General Security Alert

As some of you may be aware, the last 72 hours have seen a massive spike in brute force attacks on WordPress sites.

Please ensure that your admin passwords are very, very strong and make use of as many different character types as possible.

In particular, look at your error logs and watch for a lot of failed login attempts.

Use plugins like Wordfence that allow you to limit the number of failed login attempts before banning someone.

For more information read here:

https://premium.wpmudev.org/blog/security-alert-for-wordpress-users/

http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

I had one of my own sites basically crippled yesterday which resulted in it needing its permissions set to 0 and http being suspended on the server whilst we got the situation under control.

Cheers

Tom

  • Vaughan
    • Support/SLS MockingJay

    I agree.

    The length of the password, in most cases, is more important than the complexity of the password.

    Passwords like &#fgHY76 can be cracked within 4 hrs these days (note: it is complex, but it's only 8 characters long).

    If you really want to test how secure your password is, visit https://www.grc.com/haystack.htm

    It's a great site and tells you a lot about your passwords.

    For instance, my password for this site alone (wpmudev) would take over 100 million centuries to brute force using an offline array of computers, and even longer using an online brute force attack.

    Also, changing your admin username to something other than admin/administrator/webmaster etc. will offer some, but limited, protection.

    But your password is only as secure as the hashing algorithm used to protect it in the database, and encryption should never be used to hide passwords; it should always be a one-way hashing algorithm.

  • diogenese19348
    • Design Lord, Child of Thor

    Since nobody has mentioned it yet… this particular attack is on the account name “admin”. It might be a REALLY good idea not to use that account name as your superadmin account. Set some other account as superadmin and delete that account.

    It is far better if they have to guess at both the account name and the password, than the password alone.

    EDIT: I see the last person to post already mentioned that. In any case, make that change.

  • BobSgt
    • Design Lord, Child of Thor

    I had a security problem last week. It was resolved (so far) with several plug-ins recommended by AECNU.

    One notable thing occurred: I found a disabled theme that I had not installed named macosx. I deleted it once, it re-appeared. Since I was very early on in development, I tore my site down and reinstalled.

    No problems since then, but anyone who is impacted might want to look for the presence of disabled themes.

  • tripvendor
    • The Bug Hunter

    Login limiters won’t stop this attack; they are using something like 90,000 IPs and rotating at a super fast pace…

    As mentioned above, they are looking for the username admin, which, if you have it, will suck server resources as they pound away at it no matter how good your password is.

  • Imperative Ideas
    • HummingBird

    You could also relocate the login, which stops bots dead in their tracks.

    Add this to your functions.php, but make sure to replace “$login_page_id”:

    // This will redirect the actual login page to your new page.
    // login_init fires in wp-login.php before the form is rendered; only GET
    // requests without an action are redirected, so the form posted from your
    // new page (which still submits to wp-login.php) and logout/lostpassword keep working.
    add_action( 'login_init', 'custom_login_redirect' );
    function custom_login_redirect()
    {
        if ( 'wp-login.php' == $GLOBALS['pagenow']
            && 'GET' === $_SERVER['REQUEST_METHOD']
            && empty( $_GET['action'] ) )
        {
            // Set your $login_page_id (the ID of the page that holds wp_login_form())
            $login_page_id = 0;
            wp_redirect( get_permalink( $login_page_id ) );
            die;
        }
    }

    // This will replace the login url used by WordPress
    add_filter( 'login_url', 'custom_login_url', 10, 2 );
    function custom_login_url( $login_url = '', $redirect = '' )
    {
        // Set your $login_page_id
        $login_page_id = 0;
        return get_permalink( $login_page_id );
    }

    On your new login page, you can simply add this function to show a login form:

    <?php wp_login_form(); ?>

    http://wordpress.stackexchange.com/a/87750/28719

  • diogenese19348
    • Design Lord, Child of Thor

    I have six WP installations I maintain on 3 different hosting sites, and frankly I am not seeing all that much activity. Worst case is attempts by 3 IPs, with one coming back after a 24 hour lockout. Not much of a pounding.

    Moving that wp-login is probably a pretty good idea either way. functions.php is located in the theme folder, isn’t it? Which means you have to do that for every theme located on a multi-user site? Yuck.

  • phillcoxon
    • The Crimson Coder

    @diogenese19348 – it very much depends on the site. I have a client website that has been hammered by the attack for days. Whether it’s random or being targeted I don’t know.

    Fortunately I had Wordfence and login limiting plugins in place before the attack started, so it’s all been fine.

  • Jennifer
    • New Recruit

    I know I’m a newbie, but a billion years ago when my father worked on a mainframe (if you have to ask what that is, you wouldn’t understand anyway) he had a sync key that essentially sent a new passcode to him upon requesting access. The pager style “key” generated a code that only lasted for a short duration and was only good for single access. Couldn’t a plugin like the one that creates complex expiring URLs for Amazon S3 be adapted for a similar purpose?

  • phillcoxon
    • The Crimson Coder

    Yes there are all sorts of great solutions for increasing login security.

    The number one priority is increasing password strength. Combine it with a secure password manager (LastPass.com or 1Password, for example).

    Then there are plugins that restrict login to a certain time of the day or to specified IP addresses (Better WordPress Security plugin as an example).

    Next you can step it up to a two factor authentication method that relies on a separate form of authentication along with your password.

    Some examples are Google’s 2-factor authentication, authy.com and yubikey.

    I use Yubikeys – http://www.yubico.com/products/yubikey-hardware/yubikey/technical-description/

    Basically I can’t access my LastPass password manager unless I have both the password and insert one of my YubiKeys and press the button. This way I can additionally secure both my own passwords and client passwords with a hardware solution rather than just a password.

    There are various plugins for WordPress to enable 2-factor authentication using these services.

    Lots of ways to improve security… most people just never get around to it until it’s too late :slight_frown:

  • Vaughan
    • Support/SLS MockingJay

    @phillcoxon

    I have a YubiKey too :slight_smile: Great little device, one-time pass key.

    Though it may not be convenient for everybody due to it costing around $10 for the basic USB key; not everyone will want to fork out any money for that. But personally I like it. Never used it with WordPress though; I only got the key myself because I integrated the YubiKey auth into another CMS I was a developer for.

    Is there a YubiKey plugin for WordPress already, then? And is there a YubiKey key server so that users can create their own auth key server instead of using Yubico’s?

  • steve Pershall
    • The Crimson Coder

    Well, my server received that kind of a spike, but the server had to be rebooted because there were too many open connections, which made the server come to a crawl. Which probably was a good thing, because there were no resources left for the hackers to gain control of the server LOL

  • Shawn
    • The Crimson Coder

    I host & manage a few hundred WP sites and can tell you that while Limit Login Attempts is a nice way to do exactly that (limit login attempts) – it will not actually diminish the traffic – so the denial of service caused by the attacks will continue.

    Also, the suggestion to change the admin user name is important – but it has almost no effect except for very poorly written bots (fortunately, that’s most of them). Collecting the username is as simple as “?author=1”. I’ve seen bots hit everything from 1 to 1000 trying to collect the author username.

  • Shawn
    • The Crimson Coder

    High 5 digits would be great – except I doubt it would prevent brute force attacks trying to obtain the first author ID. On a client’s massive multisite installation a couple years ago we had a bot go all the way up to 200,000 before I discovered it and blocked the IP address. A better solution would be to defuse that pattern so it returned a 4xx error. No sense providing a URL format that will literally only be used to abuse you – and has no legitimate purpose. There aren’t any hooks or filters to prevent the ?author= syntax from working, though, so the best we can do is in .htaccess:

    # BEGIN block author scans
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # \d+ matches the numeric author ID; the backslash was lost in the original post
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]
    </IfModule>
    # END block author scans
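Tom's advice to watch for failed login attempts and Shawn's point about ?author= enumeration both come down to reading the web server's access log. This is an added Python example, not code from the thread, that scans Apache combined-format lines for both patterns and names the IPs that cross a threshold; the log lines are constructed (RFC 5737 addresses), and treating a 200 reply to POST /wp-login.php as a failed login and a 302 as a success is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log excerpt (not real traffic, RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"
198.51.100.9 - - [12/Apr/2013:10:01:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "-"
198.51.100.9 - - [12/Apr/2013:10:01:01 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "-"
192.0.2.44 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

def parse(lines):
    # Yield one dict per well-formed line; anything that does not parse is skipped.
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def failed_logins_by_ip(lines):
    """Count POST /wp-login.php requests answered with 200 per source IP.
    Assumption: WordPress re-renders the form (200) on a bad password and redirects (302) on success."""
    counts = defaultdict(int)
    for r in parse(lines):
        if r["method"] == "POST" and r["path"].startswith("/wp-login.php") and r["status"] == "200":
            counts[r["ip"]] += 1
    return dict(counts)

def author_scans_by_ip(lines):
    """Collect the distinct ?author=N IDs each IP requested (username enumeration)."""
    ids = defaultdict(set)
    for r in parse(lines):
        m = AUTHOR_RE.search(r["path"])
        if m:
            ids[r["ip"]].add(int(m.group(1)))
    return {ip: sorted(v) for ip, v in ids.items()}

def suspicious_ips(lines, login_threshold=5, author_threshold=3):
    """Map IP -> reason for every source that crosses either threshold."""
    flagged = {}
    for ip, n in failed_logins_by_ip(lines).items():
        if n >= login_threshold:
            flagged[ip] = f"{n} failed wp-login.php POSTs"
    for ip, ids in author_scans_by_ip(lines).items():
        if len(ids) >= author_threshold:
            flagged[ip] = f"author enumeration, IDs {ids[0]}-{ids[-1]}"
    return flagged
```

The flagged addresses are the candidates for the .htaccess deny or route reject discussed further down the thread.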

  • Vaughan
    • Support/SLS MockingJay

    None of these are going to stop a DDoS or botnet like this. The only thing you can really do is wait it out.

    If you can detect the attack, then you can be as inconvenient as possible.

    Temporarily block all responses from the site/server. Basically, don’t send any error messages or acks. Just temporarily stop responding. Be like there’s no site there.

    Random account lockouts. 5 wrong guesses, lock the account for 15 or 30 mins. But don’t acknowledge with a wrong password message. That way they’ll keep guessing, and even if they hit the right password in that time, the account is locked; they’ll think wrong password and carry on.
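Vaughan's lock-after-5-guesses-without-saying-so idea, as an added Python sketch that is not from the thread or from any plugin: the account locks after MAX_FAILURES wrong guesses, a correct password during the lockout gets exactly the same "invalid" answer as a wrong one, and the lock expires on its own. The PBKDF2 storage, the injectable clock and the user name are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5            # wrong guesses before the account locks
LOCKOUT_SECONDS = 15 * 60   # lock duration (the post suggests 15 or 30 min)
ITERATIONS = 100_000        # PBKDF2 work factor

def make_user(password, salt=b"constructed-salt"):
    """Store a one-way PBKDF2 hash, never the password itself."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class SilentLockout:
    """Per-account lockout that answers every rejected attempt identically.
    A correct password inside the lockout window is rejected with the same
    generic result, so the guesser cannot tell a lock from a wrong password."""

    def __init__(self, users, now=time.time):
        self.users = users                  # username -> (salt, hash)
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username):
        return self.locked_until.get(username, 0) > self.now()

    def _password_ok(self, username, password):
        salt, stored = self.users.get(username, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        # compare_digest avoids leaking the stored hash through timing
        return hmac.compare_digest(candidate, stored)

    def attempt(self, username, password):
        """Return 'ok' or 'invalid'; 'invalid' is the only failure string ever sent."""
        if self.is_locked(username):
            return "invalid"              # swallow it: no "account locked" message
        if self.locked_until.pop(username, None) is not None:
            self.failures[username] = 0   # lock expired, start a fresh count
        if self._password_ok(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = self.now() + LOCKOUT_SECONDS
        return "invalid"

if __name__ == "__main__":
    svc = SilentLockout({"editor": make_user("correct horse battery staple")})
    for _ in range(MAX_FAILURES):
        svc.attempt("editor", "wrong-guess")
    print(svc.attempt("editor", "correct horse battery staple"))  # invalid: right password, still locked
```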

  • HamRadioDude
    • HummingBird

    I used a Plugin called Admin username changer

    http://wordpress.org/extend/plugins/admin-username-changer/

    to change the Admin name in all my single blogs.

    There is a warning that you can’t use it for Multisite Blogs.

    I was wondering if this would be the proper way of doing it manually.

    Create a new super admin user. Log in with the new super admin account and make sure you have super admin status.

    Delete the admin account, and when asked to transfer the posts to you, pick the new super admin name.

    The only thing I have not read about is what happens to the sites under the old super admin; will they get the question to pick the new owner also?

  • Shawn
    • The Crimson Coder

    Yes that’s the way, but…

    If you use your existing superadmin account to post *content* on any of the sites on your network then that could potentially cause problems with lost or unaffiliated content. It would be best to manually review each site in your network that the existing superadmin account has posted content to and manually change the author for all their posts. In the future, NEVER post content from a superadmin account. This keeps that username out of everywhere that it is likely to be referenced, which means it is far less likely to be bruteforced after a bot cannibalizes common URL patterns to obtain likely usernames. In the case of an account being compromised – it won’t be one with superadmin rights.

    If it seems like a lot of work to use a second account for that purpose, just try to imagine how much work it’s going to be to clean up after a hack. BTDT – and it dwarfs the efforts required to use multiple accounts for site management. And if you use something like RoboForm to manage your logins it takes only a second to switch between accounts. User Switching is very useful in this respect, too.

  • Shawn
    • The Crimson Coder

    I’m sorry, I don’t follow. “It”?

    If you’re asking how to determine which sites you’ve posted as – no, there’s no way to know unless you’ve used something like Post Indexer the *entire* time you’ve run your site. Even then, sometimes things get lost. :slight_frown:

    In order to ensure it’s done completely, you need to check manually. Assuming you’re not posting on dozens or even hundreds of separate blogs, it should be a pretty quick check. Go to the users page of each blog (/wp-admin/users.php) and it shows the author counts. Then go to the Pages page (/wp-admin/edit.php?post_type=page) and look in the Author column. You can do bulk edits on both the Pages and Posts pages to quickly change the author to a new user you’ve created (not the new superadmin, though!).

  • HamRadioDude
    • HummingBird

    No, let me explain better.

    The sites I created under super admin: will there be a question if I want to transfer them to the new super admin name?

    I just checked, and I was going to give you a picture with a list of sites that I created, and realized the site that had them I converted back to a regular single blog.

    So I don’t have to worry about that now, and the Ham Radio Multi Site I checked doesn’t have any blogs under the super admin name, so I think I will be good. Going to try in the morning; let you know how it goes. :>

  • Shawn
    • The Crimson Coder

    Ah – I see. You might want to check the Users page (/wp-admin/network/users.php?sortby=registered&order=asc&apage=1&orderby=id) to see what sites your superadmin is actually a member of so you can ensure you won’t be removing the only user on a blog.

  • Vaughan
    • Support/SLS MockingJay

    reCAPTCHA is probably better than the rest, but there are other alternatives, such as ones that make you play a quick game or select different colours. However, they are all a user inconvenience. Unfortunately, they are a necessary evil to protect from spam. Personally, one of the best ways is to disable anonymous comments and only allow comments from registered users. But you still have to be vigilant with member signups.

  • diogenese19348
    • Design Lord, Child of Thor

    I finally got one that actually checked to see who the admins were. One of the reasons I like that Limit Logins plugin is it tells you what account someone is trying to hack. As long as they all said “admin” I wasn’t terribly worried about it. This one, of course, I was.

    I asked Go-Daddy, the host for this particular site, what I could do to block IP’s. Now most of my sites are on hosts that use cpanel, and you can block them directly there. GoDaddy does not have that option on theirs.

    What they told me was to put the following in my .htaccess file:

    <Limit GET>
    order allow,deny
    deny from 80.87.128.75
    allow from all
    </Limit>

    Now never one to swear by a report droid’s advice, I read into it further, and while that works, apparently if you are going to deny an IP you might as well deny it everything and you should leave off the limit statements. (That IP BTW IS the offending IP).

    I added a few of the more persistent Dumbbots to the list, particularly those connected to a spam factory in the Ukraine.

    Anybody have anything further to add to this? I’m new at it obviously.

  • Shawn
    • The Crimson Coder

    Change this:

    <Limit GET>

    To this:

    <Limit GET POST>

    Otherwise it won’t actually block the login attempts, only the preliminary checks to harvest any hash keys.

    If you have root access on the server you can add this safety to all sites by blocking the IP addresses at the network level. The specifics on this depend on the OS, but under *nix this is the most common method:

    /sbin/route add -host 80.87.128.75 reject

    You can also block the entire netblock of the offending party by converting it to CIDR notation:

    /sbin/route add -net 80.87.128.0/24 reject

    Similar commands can be done under Windows, but require a little more setup to make them work. If you’re on a Windows machine let me know and I’ll post the steps and a script I wrote to manage it all.

  • Imperative Ideas
    • HummingBird

    @diogenese19348

    Your “offending IP” is likely a bot being run on a compromised site:

    Overview

    IP information for 80.87.128.75

    Resolve Host: isl2.positive-dedicated.net (80.87.128.75)

    IP Location: United Kingdom, Positive Infrastructure (80.87.128.75)

    Reverse IP: 11 sites use this address 80.87.128.75

    Just a guess, but I suspect Jake Jellinek (or any admin) at Positive Internet in the UK would be interested in your report. They’ll track down the bot and kill it.

  • Shawn
    • The Crimson Coder

    @isarmstrong – I used to think the IP admins cared about this sort of thing, too, then I tried contacting a few of them.

    In 20 years and hundreds upon hundreds of attempts at resolving attacks with those tasked with managing the networks who were attacking my servers, I’ve only had two (*2*!) that *ever* replied back favorably. Most of those that do reply are obnoxious, to put it politely. I’ve had several threaten to sue *me* because my server “was involved” in the attacks (yes, as the VICTIM) and even had one who ramped up the attacks against my server for more than a month straight using more than 200 different IPs on the same Class C subnet as “punishment” – I had to get a dedicated firewall to preserve any functionality at all. Heck, back in ’99 my servers were actually targeted by ongoing malware attacks coming directly from **TrustWave** for days straight — who claimed that it was simply a virus-infected server within their network and that they’d “look into it” – a week after reporting it I was still being attacked. Guess why I refuse to acknowledge anything TrustWave says as having any real value?

    Anyway…much of that was before I learned how to use /sbin/route and other netrouting techniques. These days, if it’s a /24 or smaller I don’t waste my time contacting the source – I block it and move on. If it’s a larger network I’ll send a form message to the email address responsible. If they “require” a phone call or postal mail (you wouldn’t believe some of the hoops they expect victims to navigate through) I just block the offending IP and move on.

    And as far as CloudFlare blocking these IP addresses. That’s absolutely fantastic – but the hacking industry moves faster than *any* other industry in the world. And stuff like the global “direct.*” aliasing will eventually be incorporated into these attacks, nullifying CloudFlare’s protection. Sigh.
