10 Apr

2013

Recent WordPress Brute Force Attempts and More – Solved!

bruteforce

Update: How our approach to the Global WordPress Brute force attack is better than what we see other hosts now do.

At the time we post this there were not many official statements made by other web hosts, now more than 24 hours later we have seen several official statements how other approach the problem, and we would like to turn your attention to the fact that the solution to the Global WordPress brute force attack, proposed by the majority of the other hosts has some serious limitations. It is based on editing .htaccess files. We believe that this is only a partial fix to the problem. If your host relies only on .htaccess rules to stop the attackers, they actually allow them to reach your server, make requests, process those requests, check whether they should be blocked and then finally reject them. All that causes server load and makes your site slower, even if the brute-force attempt is stopped. Last but not least, this causes problems for the people who don’t know about the attack and only see themselves unable to access their sites.

We at SiteGround have taken a different approach preventing attackers from even reaching the server. This means that no load is caused on the server, no sites are slowed down and all targeted sites are protected in a way that most of our customers won’t even notice the attack!

It seems spammers and hackers didn’t get much sleep the last few weeks. We’re seeing an abnormal amount of hacking and bruteforce attempts towards Joomla and WordPress sites the last two and a half weeks. Additionally, the popular WordPress plugin Social Media Widget was reported to have suddenly started to insert hidden spam SEO links. Solving these problems immediately became our security team’s goal number one. There were some easy solutions like fully restricting the access to the application login forms for the time of the attacks and forceful removal of all faulty plugins. We saw other hosts take these actions. However, we do not like easy security solutions that make customers feel punished, while other people are the real wrong-doers. Guided by this belief we once again solved the problems in our own way – efficiently and at the same time user-friendly.

Issue 1: Brute Force attack to Joomla and WordPress login pages

We started seeing this problem getting bigger than usual two weeks ago. Why is this happening, you would ask? The reason is simple – SPAM (read more about the relationship between spam and hackers). Huge botnets seems to have become quite active recently targetting hosting companies’ IP ranges, discovering Open Source CMSs such as WordPress and Joomla and try to bruteforce their admin password.

We made our customers’ passwords stronger

Bad PasswordsOf course if your admin password is strong enough (such as “hkjJKT689  6&%$khn!“) no bot will EVER find it. However this is not how things work in reality. Just after the bruteforce attempts started two weeks ago I had SG’s security team do our own in-house bruteforcing towards admin passwords for various CMSs. And guess what? There were tons of customers using “admin” as their password. And if you are using “admin” as your password, please DO CHANGE IT NOW since “admin” is one of the first passwords botnets are trying to guess simply because many people are careless about security.  Some of those apps that used a simple password were already hacked and used for spamming when we identified them. This is how we discovered the bruteforce attack was taking place – follow the SPAM trace and you will find the problem ;) So step one was to change all easy passwords we were able to find on various apps and email our clients their new password, as well as an explanation why did we do the change in the first place.

Things got even more serious

Yesterday, on 9th of April, all of a sudden a hundred or so of our servers popped up in our monitoring system with abnormally high load. When we dug into it, we found that ALL our servers in the US are under a brute-force attack that targets WP and Joomla sites. The botnets were using more than 1000 different IP addresses per server (we’ve blocked logins of more than unique 92,000 IPs so far) and tried to guess the passwords at a unique pace. At this point I was furious, now it was not about few websites with weak passwords that were hacked, but about endangering our server performance.  Our goal now became to stop the attack immediately and once for all. Therefore, I gathered the security team and a few moments later we had a temporary solution that took place immediately and an idea how to permanently stop those botnets, forever. I will not go into details in terms of what we did, cause chances are some of those hackers running those same botnets would read it and will try to outsmart us, but the facts show that for the past 12 hours we have blocked more than 15 million bruteforce attempts (That’s A LOT!) towards our clients and our servers are not experiencing any load issues.

Issue 2: WordPress plugin Social Media Widget – gone bad!

Malicious Code InsertedAnother WordPress related SPAM issue that became hot yesterday was the announcement of Sucuri that a popular plugin called Social Media Widget contains a bad (SPAM) code inside it. The Plugin was immediately removed from the WordPress official repository and many hosts forcefully uninstalled it from their customers’ WordPress instances.

What we did instead, was to find all the customers that were using the Social Media Widget and deleted the bad code from their plugin. Additionally, even if someone installs now the plugin we have made a server level fix that will not allow the bad code to execute and add the unwanted spam links to our customers’ websites. Thus the problem was solved without forcing our customers to give up a plugin they have chosen to install and probably need.

Author: Tenko Nikolov

The SiteGround Mastermind

For the last few years Tenko Nikolov has been one of the masterminds behind the success of SiteGround. He has come up with multiple successful strategies for overcoming technical problems and has achieved real business results for SiteGround. His vision and skills have made SiteGround a leading host in terms of technology and platform reliability.

Comments (42):

  1. Francois says:

    Thanks for your vigilance AND for reporting this. It seems like a global problem…. in The Netherlands a few banks got DDoS attacks, one even repeatedly for the past 8 days or so ! National news here !
    Maybe the same virus was used to inject DDos code into many private PC’s and servers?

    Sometimes I really wish I wasn’t as peace loving as I am….. :-(

    Kind regards,
    Francois

  2. Dorian says:

    That is really nice, thank you very much, I have a client on other hosting group and we are having a lot of issues, this definitively will help me to convince him to change to siteground :)

  3. Thierry says:

    Thanks Tenko/Siteground for your good work. Thierry

  4. Karen says:

    THIS is why I require all my clients use Siteground when I design their site. Thanks Siteground. You are all awesome!

  5. Luke says:

    Hi,

    Thanks for the info.

    Are you able to email me with further information on how you have successfully stopped the attack? I work with shared hosting environments, and am having problems with all of the incoming bruteforce requests taking up all the resources.

    Obviously I cannot just set up a for loop to kill wp-login.php processes as that would be a pretty crude and inefficient method, so I’m curious as to what you are doing to protect the shared environment.

    I’m also wondering if this may be related to a recent phishing attack on WordPress domains where the initial malicious file is named star.php and usually located in /wp-content/logs/star.php . It then creates many directories inside of /wp-content/logs/ that contain phishing content.

    • Hristo says:

      Hi Luke,

      I am afraid that we have reached a level of customisation of our services that makes it impossible for someone outside the company to use our security measures. If you’re hosting many sites, maybe you should consider checking our resellers program – that way you won’t have to deal with such issues anymore.

  6. Neil McGuire says:

    Thank you Tenko, one more reason for using SiteGround for hosting. We have been a reseller for several years and have felt that security has been a top priority from you.

    I recently wrote a blog about security, http://allrightwebdesign.org/tips/item/90-website-security, and the hosting company is at the first item discussed.

    Neil

    • Tenko says:

      Thanks for the comment and honest review, Neil! Nice website you have ;) Glad to have you on board!

      Indeed security and performance are categories that we @SiteGround always tried to innovate and be leaders at. I do hope we continue to proove that in the future.

      How do you like our new Reseller Area?

  7. Brian Boyce says:

    Thanks Siteground, Ive only just recently moved over to yourselves but the difference in professionalism and support compared to my previous host is remarkable. Thankfully, being in IT my passwords (much to my wifes dismay) are all 32 character random symbols and alphanumerics)

    Thanks again.

    • Tenko says:

      Thank you for the kind words! And WOW about your password length, I thought I was too paranoid with my passwords of ~24 chars length. ;)

  8. Jeffery Drury says:

    See this is exactly why Siteground ROCKS!

  9. Graeme says:

    This is the reason I am with Siteground! Amazing proactive service to help keep our sites secure longterm.

  10. Rachid says:

    Thank you Siteground team for keeping us informed.
    I have been using your hosting for quite a while now and I am very satisfied with you guys. Keep up the good work !

  11. James Taylor says:

    Thanks for caring about your customers. This is why I have been a siteground customer for more than 6 years.

  12. Nancy says:

    I have had problems with 3 other ISPs who were not very helpful when they suffered similar problems. As a smaller association we seemed to be way down the list when we needed help. One did not even answer emails after awhile.

    Siteground has always been helpful and has solved every problem I have run into. This latest item is one more on a long list of why Siteground is the best!

  13. Sarah says:

    What is the code that we should have servers search for and remove? Does it begin here: 471 $smw_url = “hxxp://i.aaur.net/i.php”;

    Per the link to the Sucuri announcement?

    Thank you!!

    • vaLentin says:

      Hi Sarah,

      The malicious code was inserted inside the following file:

      /full/system/path/to/your/wordpress/site/wp-content/plugins/social-media-widget/social-widget.php

      When you open it (wp-content/plugins/social-media-widget/social-widget.php) if line 471 contains ‘i.aaur.net’ and looks similar to the diff files posted here:

      http://plugins.trac.wordpress.org/changeset?reponame=&new=688632%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=676169%40social-media-widget%2Ftrunk%2Fsocial-widget.php

      http://plugins.trac.wordpress.org/changeset?reponame=&new=691839%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=688632%40social-media-widget%2Ftrunk%2Fsocial-widget.php

      then you have a malicious version of the plugin installed on your blog.

      In this case delete everything from line 471 till line 506 or from 471 till 490 depending on the version of your code (they had 2 malicious versions running) and you are all set with this issue.

      Cheers,

      Valentin

  14. Peter says:

    Thanks guys! I’ve been with you for almost a decade now and you’ve never disappointed. The new reseller area is great too. Posts like this help me when I need to convince clients to leave other hosts. Nice work!

  15. Alan says:

    Hi guys – job well done! Congratulations. I have been with SiteGround for 4 years now and have really appreciated the professionalism and the support you guys provide. Keep up the good work!

  16. Rafa says:

    Very impressed with their response.
    Keep up the great work!

  17. Vicki says:

    Just a quick query I have after reading that one Siteground user was having problems in his “shared hosting environment”. Does that mean that WordPress installations in any subdirectories of my account may be at risk, but the main installation is ok?

    • Hristo says:

      No, you should not worry about any of your installations. We’ve filtered this attack on a server revel and your main and all of your sub-installations are safe and secure :)

  18. Emma Pratt says:

    Thanks for this guys, I’ve been reading about it and my mind boggles with what you have to contend with. As with the others above, I continue to stay with you, and refer others -because I can trust you to stay on top of things and respond quickly, cheerfully and effectively when I need help.

    Thanks.

  19. John says:

    Thankyou for your efforts. Until I received your newsletter, I was unaware of this attack so, I am one of those that, thanks to your efforts, did not suffer.

    I do have a question though. Is there some way to allow the USERNAME of the joomla backend to be something other than admin ??? The site that Siteground hosts for me has the username locked as admin Would it not make site hacking even more difficult if these bots had to find both username and password ?????

    John

    • Hristo says:

      Hi,

      Yes, you can make this and actually it’s a very good security practice to have this username changed to a different value. Here is an article on how to change your username to a different value.

      If you experience issues with that, please post a ticket in your Help Desk and my colleagues from the support team will happily assist you further :)

      • John says:

        thank you for the pointer to the admin name change info.. So easy…. no more “admin” on my site :-)

  20. Johnny says:

    Tenko you’re my new hero!!! :-)

  21. Sonal says:

    Thank you Tenko and team. This once again reaffirms for me why Siteground has been the right choice for me.

    I’ve hosted all my websites with Siteground since 2005.

    Would this also explain why during the last 7-10 days Google had nearly stopped indexing both my websites? The traffic for both of my websites has been oscillating quite a bit too.

    Thank you once again, Siteground is awesome!
    Sonal

    • Hristo says:

      Hi Sonal,

      Our filters and measures aren’t affecting the way Google bots crawl your website for sure. Please, take a look at your Google Webmasters Tools account for more information on whether there are some crawling problems with your website. In addition check the crawling speed options and make sure the crawling speed is set to automatic :)

  22. Jeff says:

    Great job guys! Thank you for your honest and elaborate report!

    I recommend Joomla users to install a site protection component: http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection
    It is the least thing you can do to protect your site….

    Best regards,
    Jeff

  23. julien says:

    Great work to you and your team.

    You simply confirmed again that SiteGround is a rock solid hosting company who cares about their clients and infrastructure and not just transferring the problem and blame the clients.

    Thanks again for everything.

  24. Roger Wilkey says:

    I really appreciate this. It is very comforting to know that sites you host are in very good hands. Thanks also for keeping us informed.

    Best wishes

    Roger

  25. Olerato Salepito says:

    Thank you very much siteground for not only thinking customers first, but for also keeping us well informed of whats happeinning behind the scens. Please send us recommendations as to what we, developers, can do to minimise these attacks. Thanks again thats why i choose u out of a million.

  26. Christian Edwin A. says:

    Thanks SiteGround Team for the awesome work.

    Just like the CEO pointed out, a lot of site owners didn’t even know about the attack because the team at SG were on top of the situation.

    You guys are wonderful. Thanks for the good work.

  27. Zev says:

    You guys are awesome! That’s why I’ve been with you for eight years!

  28. Web-Pepper says:

    Fine example of crisis management people, my compliments!
    Keep up that good work!!

  29. Simon says:

    Well done guys!
    Reminds me of an interesting story in Surely You’re Joking, Mr. Feynman, where he tells of government safes at Los Alamos during WWII being mostly still on factory settings that he could crack in minutes!

    Besides that, I have 1 of my 8-9 sites still hosted elsewhere, and discovered the other day that I had over 43,000 spam comments which had been coming in at the rate of 1 per 15 secs. Admittedly, I did forget to require comment moderation, but was this the sort of attack it might have been, or my (above) fault?

    Best wishes to all at SG!

    • Hristo says:

      Hi and thanks for the kind words :)

      I think that your other site has been targeted by a different attack. I’d recommend you to try adding the Akismet plugin to your WordPress site and enable it. If this doesn’t help against spam, maybe you should try different CAPTCHA plugins :)

  30. Erik says:

    Thanks Siteground… After hosting my rather dormant (one page!) company website with Siteground for the past 23 months, I recently made a decision to bring more things to life and have transferred all of my websites from another host to Siteground and to build from there. I’m a small operator with big plans over the coming years and who knows where that will lead me, but for now, I’m a big user of WP! In fact, it’s all I really know at the moment. As such, I’ve had advice to go another way do to the ope source aspect of WP and the hackers out to get it. However, after reading the above and how SG is looking out for me, I feel confident about sticking with WP and moving ahead until I’m ready for something else.

    Thanks… I now feel far more secure in my decision to put all my eggs into the Siteground basket!

  31. Prosenjeet says:

    My site is on WP 3.6. I have the this security plugin installed “Limit Login Attempts”. Yes I too was getting attacks but the plugin kept blocking the IPS.
    Recently around 15th Aug, 2013. My site got hacked (and my “limit login attempt” did not send me any lock out mails).

    What was changed by the hacker?
    It was done by some group which highlighted Islamic messages and they changed the admin user name (which was NOT admin on my site), they changed the admin password (which was not too easy to guess on my site) and they changed the index file of my active theme.

    Can this hack be brute force too or something else?
    Why I ask because generally I get multiple login attempts blocked report by “Limit login Attempts” plugin every time an IP is blocked (set to get blocked in 3 false attempts)

    • Prosenjeet says:

      Opps….I forgot to add. With reference to my last post, my WP site was hacked this way 4 times in 24 hours!

      Admin, please combine my 3 posts (sorry) into 1

    • Hristo says:

      I am afraid that I cannot tell whether your site got hacked via a brute force attack or other method. It might be a vulnerable old plugin or something else. I’d recommend you to contact your hosting support team in order to find more information on that matter.

Favorite Tweets

Facebook

Archive