Archive for the ‘Wordpress Security’ Category

Worldwide Brute-Force Attack on WordPress Sites

Published by Baden Maxwell on April 21st, 2013 - in Wordpress Security

On April 11th, there was a worldwide, highly distributed WordPress attack, leaving scores of WordPress powered websites vulnerable and under threat from a massive brute-force botnet.
Wordpress Logoin Crosshairs  image
Thousands of sites using the WordPress system have been targeted in an extremely well-organized attempt to obtain admin entry by using brute-force methods (continual multiple login and password cracking attempts).

The sites that are the easiest targets and most at risk – and the ones that are consistently being compromised – are sites using the default username “admin”, sites that DO NOT have even basic security measures in place, and any sites that are unmaintained or running out-of-date extensions and plugins. The lack of basic security precautions, and inconsistent or nonexistent maintenance and updating is a major concern, and any business using the WordPress application needs to seriously evaluate its website security practices if they aren’t implementing effective measures.

Analysts are also warning that this may only be the beginning, as announcements from the group claiming responsibility for these botnet attacks, warn that they are continuing to evolve and broaden the botnet’s targeting focus.

Major tech and online security companies fear that the attackers are at this moment, working on building an even bigger botnet, one that is far more powerful than anything ever seen before.

To date, it has been reported that over 90,000 compromised IP addresses are being used to launch these attacks, with thousands upon thousands of passwords being used by these IP’s to hack into their targets.

For now, the botnet is limited to only using home PCs to spread its infection. However, reports from major hosting companies have confirmed that the attackers are targeting WordPress installations on nearly every web-host in existence, and are now attempting to use the powerful hosting servers to launch a much stronger botnet. Matthew Prince, CEO of CloudFlare, wrote;

“These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Prince referenced the “itsoknoproblembro”, or “Brobot”, botnet that started launching DDoS (distributed-denial-of-service) attacks in Sep 2012 against many major US Banks, including Bank of America, U.S. Bank, Wells Fargo and more.

HostGator has confirmed that they are a major target, with over 90,000 IP addresses targeting their WordPress machines, with many other major global hosting companies experiencing similar targeted attacks as well. Read Hostgators’ Sean Valants blog post about this brute-force flood.

As expected, the global hosting industry is working with their clients to launch counter-strike and anti-strike measures to combat this threat. But until the true extent of this threat is known, many WordPress users will find themselves extremely vulnerable in the interim.

So, what can you as a WordPress user do to ensure your safety and security?

As we said earlier, it seems the botnet is targeting sites using the “admin” username – for now! So the absolute bare minimum you need to do IMMEDIATELY, is change your password if you’re using that username. Even if your username isn’t “admin”, it’s still highly recommended that you change your password as well.

We recommend using a password that contains AT LEAST, 8 characters, with a broad mixture of letters (upper & lower case), numbers and special characters (#@&*^). Your aim is to make your password extremely difficult to crack using known dictionary words or letter/number combinations.

Once you have established a high-level secure password, it’s essential that you change your login username ASAP. For an in-depth tutorial on how to perform this task properly, CLICK HERE. If you have a webmaster that performs all your backend admin tasks, you’ll need to contact them ASAP to get this done immediately.

You should also consider installing a login attempt limiter plugin on your site. We use Limit Login Attempts on all of our sites and give it high recommendations.

As another security precaution, we also recommend you follow Hostgators procedure for WordPress Login protection measures (you don’t need to be a Hostgator customer, as long as you have cPanel access on your hosting account you’ll be able to follow the steps). CLICK HERE to follow their step-by-step procedure.

For more information on the vulnerabilities of WordPress-powered websites, check out our informative article HERE.

You can also get in touch with us and we’ll be more than happy to help you secure your site, or guide you in the right direction to get your online presence protected. VIEW OUR WP SECURITY SERVICE.

We hope that your website and online presence is secure, and that if it isn’t, you’re not affected by this henious botnet attack. If you do plan on using WordPress again in the future, ALWAYS remember to change your username from the default “admin”, and choose a password that is extremely difficult to crack.

All the best


Related News
New DDoS Attacks Hit Game Sites

DDoS Attacks on Major US Banks Resurface

DDoS Attacks Against US Banks Peaked at 60Gbps

Lessons Learned from the US Financial Sector DDoS Attacks


WordPress Sites – Key Indicators of Security

Published by Baden Maxwell on February 8th, 2013 - in Wordpress Security


WordPress – The Powerhouse of Website Management Systems!


Wordpress Site Security

WordPress has become a powerhouse in website content management systems and for good reason. The platform is FREE to use, has been programmed and continually updated with extremely clean coding and built specifically to be as search engine friendly as possible.

Besides these attractive qualities, WordPress is extremely easy to use, easy to edit, simple to teach others how to manage and comes packed with thousands of FREE themes, plugins and capabilities. It’s no wonder it has become one of the leading content management systems on Earth, and is used by millions of individuals, businesses and corporations to project their online presence.


Vital Flaws


However, there are some major flaws in the default WordPress file configurations and settings, and alarmingly, not many users – many of them webmasters and designers – are even aware of the inherent security risks in this major platform.

If YOUR website is powered by WordPress and you, or whoever built your site is NOT aware of these security flaws, your online presence, information and business is extremely insecure, unprotected and vulnerable to attack from hackers, site spies and website hijackers.

If immediate action isn’t taken to rectify your security issues, sooner or later you may find your site hacked, infected with malware, spyware or viruses, and that Google and the other major search engines have deemed it UNSAFE for browsing and completely de-index you.

And that’s just the beginning – because if your site HAS been breached, you’ll more than likely find that confidential personal, business and/or financial information may have been stolen and exploited from right under your nose!


The Key Indicators of Weak Security


We want to share with you the 4 Key Indicators that we use to evaluate whether a site has at least a basic level of security. Use this information so that you can quickly check your own security levels and determine whether you need to address any issues your site may have.


  • 1. Is Wp-config.php Accessible?


    A common and EXTREMELY DANGEROUS mistake made by most WP users, is to leave the wp-config.php file in the root (public) directory, which is highly insecure and makes this file publicly accessible and readable with the right tools. The wp-config.php file contains your site’s operating database username and password information.

    To check whether your wp-config file is secure or not, type: (your web address) into your web browser address bar.

    If the page that appears returns a 404 ERROR message, then congratulations, you or your webmaster has done a good job!

    However, if the page is BLANK, the news is NOT good. You may think because the page is blank that there is nothing there, but in actual fact, the SCREEN is only blank, but the file IS readable. Meaning your wp-config file can be read and all of your vital information accessed.


  • 2. Is Login.php Available and Returning Error Messages?


    This is another very common and dangerous mistake many WordPress users make. Wp-login.php does NOT need to be publicly accessible and should NOT return ANY error messages. Unless you are running a membership area in your website, your login page shouldn’t be publicly accessible.

    The reason NO error messages should be returned, is because these messages give hackers information to work with.

    An extremely dangerous mistake to make is to keep your username as the default admin name. When this is used, all that a hacker has to do is try admin (which is highly possible considering it’s the default setting) along with any password on login, and if your login page is returning messages, it will tell them either ERROR: Incorrect password., or ERROR: Incorrect password for username admin. Meaning, they now KNOW your username and can use an automated program to easily crack your password.

    To check your login page, either pull it up or type: into your address bar. Now try logging in with incorrect details to see if any messages are being returned. If you see ANY error messages – especially the two from above if you use admin – your site is terribly vulnerable.


  • 3. Is Readme.html Available?


    The readme.html file contains information about your current WordPress installation, and allows people to see which version is currently installed on your website. The danger of this is that hackers may be aware of known exploits for your WP version and find a vulnerability to target.

    There is absolutely NO valid use for a readme.html file and it should be removed immediately.

    To check if readme.html is available, type: into your address bar. This file will appear onscreen if it is still available.


  • 4. Is The Installation Script Still Available?


    Once again, one of the most common and dangerous errors we see with WordPress sites, is NOT removing the installation script from the file folder. Once WP has been installed and/or updated, there is no longer a valid use for the script and it should be removed immediately.

    If this file is still available, chances are that it will still be EXECUTABLE as well. This gives hackers the ability to re-install a new site along with completely different execution details like usernames and passwords, effectively locking you out of your own domain.

    Or they could just destroy your entire website with the click of a button if they wished!

    To check for the installation script, type: If it is still available an Already Installed message will appear.


    Unfortunately, every time WP is updated to the current version, it re-installs and replaces almost ALL of the files that were previously secured, rendering your site insecure once again.

    Website security is an on-going task that requires consistent, periodic updating and re-securing.

    We strongly suggest you seriously consider the security of your WP website, and remain vigilant in your efforts to keep your online business, presence and capabilities fully protected and secure.

    Click Here for more information about our WP Security Services or Contact Us Today for a friendly NO OBLIGATION chat to see if we can help you address your site security issues and protect YOUR online business!


    © iWEB Marketing NZ
    All Rights Reserved 2013.