.

  5. #5 xhtmlcoder (Robert Wellock)
    Brian Krebs (KrebsOnSecurity) did a blog article on this several days back: Brute Force Attacks Build WordPress Botnet.

  6. #6 Force Flow
    I haven't noticed anything on my WordPress sites, and there hasn't been an abnormally high number of IP lockouts.

    From what I read earlier, the attacks seemed to focus on the hostgator and LiquidWeb hosting providers.

    I'm not using either.

  7. #7 felgall (Stephen J Chapman)
    Quote Originally Posted by Pullo:
    I'm pretty paranoid when it comes to security and when setting any WP site, I follow most, if not all of the recommendations to tighten the security (e.g. delete the user "admin", alter the default table prefix, change the file permissions accordingly, and so on ...)

    This takes quite a bit of effort at the time, but is invariably worth it when things like this pop up.
    If you go to http://bit51.com/software/better-wp-security/ and install that plugin into your WordPress site it can automatically apply all the changes you mention and many more security measures in just a couple of mouse clicks.

  8. #8 Pullo
    Quote Originally Posted by felgall:
    If you go to http://bit51.com/software/better-wp-security/ and install that plugin into your WordPress site it can automatically apply all the changes you mention and many more security measures in just a couple of mouse clicks.
    Yeah, I had done that already (paranoid, see above).
    I also recommend the Login Lockdown plugin which can protect against the kind of attack in question.
    I know the plugin page says it hasn't been updated in a while, but it still works exactly as it should.

  9. #9 felgall
    Quote Originally Posted by Pullo:
    Yeah, I had done that already (paranoid, see above).
    I also recommend the Login Lockdown plugin which can protect against the kind of attack in question.
    I know the plugin page says it hasn't been updated in a while, but it still works exactly as it should.
    From what I can see the functionality in the better-wp-security plugin includes the functionality of the login-lockdown plugin - I get quite a few emails from the security plugin advising me that certain users have been locked out for a period of time due to too many invalid login attempts having been made. Or have I overlooked something?

  10. #10 Community Advisor
    I always put an additional .htaccess login on the admin directory. Simple and effective.
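    What the ".htaccess login" in the post above amounts to in practice, as an added example that is not part of the thread: a script that writes the two pieces Apache needs, an htpasswd entry in the APR1-MD5 format that `htpasswd -m` produces, and the `.htaccess` directives for the site root and for `wp-admin/`. Two details a practitioner wants and the one-liner above leaves out: WordPress's login form is `wp-login.php` in the site root, so protecting only the `wp-admin/` directory leaves the form the botnet is hitting wide open, and `wp-admin/admin-ajax.php` has to stay reachable because front-end plugins call it for anonymous visitors. The path `/var/www/private/.htpasswd` and the user name `editor` are assumptions for the demonstration.

```python
"""Put HTTP Basic authentication in front of the WordPress login with Apache.

Added example (not from the thread). Generates an htpasswd entry in Apache's
APR1-MD5 format (what `htpasswd -m` writes and every Apache build accepts)
and the .htaccess directives for the site root and for wp-admin/.
"""
import hashlib
import secrets
import textwrap

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: str, salt: str) -> str:
    """APR1: salted MD5 with 1000 stretching rounds, "$apr1$<salt>$<22 chars>"."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 characters from ITOA64")
    pw, s = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                  # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v: int, n: int) -> str:          # crypt(3)-style base 64, low bits first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    out += to64(final[11], 2)
    return f"$apr1${salt}${out}"


def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """One AuthUserFile line; a fresh random salt unless one is supplied."""
    if not user or ":" in user:
        raise ValueError("invalid user name")
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def htaccess_files(htpasswd_path: str, realm: str = "Site administration") -> dict:
    """Apache 2.4 directives for two files, keyed by path under the docroot.
    wp-login.php sits in the site root, so a rule on wp-admin/ alone would
    leave the login form exposed; admin-ajax.php is exempted because
    front-end plugins call it for anonymous visitors."""
    auth = (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )
    root = '<Files "wp-login.php">\n' + textwrap.indent(auth, "    ") + "</Files>\n"
    admin = auth + '<Files "admin-ajax.php">\n    Require all granted\n</Files>\n'
    return {"/.htaccess": root, "/wp-admin/.htaccess": admin}


if __name__ == "__main__":
    # Assumed path: the htpasswd file must live outside the web root.
    print(htpasswd_line("editor", "change-me"))
    for path, body in htaccess_files("/var/www/private/.htpasswd").items():
        print(f"# {path}\n{body}")
```

    Before relying on a generated entry, compare it with `htpasswd -nbm user password` on the same server; where the server's htpasswd offers bcrypt (`-B`) that is the stronger choice. Use a password for this layer that is not shared with any WordPress account, since the point of the second dialog is that the botnet's wordlist now has to get past something that is not WordPress.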

  11. #11 Slackr
    Quote Originally Posted by Pullo:
    Yeah, I had done that already (paranoid, see above).
    I also recommend the Login Lockdown plugin which can protect against the kind of attack in question.
    I know the plugin page says it hasn't been updated in a while, but it still works exactly as it should.
    From what I understand about this attack, Login Lockdown will not protect users. They're using a botnet of up to 90k and so IP addresses are changing too frequently for the lockouts of a single IP to be effective. Better WP Security includes some more features that better protect websites (e.g., changing the default user ID=1).

    Also, this is not just targeted at particular hosts. I'm sitting at the bottom of the world and using a local hosting company and seeing the evidence of these attacks over the last 30 or so hours. I'm using Wordfence and can see the login attempts and also the fact that they are changing too rapidly to be blocked by the lock-out type functions of these plugins.
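    Slackr's point above, that a 90k-host botnet making a couple of guesses per IP never trips a per-IP lockout, is easy to see in an access log. The following is an added example (not from the thread or from any of the plugins named): it parses Apache combined-format lines, constructed in the script and labelled as such, and runs two detectors over them, a per-IP sliding-window lockout of the kind Login Lockdown implements and a site-wide detector keyed on failure volume and the number of distinct source IPs. It relies on one WordPress behaviour: a failed POST to `wp-login.php` re-renders the form with HTTP 200, a successful one answers 302 to `wp-admin/`, so the log separates failures from successes without the POST body. The thresholds (5 failures per IP in 5 minutes; 30 failures from 20 IPs in a minute) and the test-range addresses are assumptions chosen for the demonstration.

```python
"""Why per-IP lockouts miss a distributed brute force against wp-login.php.

Added example (not from the thread). Parses Apache combined-format access
log lines, constructed below, and compares two detectors:
  * a per-IP sliding-window lockout, the logic Login Lockdown-style plugins use
  * a site-wide detector keyed on failure volume and distinct source IPs
WordPress re-renders the form with HTTP 200 on a failed wp-login.php POST
and answers a successful one with a 302 to wp-admin/, so an access log can
separate the two without seeing the POST body.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}


def is_failed_login(ev) -> bool:
    return (ev["method"] == "POST" and ev["path"].endswith("/wp-login.php")
            and ev["status"] == 200)


def per_ip_lockouts(events, threshold=5, window=timedelta(minutes=5)) -> set:
    """IPs reaching `threshold` failures inside `window`: what a per-IP
    lockout plugin would block."""
    recent, locked = defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked.add(ev["ip"])
    return locked


def distributed_alerts(events, min_failures=30, min_ips=20) -> list:
    """Per one-minute bucket: (minute, failures, distinct IPs) for buckets
    where both the failure count and the source spread exceed thresholds."""
    per_minute = defaultdict(list)
    for ev in events:
        if is_failed_login(ev):
            per_minute[ev["ts"].replace(second=0, microsecond=0)].append(ev["ip"])
    return [(m, len(ips), len(set(ips))) for m, ips in sorted(per_minute.items())
            if len(ips) >= min_failures and len(set(ips)) >= min_ips]


def log_line(ip, t, method, path, status) -> str:
    """Constructed combined-format line (not a real log)."""
    return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


T0 = datetime(2013, 4, 15, 9, 30, tzinfo=timezone.utc)


def build_botnet_log() -> list:
    """40 hosts in the RFC 5737 test range, two failed POSTs each within one
    minute, plus a real user who mistypes once and then logs in (302)."""
    lines = []
    for i in range(40):
        ip, t = f"198.51.100.{i + 1}", T0 + timedelta(seconds=i)
        lines.append(log_line(ip, t, "GET", "/wp-login.php", 200))
        lines.append(log_line(ip, t, "POST", "/wp-login.php", 200))
        lines.append(log_line(ip, t + timedelta(seconds=10), "POST", "/wp-login.php", 200))
    lines.append(log_line("203.0.113.7", T0 + timedelta(seconds=20), "POST", "/wp-login.php", 200))
    lines.append(log_line("203.0.113.7", T0 + timedelta(seconds=35), "POST", "/wp-login.php", 302))
    return lines


def build_single_source_log() -> list:
    """One host making six failed attempts inside two minutes."""
    return [log_line("203.0.113.9", T0 + timedelta(seconds=20 * k), "POST", "/wp-login.php", 200)
            for k in range(6)]


def analyse(lines) -> dict:
    events = [ev for ev in map(parse_line, lines) if ev]
    return {"failed_logins": sum(is_failed_login(e) for e in events),
            "per_ip_lockouts": per_ip_lockouts(events),
            "distributed_alerts": distributed_alerts(events)}


if __name__ == "__main__":
    for name, lines in (("botnet", build_botnet_log()), ("single source", build_single_source_log())):
        print(name, analyse(lines))
```

    On the botnet sample the per-IP detector locks nobody out while the site-wide one raises a single alert for the minute in question; on the single-source sample the roles reverse. Both are needed, and the site-wide signal is what justifies the hosting providers' response in this thread of putting a second layer in front of the login rather than tuning lockout thresholds.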

  12. #12 Pullo
    Quote Originally Posted by felgall:
    From what I can see the functionality in the better-wp-security plugin includes the functionality of the login-lockdown plugin - I get quite a few emails from the security plugin advising me that certain users have been locked out for a period of time due to too many invalid login attempts having been made. Or have I overlooked something?
    No, sorry, I did.
    I have quite a few sites running WP and the ones that keep emailing me that users have been locked out are running better-wp-security, not login lockdown.
    I do use login lockdown on one site, but this is a site that I have only shared with some family and friends and has thus stayed off the hackers radar.

    Quote Originally Posted by Slackr:
    I'm using Wordfence and can see the login attempts and also the fact that they are changing too rapidly to be blocked by the lock-out type functions of these plugins.
    I've not tried Wordfence yet, so thanks for the recommendation.
    I'll have a look at this for the next WP site that comes up.
    better-wp-security also logs failed login attempts (as felgall mentioned) and I've been quite happy with it so far, but it's always good to know what else is out there.

  13. #13 2ndmouse
    Just wondering if any of you guys have received info from your service provider as to when this attack might end. It's 6 days since it started and the extra login is still in place on my WP sites. My service provider tells me that they don't know how long this attack will last - are you guys getting the same feedback? Apparently, there's around 100,000 compromised machines working on behalf of the hackers.