My blog doesn't use an admin account, but this has given me a kick up the arse to get it updated to the most recent release...*Sigh*
SWARMS of ZOMBIES unleashed on innocent bloggers
Hosting providers are reporting a major upsurge in attempts to hack into blogs and content management systems late last week, with WordPress installations bearing the brunt of the hackers' offensive. WordPress installations across the world were hit by a brute force botnet attack, featuring attempts to hack into installations …
-
-
Tuesday 16th April 2013 08:18 GMT Anonymous Coward
A quick fix
A quick fix is to install the Better WP Security plugin and configure it to:
1) Move the login and admin pages from the default location to somewhere else
2) Set up automatic banning on multiple 404 errors or failed logins from the same IP address
And of course to rename the admin username.
I had login attempts from over 100 separate IP addresses in a 10 minute period in the early hours of Monday morning, thankfully I had already made those changes.
-
-
Tuesday 16th April 2013 08:21 GMT frank fegert
More than "just" attacks against WP going on ATM?
I've also noticed a recent upspike in user registration/login attempts towards DokuWiki-based sites. The sources of the attempts are from all over the world, mostly from hosting providers, mostly Linux/Apache systems. I wonder if there is a connection between this, the WP attacks and the malicious Apache module injecting rogue iframes into the data stream?
-
Tuesday 16th April 2013 08:21 GMT Anonymous Coward
2 important steps to take...
Actually, fellow WordPress users could consider resorting to only 1 step: download & install Better WP Security (link to plugin page).
When I started using WP the first thing I did was rename the admin account; I do that on all environments I use (including my Win7 desktop and my Windows servers). And then I discovered this critter which also checks for this and a whole lot more...
It will help you enforce stronger passwords, rename the admin account, perform intrusion detection (x number of wrong login attempts results in banning the IP address (or an even wider range)), but also help you with suggesting how you could make the thing even more secure.
It goes pretty far, even a bit too far for my liking, but even so it's also very honest. Some options ("You should rename the wp-content directory of your site") are very plausible enhancements, but they come with risks since other plugins may depend on that directory being present. And, as they should, they also warn about that.
From hiding your backend, to logon limitations, intrusion detection right down to a nice log page which will show you how the bad guys tried to gain access.
This is one of those plugins which I consider to be a must-have if you're on WordPress.
-
Tuesday 16th April 2013 10:52 GMT FutureShock999
Re: 2 important steps to take...
I had three joomla sites get hacked recently (they were older, on Joomla 1.5), so moved to WP. And discovered Better WP Security immediately. Made me glad I changed. Joomla is much better for building more complicated sites, but the availability of such a comprehensive security plug-in for WP makes up for that. Great tool, worthy of support. No, I am not the author... :-P
-
-
Tuesday 16th April 2013 08:36 GMT g e
Having used Wordpress for the last 6+ months with my current client
I can safely say I am SO glad I use Concrete5 for my own projects.
WP is hideous and has so little out-of-the-box get-stuff-done functionality with any plugins you may want to install having never been code-reviewed or security-checked by anyone other than the person (and their commensurate skills) that coded it. God forbid you ever want to move it onto another server as its own import/export stuff cannot be relied upon so you even need a third party plugin to achieve that (which I'm spending today evaluating), unless you really like having to go through the database to do string replaces where it's written its damned site domain into data.
I'm utterly unsurprised it's a popular attack vector and would never ever dare recommend a client used it for anything.
-
-
-
Tuesday 16th April 2013 10:38 GMT Mr Spock
Re: "innocent blogger"
You make some very valid points. Thanks! I will be reading again.
Zombie insurance zombie insurance zombie repellent zombie repellent zombie casino zombie viagra zombie satellite dishes zombie cheating wives zombie insurance zombie insurance zombie repellent zombie repellent zombie casino zombie viagra zombie satellite dishes zombie cheating wives zombie insurance zombie insurance zombie repellent zombie repellent zombie casino zombie viagra zombie satellite dishes zombie cheating wives
-
Tuesday 16th April 2013 12:12 GMT Ian 55
Yeah, yeah Matt - get some things right from the start
The number of versions of WP that gave the initial account the default username of 'Admin' is disgracefully high.
It is even worse how the basic WP install does not do 'fail to get the password in n (for low n) attempts and your IP is banned for m hours (for high m)', and you have to rely on a plugin to do it for you. Limit Login Attempts is my recommendation, as it just does this, without the messing around with everything it can find of the one mentioned above.
-
Tuesday 16th April 2013 22:22 GMT Trev 2
Why Wordpress - it gives really easy PHP uploads
For login security, Limit Login Attempts plugin seems pretty good and you can lock people out for a long time with it. Not perfect when they're hitting from different IPs however. Still baffles me as to why the default doesn't include that.
One really dumb thing about WP is that you can't easily change the admin account name, which was until recently also the default. Can't actually remember if you could select another name, but that's why so many have admin as a name. Either needs a plugin or database editing.
As for why hit Wordpress - going by a hack I saw a month ago it could work something like:
- Hack into the Wordpress admin account
- Go to plugins -> upload a PHP script pretending to be a plugin.
- While it's waiting to install the "plugin", it puts the PHP file in a public directory not /tmp!
- Said script is now available at example.com/blog/wp-uploads/evilscript.php from memory.
No messy FTP details required, just access to the WP blog admin account and you're sorted. The one I saw even upgraded itself as required so I'm sure any new ones will too.
-
Wednesday 17th April 2013 10:35 GMT Ian 55
Re: Why Wordpress - it gives really easy PHP uploads
Yep to the first two paragraphs. You could change the default when you created the initial account, but lots of people didn't.
If they've got the administrator account, you're shagged anyway.
The other perennial WP issue is the 'non admin users can gain admin rights' exploit. There's been about one a year for ages.
-
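Several posts above describe the same three things from the operator's side: the per-IP lockout rule ("fail to get the password in n attempts and your IP is banned for m hours"), the botnet pattern that rule misses (over 100 separate IPs in a 10 minute period, each trying once or twice), and a PHP file turning up under the uploads directory. The script below is an added example, not code from the article, from any commenter, or from the Better WP Security or Limit Login Attempts plugins; it runs those three checks over a handful of constructed Apache combined-format log lines embedded inline. It assumes the standard WordPress layout (wp-login.php and wp-content/uploads under the blog path) and uses the fact that WordPress answers a bad wp-login.php POST with a 200 (the form is re-rendered) while a successful login is a 302 redirect; the thresholds, the IP addresses (RFC 5737 test ranges) and the file name are sample values chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A failed wp-login.php POST re-renders the form (200); success redirects (302)."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == 200


def lockout_candidates(records, max_failures=5, window=timedelta(minutes=10)):
    """Per-IP rule: max_failures inside the window and the IP would be banned.
    Returns {ip: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not is_failed_login(rec) or rec["ip"] in banned:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # q is never empty here: we just appended
            q.popleft()
        if len(q) >= max_failures:
            banned[rec["ip"]] = rec["ts"]
    return banned


def peak_distinct_attackers(records, window=timedelta(minutes=10)):
    """Largest number of distinct IPs with failed logins inside any window-long span.
    This is the distributed pattern that a per-IP lockout never trips on."""
    fails = sorted((r["ts"], r["ip"]) for r in records if is_failed_login(r))
    counts, start, peak = defaultdict(int), 0, 0
    for ts, ip in fails:
        counts[ip] += 1
        while ts - fails[start][0] > window:      # slide the window's left edge forward
            old_ip = fails[start][1]
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
            start += 1
        peak = max(peak, len(counts))
    return peak


UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/.*\.php(?:[?/]|$)")


def php_requests_under_uploads(records):
    """Requests for .php files below wp-content/uploads; nothing should execute there."""
    return sorted({r["path"] for r in records if UPLOADS_PHP_RE.search(r["path"])})


def _line(ip, hhmmss, method, path, status):
    return (f'{ip} - - [15/Apr/2013:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 3512 "-" "Mozilla/5.0"')


# Constructed sample log: 25 bot IPs each failing once within 25 seconds, one IP
# failing six times in a minute, one real login (302) and one fetch of a PHP file
# that has appeared under uploads. All addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", f"02:00:{i:02d}", "POST", "/blog/wp-login.php", 200)
     for i in range(1, 26)]
    + [_line("198.51.100.7", f"02:05:{s:02d}", "POST", "/blog/wp-login.php", 200)
       for s in (0, 10, 20, 30, 40, 50)]
    + [_line("192.0.2.10", "08:30:00", "POST", "/blog/wp-login.php", 302),
       _line("203.0.113.9", "02:07:00", "GET",
             "/blog/wp-content/uploads/2013/04/evilscript.php", 200)]
)


def analyse(lines):
    records = [r for r in (parse_line(line) for line in lines) if r]
    return {
        "lockouts": lockout_candidates(records),
        "peak_distinct_ips": peak_distinct_attackers(records),
        "php_under_uploads": php_requests_under_uploads(records),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, ts in result["lockouts"].items():
        print(f"lockout: {ip} from {ts.isoformat()}")
    print(f"peak distinct failing IPs in 10 min: {result['peak_distinct_ips']}")
    for path in result["php_under_uploads"]:
        print(f"php under uploads: {path}")
```

On the sample, only 198.51.100.7 reaches the per-IP threshold, while the 25 bot addresses never would; the distinct-IP count is what exposes them, which is the point Trev 2 makes about lockouts being "not perfect when they're hitting from different IPs". The third check is the detection counterpart to the upload trick in the same post: the usual mitigation is to deny PHP execution under wp-content/uploads at the web server, and any request logged for such a file is worth investigating either way.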