Recent WordPress Brute Force Attempts and More – Solved!

bruteforce

Update: How our approach to the Global WordPress Brute force attack is better than what we see other hosts now do.

At the time we post this there were not many official statements made by other web hosts, now more than 24 hours later we have seen several official statements how other approach the problem, and we would like to turn your attention to the fact that the solution to the Global WordPress brute force attack, proposed by the majority of the other hosts has some serious limitations. It is based on editing .htaccess files. We believe that this is only a partial fix to the problem. If your host relies only on .htaccess rules to stop the attackers, they actually allow them to reach your server, make requests, process those requests, check whether they should be blocked and then finally reject them. All that causes server load and makes your site slower, even if the brute-force attempt is stopped. Last but not least, this causes problems for the people who don't know about the attack and only see themselves unable to access their sites.

We at SiteGround have taken a different approach preventing attackers from even reaching the server. This means that no load is caused on the server, no sites are slowed down and all targeted sites are protected in a way that most of our customers won't even notice the attack!

It seems spammers and hackers didn't get much sleep the last few weeks. We're seeing an abnormal amount of hacking and bruteforce attempts towards Joomla and WordPress sites the last two and a half weeks. Additionally, the popular WordPress plugin Social Media Widget was reported to have suddenly started to insert hidden spam SEO links. Solving these problems immediately became our security team's goal number one. There were some easy solutions like fully restricting the access to the application login forms for the time of the attacks and forceful removal of all faulty plugins. We saw other hosts take these actions. However, we do not like easy security solutions that make customers feel punished, while other people are the real wrong-doers. Guided by this belief we once again solved the problems in our own way – efficiently and at the same time user-friendly.

Issue 1: Brute Force attack to Joomla and WordPress login pages

We started seeing this problem getting bigger than usual two weeks ago. Why is this happening, you would ask? The reason is simple - SPAM (read more about the relationship between spam and hackers). Huge botnets seems to have become quite active recently targetting hosting companies' IP ranges, discovering Open Source CMSs such as WordPress and Joomla and try to bruteforce their admin password.

We made our customers’ passwords stronger

Bad PasswordsOf course if your admin password is strong enough (such as "hkjJKT689  6&%$khn!") no bot will EVER find it. However this is not how things work in reality. Just after the bruteforce attempts started two weeks ago I had SG's security team do our own in-house bruteforcing towards admin passwords for various CMSs. And guess what? There were tons of customers using "admin" as their password. And if you are using "admin" as your password, please DO CHANGE IT NOW since "admin" is one of the first passwords botnets are trying to guess simply because many people are careless about security.  Some of those apps that used a simple password were already hacked and used for spamming when we identified them. This is how we discovered the bruteforce attack was taking place - follow the SPAM trace and you will find the problem 😉 So step one was to change all easy passwords we were able to find on various apps and email our clients their new password, as well as an explanation why did we do the change in the first place.

Things got even more serious

Yesterday, on 9th of April, all of a sudden a hundred or so of our servers popped up in our monitoring system with abnormally high load. When we dug into it, we found that ALL our servers in the US are under a brute-force attack that targets WP and Joomla sites. The botnets were using more than 1000 different IP addresses per server (we've blocked logins of more than unique 92,000 IPs so far) and tried to guess the passwords at a unique pace. At this point I was furious, now it was not about few websites with weak passwords that were hacked, but about endangering our server performance.  Our goal now became to stop the attack immediately and once for all. Therefore, I gathered the security team and a few moments later we had a temporary solution that took place immediately and an idea how to permanently stop those botnets, forever. I will not go into details in terms of what we did, cause chances are some of those hackers running those same botnets would read it and will try to outsmart us, but the facts show that for the past 12 hours we have blocked more than 15 million bruteforce attempts (That's A LOT!) towards our clients and our servers are not experiencing any load issues.

Issue 2: WordPress plugin Social Media Widget - gone bad!

Malicious Code InsertedAnother WordPress related SPAM issue that became hot yesterday was the announcement of Sucuri that a popular plugin called Social Media Widget contains a bad (SPAM) code inside it. The Plugin was immediately removed from the WordPress official repository and many hosts forcefully uninstalled it from their customers’ WordPress instances.

What we did instead, was to find all the customers that were using the Social Media Widget and deleted the bad code from their plugin. Additionally, even if someone installs now the plugin we have made a server level fix that will not allow the bad code to execute and add the unwanted spam links to our customers’ websites. Thus the problem was solved without forcing our customers to give up a plugin they have chosen to install and probably need.

The SiteGround Mastermind

For the last few years Tenko Nikolov has been one of the masterminds behind the success of SiteGround. He has come up with multiple successful strategies for overcoming technical problems and has achieved real business results for SiteGround. His vision and skills have made SiteGround a leading host in terms of technology and platform reliability.

42 Comments

  1. Reply April 10, 2013 / 12:19 FrancoisSiteGround Team

    Thanks for your vigilance AND for reporting this. It seems like a global problem.... in The Netherlands a few banks got DDoS attacks, one even repeatedly for the past 8 days or so ! National news here !
    Maybe the same virus was used to inject DDos code into many private PC's and servers?

    Sometimes I really wish I wasn't as peace loving as I am..... :-(

    Kind regards,
    Francois

  2. Reply April 10, 2013 / 12:22 DorianSiteGround Team

    That is really nice, thank you very much, I have a client on other hosting group and we are having a lot of issues, this definitively will help me to convince him to change to siteground :)

  3. Reply April 10, 2013 / 13:11 ThierrySiteGround Team

    Thanks Tenko/Siteground for your good work. Thierry

  4. Reply April 11, 2013 / 14:36 KarenSiteGround Team

    THIS is why I require all my clients use Siteground when I design their site. Thanks Siteground. You are all awesome!

  5. Reply April 11, 2013 / 14:48 LukeSiteGround Team

    Hi,

    Thanks for the info.

    Are you able to email me with further information on how you have successfully stopped the attack? I work with shared hosting environments, and am having problems with all of the incoming bruteforce requests taking up all the resources.

    Obviously I cannot just set up a for loop to kill wp-login.php processes as that would be a pretty crude and inefficient method, so I'm curious as to what you are doing to protect the shared environment.

    I'm also wondering if this may be related to a recent phishing attack on WordPress domains where the initial malicious file is named star.php and usually located in /wp-content/logs/star.php . It then creates many directories inside of /wp-content/logs/ that contain phishing content.

    • Reply April 12, 2013 / 04:01 HristoSiteGround Team

      Hi Luke,

      I am afraid that we have reached a level of customisation of our services that makes it impossible for someone outside the company to use our security measures. If you're hosting many sites, maybe you should consider checking our resellers program - that way you won't have to deal with such issues anymore.

  6. Reply April 12, 2013 / 09:23 Neil McGuireSiteGround Team

    Thank you Tenko, one more reason for using SiteGround for hosting. We have been a reseller for several years and have felt that security has been a top priority from you.

    I recently wrote a blog about security, http://allrightwebdesign.org/tips/item/90-website-security, and the hosting company is at the first item discussed.

    Neil

    • Reply April 12, 2013 / 11:06 TenkoSiteGround Team

      Thanks for the comment and honest review, Neil! Nice website you have 😉 Glad to have you on board!

      Indeed security and performance are categories that we @SiteGround always tried to innovate and be leaders at. I do hope we continue to proove that in the future.

      How do you like our new Reseller Area?

  7. Reply April 12, 2013 / 09:26 Brian BoyceSiteGround Team

    Thanks Siteground, Ive only just recently moved over to yourselves but the difference in professionalism and support compared to my previous host is remarkable. Thankfully, being in IT my passwords (much to my wifes dismay) are all 32 character random symbols and alphanumerics)

    Thanks again.

    • Reply April 12, 2013 / 11:09 TenkoSiteGround Team

      Thank you for the kind words! And WOW about your password length, I thought I was too paranoid with my passwords of ~24 chars length. 😉

  8. Reply April 12, 2013 / 10:49 Jeffery DrurySiteGround Team

    See this is exactly why Siteground ROCKS!

  9. Reply April 12, 2013 / 10:53 GraemeSiteGround Team

    This is the reason I am with Siteground! Amazing proactive service to help keep our sites secure longterm.

  10. Reply April 12, 2013 / 11:02 RachidSiteGround Team

    Thank you Siteground team for keeping us informed.
    I have been using your hosting for quite a while now and I am very satisfied with you guys. Keep up the good work !

  11. Reply April 12, 2013 / 11:11 James TaylorSiteGround Team

    Thanks for caring about your customers. This is why I have been a siteground customer for more than 6 years.

  12. Reply April 12, 2013 / 11:30 NancySiteGround Team

    I have had problems with 3 other ISPs who were not very helpful when they suffered similar problems. As a smaller association we seemed to be way down the list when we needed help. One did not even answer emails after awhile.

    Siteground has always been helpful and has solved every problem I have run into. This latest item is one more on a long list of why Siteground is the best!

  13. Reply April 12, 2013 / 11:48 SarahSiteGround Team

    What is the code that we should have servers search for and remove? Does it begin here: 471 $smw_url = "hxxp://i.aaur.net/i.php";

    Per the link to the Sucuri announcement?

    Thank you!!

  14. Reply April 12, 2013 / 13:28 PeterSiteGround Team

    Thanks guys! I've been with you for almost a decade now and you've never disappointed. The new reseller area is great too. Posts like this help me when I need to convince clients to leave other hosts. Nice work!

  15. Reply April 12, 2013 / 14:16 AlanSiteGround Team

    Hi guys - job well done! Congratulations. I have been with SiteGround for 4 years now and have really appreciated the professionalism and the support you guys provide. Keep up the good work!

  16. Reply April 12, 2013 / 14:23 RafaSiteGround Team

    Very impressed with their response.
    Keep up the great work!

  17. Reply April 12, 2013 / 14:53 VickiSiteGround Team

    Just a quick query I have after reading that one Siteground user was having problems in his "shared hosting environment". Does that mean that WordPress installations in any subdirectories of my account may be at risk, but the main installation is ok?

    • Reply April 13, 2013 / 07:21 HristoSiteGround Team

      No, you should not worry about any of your installations. We've filtered this attack on a server revel and your main and all of your sub-installations are safe and secure :)

  18. Reply April 12, 2013 / 14:56 Emma PrattSiteGround Team

    Thanks for this guys, I've been reading about it and my mind boggles with what you have to contend with. As with the others above, I continue to stay with you, and refer others -because I can trust you to stay on top of things and respond quickly, cheerfully and effectively when I need help.

    Thanks.

  19. Reply April 12, 2013 / 16:24 JohnSiteGround Team

    Thankyou for your efforts. Until I received your newsletter, I was unaware of this attack so, I am one of those that, thanks to your efforts, did not suffer.

    I do have a question though. Is there some way to allow the USERNAME of the joomla backend to be something other than admin ??? The site that Siteground hosts for me has the username locked as admin Would it not make site hacking even more difficult if these bots had to find both username and password ?????

    John

    • Reply April 13, 2013 / 07:19 HristoSiteGround Team

      Hi,

      Yes, you can make this and actually it's a very good security practice to have this username changed to a different value. Here is an article on how to change your username to a different value.

      If you experience issues with that, please post a ticket in your Help Desk and my colleagues from the support team will happily assist you further :)

      • April 17, 2013 / 19:39 JohnSiteGround Team

        thank you for the pointer to the admin name change info.. So easy.... no more "admin" on my site :-)

  20. Reply April 12, 2013 / 18:07 JohnnySiteGround Team

    Tenko you're my new hero!!! :-)

  21. Reply April 12, 2013 / 19:07 SonalSiteGround Team

    Thank you Tenko and team. This once again reaffirms for me why Siteground has been the right choice for me.

    I've hosted all my websites with Siteground since 2005.

    Would this also explain why during the last 7-10 days Google had nearly stopped indexing both my websites? The traffic for both of my websites has been oscillating quite a bit too.

    Thank you once again, Siteground is awesome!
    Sonal

    • Reply April 13, 2013 / 07:53 HristoSiteGround Team

      Hi Sonal,

      Our filters and measures aren't affecting the way Google bots crawl your website for sure. Please, take a look at your Google Webmasters Tools account for more information on whether there are some crawling problems with your website. In addition check the crawling speed options and make sure the crawling speed is set to automatic :)

  22. Reply April 12, 2013 / 19:26 JeffSiteGround Team

    Great job guys! Thank you for your honest and elaborate report!

    I recommend Joomla users to install a site protection component: http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection
    It is the least thing you can do to protect your site....

    Best regards,
    Jeff

  23. Reply April 13, 2013 / 01:03 julienSiteGround Team

    Great work to you and your team.

    You simply confirmed again that SiteGround is a rock solid hosting company who cares about their clients and infrastructure and not just transferring the problem and blame the clients.

    Thanks again for everything.

  24. Reply April 13, 2013 / 02:47 Roger WilkeySiteGround Team

    I really appreciate this. It is very comforting to know that sites you host are in very good hands. Thanks also for keeping us informed.

    Best wishes

    Roger

  25. Reply April 13, 2013 / 04:42 Olerato SalepitoSiteGround Team

    Thank you very much siteground for not only thinking customers first, but for also keeping us well informed of whats happeinning behind the scens. Please send us recommendations as to what we, developers, can do to minimise these attacks. Thanks again thats why i choose u out of a million.

  26. Reply April 13, 2013 / 08:25 Christian Edwin A.SiteGround Team

    Thanks SiteGround Team for the awesome work.

    Just like the CEO pointed out, a lot of site owners didn't even know about the attack because the team at SG were on top of the situation.

    You guys are wonderful. Thanks for the good work.

  27. Reply April 13, 2013 / 12:13 ZevSiteGround Team

    You guys are awesome! That's why I've been with you for eight years!

  28. Reply April 14, 2013 / 03:06 Web-PepperSiteGround Team

    Fine example of crisis management people, my compliments!
    Keep up that good work!!

  29. Reply April 14, 2013 / 14:02 SimonSiteGround Team

    Well done guys!
    Reminds me of an interesting story in Surely You're Joking, Mr. Feynman, where he tells of government safes at Los Alamos during WWII being mostly still on factory settings that he could crack in minutes!

    Besides that, I have 1 of my 8-9 sites still hosted elsewhere, and discovered the other day that I had over 43,000 spam comments which had been coming in at the rate of 1 per 15 secs. Admittedly, I did forget to require comment moderation, but was this the sort of attack it might have been, or my (above) fault?

    Best wishes to all at SG!

    • Reply April 15, 2013 / 00:45 HristoSiteGround Team

      Hi and thanks for the kind words :)

      I think that your other site has been targeted by a different attack. I'd recommend you to try adding the Akismet plugin to your WordPress site and enable it. If this doesn't help against spam, maybe you should try different CAPTCHA plugins :)

  30. Reply May 2, 2013 / 00:38 ErikSiteGround Team

    Thanks Siteground... After hosting my rather dormant (one page!) company website with Siteground for the past 23 months, I recently made a decision to bring more things to life and have transferred all of my websites from another host to Siteground and to build from there. I'm a small operator with big plans over the coming years and who knows where that will lead me, but for now, I'm a big user of WP! In fact, it's all I really know at the moment. As such, I've had advice to go another way do to the ope source aspect of WP and the hackers out to get it. However, after reading the above and how SG is looking out for me, I feel confident about sticking with WP and moving ahead until I'm ready for something else.

    Thanks... I now feel far more secure in my decision to put all my eggs into the Siteground basket!

  31. Reply August 18, 2013 / 11:48 ProsenjeetSiteGround Team

    My site is on WP 3.6. I have the this security plugin installed "Limit Login Attempts". Yes I too was getting attacks but the plugin kept blocking the IPS.
    Recently around 15th Aug, 2013. My site got hacked (and my "limit login attempt" did not send me any lock out mails).

    What was changed by the hacker?
    It was done by some group which highlighted Islamic messages and they changed the admin user name (which was NOT admin on my site), they changed the admin password (which was not too easy to guess on my site) and they changed the index file of my active theme.

    Can this hack be brute force too or something else?
    Why I ask because generally I get multiple login attempts blocked report by "Limit login Attempts" plugin every time an IP is blocked (set to get blocked in 3 false attempts)

    • Reply August 18, 2013 / 12:01 ProsenjeetSiteGround Team

      Opps....I forgot to add. With reference to my last post, my WP site was hacked this way 4 times in 24 hours!

      Admin, please combine my 3 posts (sorry) into 1

    • Reply August 19, 2013 / 00:50 HristoSiteGround Team

      I am afraid that I cannot tell whether your site got hacked via a brute force attack or other method. It might be a vulnerable old plugin or something else. I'd recommend you to contact your hosting support team in order to find more information on that matter.

Reply

* (Required)