Update: How our approach to the Global WordPress Brute force attack is better than what we see other hosts now do.
At the time we post this there were not many official statements made by other web hosts, now more than 24 hours later we have seen several official statements how other approach the problem, and we would like to turn your attention to the fact that the solution to the Global WordPress brute force attack, proposed by the majority of the other hosts has some serious limitations. It is based on editing .htaccess files. We believe that this is only a partial fix to the problem. If your host relies only on .htaccess rules to stop the attackers, they actually allow them to reach your server, make requests, process those requests, check whether they should be blocked and then finally reject them. All that causes server load and makes your site slower, even if the brute-force attempt is stopped. Last but not least, this causes problems for the people who don't know about the attack and only see themselves unable to access their sites.
We at SiteGround have taken a different approach preventing attackers from even reaching the server. This means that no load is caused on the server, no sites are slowed down and all targeted sites are protected in a way that most of our customers won't even notice the attack!
It seems spammers and hackers didn't get much sleep the last few weeks. We're seeing an abnormal amount of hacking and bruteforce attempts towards Joomla and WordPress sites the last two and a half weeks. Additionally, the popular WordPress plugin Social Media Widget was reported to have suddenly started to insert hidden spam SEO links. Solving these problems immediately became our security team's goal number one. There were some easy solutions like fully restricting the access to the application login forms for the time of the attacks and forceful removal of all faulty plugins. We saw other hosts take these actions. However, we do not like easy security solutions that make customers feel punished, while other people are the real wrong-doers. Guided by this belief we once again solved the problems in our own way – efficiently and at the same time user-friendly.
Issue 1: Brute Force attack to Joomla and WordPress login pages
We started seeing this problem getting bigger than usual two weeks ago. Why is this happening, you would ask? The reason is simple - SPAM (read more about the relationship between spam and hackers). Huge botnets seems to have become quite active recently targetting hosting companies' IP ranges, discovering Open Source CMSs such as WordPress and Joomla and try to bruteforce their admin password.
We made our customers’ passwords stronger
Of course if your admin password is strong enough (such as "hkjJKT689 6&%$khn!") no bot will EVER find it. However this is not how things work in reality. Just after the bruteforce attempts started two weeks ago I had SG's security team do our own in-house bruteforcing towards admin passwords for various CMSs. And guess what? There were tons of customers using "admin" as their password. And if you are using "admin" as your password, please DO CHANGE IT NOW since "admin" is one of the first passwords botnets are trying to guess simply because many people are careless about security. Some of those apps that used a simple password were already hacked and used for spamming when we identified them. This is how we discovered the bruteforce attack was taking place - follow the SPAM trace and you will find the problem 😉 So step one was to change all easy passwords we were able to find on various apps and email our clients their new password, as well as an explanation why did we do the change in the first place.
Things got even more serious
Yesterday, on 9th of April, all of a sudden a hundred or so of our servers popped up in our monitoring system with abnormally high load. When we dug into it, we found that ALL our servers in the US are under a brute-force attack that targets WP and Joomla sites. The botnets were using more than 1000 different IP addresses per server (we've blocked logins of more than unique 92,000 IPs so far) and tried to guess the passwords at a unique pace. At this point I was furious, now it was not about few websites with weak passwords that were hacked, but about endangering our server performance. Our goal now became to stop the attack immediately and once for all. Therefore, I gathered the security team and a few moments later we had a temporary solution that took place immediately and an idea how to permanently stop those botnets, forever. I will not go into details in terms of what we did, cause chances are some of those hackers running those same botnets would read it and will try to outsmart us, but the facts show that for the past 12 hours we have blocked more than 15 million bruteforce attempts (That's A LOT!) towards our clients and our servers are not experiencing any load issues.
Issue 2: WordPress plugin Social Media Widget - gone bad!
Another WordPress related SPAM issue that became hot yesterday was the announcement of Sucuri that a popular plugin called Social Media Widget contains a bad (SPAM) code inside it. The Plugin was immediately removed from the WordPress official repository and many hosts forcefully uninstalled it from their customers’ WordPress instances.
What we did instead, was to find all the customers that were using the Social Media Widget and deleted the bad code from their plugin. Additionally, even if someone installs now the plugin we have made a server level fix that will not allow the bad code to execute and add the unwanted spam links to our customers’ websites. Thus the problem was solved without forcing our customers to give up a plugin they have chosen to install and probably need.