WordPress security - a heads up

47 replies
I received this from my hosting provider overnight. I don't use WordPress but I thought this might be useful information for those that do.

This is from one of the biggest and most technically knowledgeable players in the hosting world, so it's likely to be reliable information.

=======================
In an ongoing effort to make you aware of security and performance concerns, we wanted to inform you of an ongoing event.

There is a brute-force login attack targeted at websites with WordPress. Due to the nature of the attack, memory consumption on targeted servers has increased. In some cases this has resulted in degradation of performance, and unresponsive servers. This is due to a high volume of http requests which can cause some servers to start swapping memory to disk, and possibly run out of memory. The most impacted servers tend to be those with limited memory resources, especially those with 1GB of RAM or less.
=======================

Hope it helps.

Cheers,

Neil
  • MartinPlatt
    Okay, there's a plugin to lock after x number of invalid logins; that would close up this problem...
    • kindsvater
      Originally Posted by MartinPlatt:
        Okay, there's a plugin to lock after x number of invalid logins; that would close up this problem...
      Nope. This appears to amount to a DDOS attack.
      • jbyte
        Originally Posted by kindsvater:
          Nope. This appears to amount to a DDOS attack.
        And the host should be able to block the originating IP then.
  • EpicTraffic
    Better WP Security and Wordfence, free WP plugins, are the key to having a secured WP install.
    • Dennisknows
      Originally Posted by EpicTraffic:
        Better WP Security and Wordfence, free WP plugins, are the key to having a secured WP install.
      Do you use both of these together or choose one?
      • EpicTraffic
        Originally Posted by Dennisknows:
          Do you use both of these together or choose one?
        All our WP installs (currently more than 50) use both plugins to secure WP, and of course server hardening (we use mostly VPS and dedicated servers for our projects). Better WP Security and Wordfence are compatible. I suggest, and have, Akismet and Bad Behavior activated too (but that is another topic). Hope this helps!
  • Neil Morgan
    I think their point is that plugins etc. won't stop the slow-downs and outages, as the attacks will continue even if they are rebuffed.
  • SarahZT
    I got this same message from my hosting provider too. WP security plugins are essential and a step missed by so many, unfortunately!
  • onSubie
    WP security, plugins and your website configuration have no effect on this problem.

    If you have WP, no matter what the security plugins, a 'brute force' attack is going to have the same impact on servers, etc.

    If you have a unique login or a "lock-out" feature after x failed attempts, the brute force requests will continue.

    Your WP will detect the login attempt and deny it.

    And seconds later another request comes.

    Every time your site gets a bad login attempt, the security plugins run through their paces, detecting and preventing, which all uses server resources and time.

    This is what causes the memory consumption and resource problems mentioned in the notice. It is the host servers trying to manage all the requests, not the individual WP sites.

    If there was anything you could "do" to stop this, such as disable a common plugin or add a security feature, they would have told you in the notification.

    The notification is just FYI, letting you know that the attacks are occurring and what the impact could be.

    The host could block attacking IPs, but individual web sites on the servers can't stop direct brute force attacks.

    Notice it says the most impacted servers are those with limited memory resources. It doesn't say anything about WP security on individual sites being a factor.

    Of course, you should have individual site security to prevent your personal vulnerability to unauthorized access.

    But secure individual WP sites would not prevent a DDOS attack from affecting the host's servers.
    • BigGameHunter
      Originally Posted by onSubie:
        WP security, plugins and your website configuration have no effect on this problem.

        If you have WP, no matter what the security plugins, a 'brute force' attack is going to have the same impact on servers, etc.

        If you have a unique login or a "lock-out" feature after x failed attempts, the brute force requests will continue.

        Your WP will detect the login attempt and deny it.

        And seconds later another request comes.

        Every time your site gets a bad login attempt, the security plugins run through their paces, detecting and preventing, which all uses server resources and time.

        This is what causes the memory consumption and resource problems mentioned in the notice. It is the host servers trying to manage all the requests, not the individual WP sites.

        If there was anything you could "do" to stop this, such as disable a common plugin or add a security feature, they would have told you in the notification.

        The notification is just FYI, letting you know that the attacks are occurring and what the impact could be.

        The host could block attacking IPs, but individual web sites on the servers can't stop direct brute force attacks.

        Notice it says the most impacted servers are those with limited memory resources. It doesn't say anything about WP security on individual sites being a factor.

        Of course, you should have individual site security to prevent your personal vulnerability to unauthorized access.

        But secure individual WP sites would not prevent a DDOS attack from affecting the host's servers.

      That was a very long explanation, and you told us everything that can't happen.
      Not interested in a rehash of "the sky is falling". How about a solution instead?

      Your opinion, of course.
      • onSubie
        Originally Posted by BigGameHunter:
          That was a very long explanation, and you told us everything that can't happen.
          Not interested in a rehash of "the sky is falling". How about a solution instead?

          Your opinion, of course.

        Well, I just meant that the attacks are HTTP requests impacting the host, and that individual WP security settings, while protecting an individual site, would not protect the host from the DDOS attack.

        Nothing to do with the sky falling.

        The HTTP request comes before the request hits a WP installation.

        Some replies seemed to imply that this was a WP security issue.

        The attacks are attempting to exploit WP vulnerabilities, but the impact on the host servers is from the HTTP requests, not WP security problems on individual sites.

        So certainly there are things individuals can (and should) do to secure their personal sites and security, but fixing individual WP sites won't stop the HTTP requests and DDOS attack.

        If you want a solution, you need to look at measures the host can take, not individual sites.

        But that is not saying WP security isn't important, just that fixing individual site security won't stop a DDOS attack like this.

        And it is the DDOS attack that is slowing the servers and causing the problems related to being able to access web pages.

        The problems will stop when the host manages to block the IPs or bots that are conducting the attack, not after all the individual sites have updated their WP security settings.

        Someone suggested the solution of protecting your site by blocking IPs from China and Russia.

        That is a good idea for an individual site, but impractical for a host.

        And in a shared server environment this will not have much impact on your site performance, since you are sharing your server with many other web sites that are not blocking China and Russia.

        So while your site is protected, it is still living on a server that is being inundated with DDOS attacks.

        These things (DDOS) happen all the time. It is important to understand what is happening so you don't panic and can properly protect your own sites and files.

        Did you read the information at the link provided by butters?

        It has great information. But remember, a site on shared hosting does not have server access and can only protect that individual site, not the server itself.
        • kevindemara
          I have a plugin called Secure WordPress - "Basic security checks for securing your WordPress installation". Is this plugin sufficient, or can anyone recommend one that will further secure my site against these kinds of attacks? Thanks
  • davegarcia939
    I have the login attempt feature enabled. These days I am receiving many site lock-out notifications. According to the notifications, most of the attacks come from China and Russia.
  • Jesus Perez
    If you have WHM and you primarily market to the US, UK and other English speaking countries, then I recommend immediately blocking China and Russia at the country level to prevent these WP attacks. All the logs I've seen show these attacks originating from these 2 countries.

    How to Block certain countries from accessing your web site on WHM

    The above article will protect your entire server with a few clicks.

    The country codes you need are "CN,RU".
  • kpmedia
    .htaccess the admin folder.
    They can't hack what isn't there.
  • Seoptimistic
    We had the iframe injection and redirection problems last year and moved some of our websites to dedicated hosting. Attacks have started again nowadays and we are still having problems with some websites (not only WordPress); especially the .htaccess file, which doesn't have permissions to be written by even the owner, is getting some redirection code to Russian sites. We are moving all the websites from GoDaddy shared hosting to OVH dedicated servers.
  • webss
    Heard of a lot of people yesterday that use Limit Login Attempts saying they were getting notifications of lock-outs. Also see a bunch complaining that their sites, on shared hosts, have slowed down considerably.

    Must really be a big problem right now. Best of luck to all.
  • Igal Zeifman
    [DELETED]
    • SkyNetHosting
      Hello.

      We have been seeing this attack since April 9th. I would highly recommend updating all WordPress passwords.
      • Juba1
        Originally Posted by SkyNetHosting:
          Hello.

          We have been seeing this attack since April 9th. I would highly recommend updating all WordPress passwords.
        Well then why did you not update your clients? I think it's only right they should know, don't you agree?

        I'm using Cloudflare for my main sites and it gives the option to block access from countries' IPs etc. and seems to be doing the job well, but only time will tell.
        I also have Better WordPress Security and Limit Login Attempts plugins installed and, additionally, the OSE Firewall plugin lol.
        • SkyNetHosting
          Originally Posted by Juba1:
            Well then why did you not update your clients? I think it's only right they should know, don't you agree?
          Some of our clients have already been updated and others are being updated as we speak.
          • Juba1
            Originally Posted by SkyNetHosting:
              Some of our clients have already been updated and others are being updated as we speak.
            Yes, I just received an update, and it was only after I complained that nearly all my sites were down and many are going on and off and have been like this for quite a while. But even before this event, on any given day at least one or two sites were down, so maybe this attack has been going on longer at Skynet.

            My uptime monitor has been working overtime lately, and at one point I wanted to deactivate it because of the amount of downtime.

            Hope you guys get your servers sorted out, because with or without this latest attack, it was still very poor uptime.
  • SkyNetHosting
    Hello.

    You can use How Secure Is My Password? to check your password strength. Another option is to change your admin username to something else, as the attack is targeted towards blogs that use admin as their username.
  • kpmedia
    If you want to block IPs, you can do this: http://www.warriorforum.com/programm...highlight=spam
    Do it on the WordPress page.
    Nuking that PHP to certain IPs will block about 66% of junk traffic. That helps.
    It works better than any plugin. (You CANNOT always rely on plugins.)
  • butters
    Found an interesting article on brute force attacks; while you cannot stop them completely, you can limit their effectiveness.

    Blocking Brute Force Attacks - System Administration Database
    • BigGameHunter
      Originally Posted by butters:
        Found an interesting article on brute force attacks; while you cannot stop them completely, you can limit their effectiveness.

        Blocking Brute Force Attacks - System Administration Database
      Very good article.
      Much better than writing a book about what can't be done.
  • madeye32
    There was a plugin to LOCK THE IP after x number of fails, but I can't remember the name of it.
  • Joan Altz
    I've blocked China and Russia using CloudFlare. Getting too many of these buttheads trying to log in to my site every day, and I've had some intermittent hiccups with exhausted memory because of it. Thanks for the tip. Wasn't sure what to do about it and was just blocking IPs for long periods of time with the Limit Login Attempts plugin.
    • livo
      Is there any possibility of the hackers getting into our hosting account and bypassing WP security such as Wordfence? I seem to be having problems again after a recent attack.

      You can read my post here
  • RobinInTexas
    If you are on a dedicated server or VPS, you can configure iptables and fail2ban to mitigate the problem.

    If you are on shared hosting with WordPress, Wordfence as previously mentioned. Your shared provider should be using the previously mentioned solutions to manage the problem; ask them.
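The host-side blocking Robin describes (fail2ban feeding iptables), as an added example that is not from the thread: a small Python script that does what a fail2ban jail for wp-login.php does, counting failed POSTs per source IP inside a sliding time window over constructed Apache access-log lines and rendering the iptables DROP rules a host would push. It assumes the Apache combined log format and WordPress's default behaviour of answering a failed wp-login.php POST with 200 and a successful one with a 302 redirect; the thresholds are illustrative.

```python
"""Fail2ban-style detection of wp-login.php brute forcing from Apache access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: ip identd user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not from the thread): 192.0.2.9 fails slowly and
# never trips the window, 198.51.100.22 views the form, fails once, then logs
# in (302), and 203.0.113.7 hammers the login form five times in four seconds.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Apr/2013:03:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:03:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:03:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:03:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:03:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "curl/7.29"
203.0.113.7 - - [10/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2013:03:14:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2013:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def is_failed_login(method, path, status):
    """A failed wp-login.php POST re-renders the form (200); success redirects (302)."""
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200


def find_brute_forcers(log_text, maxretry=5, findtime=300):
    """Return {ip: time of the failure that crossed the threshold} for every source
    with at least `maxretry` failed logins inside any `findtime`-second window.
    Same semantics as fail2ban's maxretry/findtime: a sliding window per IP."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # not a combined-format line; ignore it
        ip = m["ip"]
        if ip in banned or not is_failed_login(m["method"], m["path"], int(m["status"])):
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        window = attempts[ip]
        window.append(ts)
        # Drop failures older than findtime so slow, spread-out attempts do not accumulate.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_drop_rules(banned):
    """The host-side block: one DROP rule per offending source, like fail2ban's action."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
    print("\n".join(iptables_drop_rules(hits)))
```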
  • psvent
    https://www.cloudflare.com is also a way to protect against DDOS, and it plugs right into the W3 Total Cache plugin if you have it installed.
  • Mike Hlatky
    I am getting these messages on my WordPress sites.

    I updated the .htaccess file to only allow my IP to see the admin area.
    • Stefan Shields
      This must be a huge attack.

      My host is saying that some hosting companies have completely blocked access to all WordPress admins; to gain access to any WordPress site on my host I must go through an extra login that they have set up.

      Hope this is resolved soon.
      • livo
        Originally Posted by Stefan Shields:
          This must be a huge attack.

          My host is saying that some hosting companies have completely blocked access to all WordPress admins; to gain access to any WordPress site on my host I must go through an extra login that they have set up.

          Hope this is resolved soon.
        Yep.

        In fact, earlier today I could not even log into any of my sites; even my hosting was down for a while.

        Looks like my site has been hacked again, according to a fellow warrior.

        Getting traffic to my Amazon sites but no clicks, and all my affiliate tracking IDs are ok, but still getting over 85% 301/404 redirects.
        • livo
          Any answers to my post 28?
          • Stefan Shields
            Originally Posted by livo:
              Any answers to my post 28?
            Impossible to answer without knowing how secure your passwords are, what extra security steps your host takes, etc. etc.

            But this attack is primarily targeted at WordPress installs, so it shouldn't affect your hosting login, just the WordPress logins.
            • SuperKristen
              Originally Posted by Stefan Shields:
                But this attack is primarily targeted at WordPress installs, so it shouldn't affect your hosting login, just the WordPress logins.
              As you said, just the WordPress logins.

              I have only the "Better WP Security" plugin installed, with login attempt configuration. Do you think this is ok to prevent attacks on my site?
            • onSubie
              Originally Posted by Stefan Shields:
                But this attack is primarily targeted at WordPress installs, so it shouldn't affect your hosting login, just the WordPress logins.
              It could; depending on what server your host login is on, it could be inaccessible too.

              The servers that host the sites are being overwhelmed by HTTP requests in a DDOS attack.

              The attack is making requests looking for WP installs, and insecure sites could be compromised or hacked.

              But the access and login problems are due to the servers being overwhelmed with HTTP requests, making them slow or unable to respond.

              Before the request hits your site, it hits the server that hosts your site and many others, unless you run on a dedicated server, and the servers are being overwhelmed trying to handle all those requests.

              If you can't access your WP site, it doesn't necessarily mean it has been hacked or compromised.

              It is just on a slow server that is too overwhelmed with other HTTP requests to process your HTTP request for the login URL.

              A request for your host login is also an HTTP request that has to be handled by a server first, so it knows which host to attach you to.

              If the host logins are on servers affected by the DDOS attack, they could also be extremely slow or unavailable.

              It is important to update your site security because attacks can come at any time, even if they are not this large and coordinated.

              If you look at your server logs (AWStats), even if you have security installed, you will see many attempts to access files and directories that normal visitors should not be trying to reach.

              Mahlon
    • Joan Altz
      Originally Posted by Mike Hlatky:
        I am getting these messages on my WordPress sites.

        I updated the .htaccess file to only allow my IP to see the admin area.
      How is this done? Does anyone have a simple copy/paste example? I'm blocking China and Russia but still getting a crapload of failed login attempts.
      • RobinInTexas
        Code:
        # wp-admin/.htaccess: only the listed address may fetch these admin scripts.
        # "Order deny,allow" is required so the Allow line overrides "Deny from all";
        # with "Order allow,deny" the deny would win and lock out every address,
        # including your own.
        <FilesMatch "^(admin|dashboard|index|admin-header|admin-footer|edit|edit-tags|options-reading|site-new|user-new|users|sites|tools|post|upload|themes|post-new|widgets|nav-menus)\.php$">
        Order deny,allow
        Deny from all
        Allow from xxx.xxx.xxx.xxx
        </FilesMatch>
        I placed this in wp-admin in order to get around a problem with the Wordfence plugin.

        As another poster here suggested, you could block wp-login.php:
        Code:
        # Goes in the site-root .htaccess, where wp-login.php lives. Same ordering
        # as above: deny everyone, then allow only your own address.
        <FilesMatch "wp-login\.php">
        Order deny,allow
        Deny from all
        Allow from your-ip-address-here
        </FilesMatch>
        Your Apache error log may grow considerably, as most of the access denied errors will be logged.
  • tq
    Note: This is a temporary work-around. We've been forced to block wp-admin outright to stabilize our servers and ensure that websites (both non-WordPress and WordPress) continue to load. This results in a NOT ACCEPTABLE message when trying to log into WordPress. The block on WP-Admin will be removed when our administrators are confident that service will not be impacted by the continued attack.

    * Add and/or edit the file .htaccess located in your /home/username/public_html/wp-admin

    * Add the code below and don't forget to replace ( your-ip-address-here ) with your physical IP address that you plan to use when working in your admin area.

    To get your IP address, go to Google.com and in the search bar type whats my ip.

    It should bring up your IP address.

    Google now shows your IP address when you search the term ( whats my ip ). Just another way Google is keeping you trapped in their space. Maybe?

    Add and/or edit the file .htaccess located in your /home/username/public_html/wp-admin

    Code:
    # Deny the whole directory to everyone, then let only your own address through.
    Order deny,allow
    Deny from all
    Allow from your-ip-address-here

    # wp-login.php lives in the site root, not in wp-admin, so this block only
    # takes effect in the root .htaccess. "Order deny,allow" is needed so the
    # Allow overrides "Deny from all"; with "Order allow,deny" the deny wins and
    # your own address is locked out too.
    <FilesMatch "wp-login\.php">
    Order deny,allow
    Deny from all
    Allow from your-ip-address-here
    </FilesMatch>

    If you do not have a .htaccess file, then open your notepad editor and save an untitled document.

    Then log in to your server with FTP and upload the untitled document.
    After uploading the untitled document, right click on it and rename it to .htaccess. Next,

    open the .htaccess file and put this in it.

    _________ begin code ______________

    Code:
    # Deny the whole directory to everyone, then let only your own address through.
    Order deny,allow
    Deny from all
    Allow from your-ip-address-here

    # Only effective in the site-root .htaccess, where wp-login.php lives.
    <FilesMatch "wp-login\.php">
    Order deny,allow
    Deny from all
    Allow from your-ip-address-here
    </FilesMatch>
    ________ end code _________________

    Basically it denies access to the folder and wp-login.

    You should not copy and paste, because it can add additional information that may give access to someone you do not want.

    If you must copy and paste:
    Copy the text, then paste it in a separate notepad doc, save the doc and name it whatever you want, then recopy the text from the file you just saved. Now paste as needed. By saving the doc it should strip any extra info you may have copied.

    For extra security add this:

    Code:
    # Refuse every web request for the .htaccess file itself.
    <Files .htaccess>
     order allow,deny
     deny from all
    </Files>
    This denies access to the .htaccess file so it cannot be changed online by code injected into your script.

    That is a little of what I do. Hope it works out for you.
    Let me know if you have questions.
    Good luck.
  • glooft
    For anyone that uses HostGator, there is a page on their support site that gives instructions on how to block regions or countries from your site.

    https://support.hostgator.com/articl...seeing-my-site
  • Wayne
    My webhost was having these WP brute force attacks and I didn't even notice it.
    From their latest blog post:
    Recent WordPress Brute-Force Attempts and More

    I've used Bluehost, Hostgator and a number of other lower cost webhosts, and Siteground has performed better than any of the others for me.
  • CyberAlien
    Here's an article about this from HostGator: Global WordPress Brute Force Flood | HostGator Web Hosting Blog | Gator Crossing

    I'd suggest simply having strong passwords that brute force won't work on. Also, start using CloudFlare to prevent your website from going offline.
    • BackLinkiT
      I was looking at Cloudflare but, unless I am much mistaken, in a shared hosting environment, unless everyone on the shared server has it, it's a waste of time?

      I can install it but others may not, and attacks on them may take the server down anyway...

      Am I right?

      Regards to all,

      Peter
      • RobinInTexas
        Originally Posted by BackLinkiT:
          I was looking at Cloudflare but, unless I am much mistaken, in a shared hosting environment, unless everyone on the shared server has it, it's a waste of time?

          I can install it but others may not, and attacks on them may take the server down anyway...

          Am I right?

          Regards to all,

          Peter
        You should keep your site secure, just because you should. If the DDOS affects the server, you will be affected until the server recovers.

        Your hosting company, or anybody on a VPS or dedicated server, should look at Fail2Ban.