Attacks on Wordpress, Joomla, Drupal, & Magento

Hey All,

I know many of us use Wordpress and similar CMS for our sites. I just received an email from one of my hosting providers that there have been some strong hacking attacks on hosted platforms.

Below is a link to the blog post from them: http://blog.mochahost.​com …ect-our-sites-against-it/ While I don't use this host for Wordpress, it's probably a good reminder for us all to update our passwords.

HTH.

I got a spam email yesterday but that was all I saw.

Your thread title is misleading and deceptive. It seems to say there has been attacks on....

However, the article you link to is a generic "use strong passwords / secure your sites" article, and as far as I can see, does not report any recent large attack underway.

Picture North Carolina wrote in post #15829755
Your thread title is misleading and deceptive. It seems to say there has been attacks on....

However, the article you link to is a generic "use strong passwords / secure your sites" article, and as far as I can see, does not report any recent large attack underway.

I do not mean to be misleading. My host did indicate in an email that there were currently "new global brute-force attack on against ALL – WordPress, Joomla, and Drupal sites (possibly other) across the entire web hosting industry." This link is to the text of the email I received from my host: http://us5.campaign-archive2.com …d=3e2d18b82b&e=​7a37714434 which indicates that there is currently a brute force attack.

There is indeed an attack underway...

many current news stories - here's one:

http://www2.macleans.c​a …t-by-major-hacker-attack/

Regards,
Jim

Yup, it's live and being exploited. Be sure to update your version of WordPress and changing your passwords is always a good idea.

Personally, I've yet to see this in actual use on any sites for me or my clients... but it looks like your hosting provider is really the one who is going to help alleviate this. Most of the large providers are already on top of this though. I was notified last week by mine.

This is what I received from wordfence:

Dear WordPress Publisher,

If you would like to stop receiving WordPress security alerts and product updates from Wordfence, you can click here. You subscribed to this list via the Wordfence security plugin for WordPress.
I'm sure you've seen the news reports during the last 72+ hours about a "massive" "global" "distributed" brute force attack on WordPress systems.

Brute force attacks are ongoing, and this is simply an increase in frequency. To protect yourself, make sure all default accounts like "admin" have been deleted or renamed and that your passwords are very difficult to guess. A brute-force attack is a relatively unsophisticated attack where one or more remote machines try to guess your password.

The more successful attacks are attacks where a back-door known only to a hacker (a zero day vulnerability) is exploited to gain access to your system without logging in. The Timthumb vulnerability which I discovered and fixed last year is an example of this. I haven't seen any reports of a new "zero day" vulnerability being exploited in this attack.

The nature of the attack does suggest that a large portion of the brute force attacks currently underway may be originating from an individual or a single group. If successful this will result in a single individual or group having access to a large distributed network of compromised WordPress servers on relatively high bandwidth links. They can then launch further attacks from this platform. However, whether the attacks are being orchestrated by one person or one group should not affect how you protect yourself.

In this case:

1. Make sure your "admin" account has been renamed.

2. Make sure all your passwords are difficult to guess.

3. Make sure you've disabled and deleted all unused themes and plugins.

Don't be alarmed if you see an increased flow of login attempts on your Wordfence live traffic screen (The Logins and Logouts panel). As long as your passwords are hard to guess and you've removed the "admin" account, you'll most likely be just fine. If you're bored, you can manually block each malicious IP address using Wordfence, or even block the originating Networks. But I'm not doing this on my personal sites because I have strong passwords and no admin account.

Another good thing to do (I had a neglected site totally attacked and erased by my hosting provider - all unbeknownst to me) is to install a WP Update Notifier plugin. So that you don't have some old version of Wordpress, full of holes, waiting to be exploited. That way, if you aren't visiting your admin site every day, you will still be emailed that Wordpress has an update.

I just love these internet attacks that no none really notices. Its like our color coding system from after 911.

Would this be an orange or a yellow?

Kronie wrote in post #15830732
I just love these internet attacks that no none really notices. Its like our color coding system from after 911.

Would this be an orange or a yellow?

There are a massive amount of attacks that are dangerous but barely noticed. If given access to Thousands of sites with a reasonable crowd draw of a few hundred to a few thousand users daily, then that puts a hacker in a position to do a lot more damage down the road.

There are a few main types that would make an attack like this:
1. Simple 'cause we can' types. Their goal is to gain access, explore, and generally be geeks. Mostly harmless, often helpful.
2. The 'trolls and for the lulz' types, who would want access to such systems to compromise them and cause general havoc.
3. The "strategic stepping stones". The goal for such a simple low level attack is the basis of a larger attack. Setting up a foundation from which to do more damage. Given enough compromised servers under their control, they can quietly set things up to gather more resources, create infection points for another attack where users visiting the site pick something up, actively attacking using the processing and network power provided by the stolen server, etc.

Right but its just being sensationalized across the media just like everything else. I realize that we are in an age where everything is connected and there is a risk of attack but is an attack imminent on my websites? Highly unlikely. Its just more scare tactic reporting.....

Kronie wrote in post #15831042
Right but its just being sensationalized across the media just like everything else. I realize that we are in an age where everything is connected and there is a risk of attack but is an attack imminent on my websites? Highly unlikely. Its just more scare tactic reporting.....

Hi Kronie, Sensationalized?? perhaps that's your opinion - but I see this as a very real threat. I have several Wordpress sites and spent much of one day recently strengthening them. One of the vulnerabilities of stock wordpress sites is that the admin login page is always at the same location which gives an attacker a point to start a brute force password attack.

One of the items that is done when you run the 'Better WP Security' plugin is to move the login page to something other than the default location. Then another item is to lock out an ip address that continually tries to access the old (default) login location. Since doing this, I now see that ALL my sites have been probed. I get emails alerting me to this activity that look like this:

A host, 5.9.112.179(you can check the host at http://ip-adress.com/ip_tracer/5​.9.112.179) has been locked out of the WordPress site at http://www.WEBSITENAME​REMOVED.com until Monday, April 15th, 2013 at 9:54:51 pm UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.

Further checks of the logs show active attempts at breaking in.

If my little sites here in nowhere, Canada are being attacked, you can bet others are as well. You ask, "...is an attack imminent on my websites?"

YES.

If you use wordpress, you won't know unless you check your server logs. Has your site been probed? Has someone tried to get in without permission? YES. I'd put money on it.

The 'Better WP Security' plugin is free and doesn't take long to go through and configure. If you don't use it or something similar you'll likely never know when attempts to login have occurred. If you care, my suggestion is to take a few minutes and better protect yourself.

Regards,
Jim

I check my logs regularly. There are always probes trying to hit weak spots. The number of hits actually outnumbers valid visitors. It's not just Wordpress. Another frequent target is PHPAdmin, which is a mySQL web app. Organized crime smells blood in the waters of the internet and are in a food frenzy. The authorities are putting their efforts toward stopping script kiddies and hackers who are embarrassing them instead of going after the guys who are trying to steal our money. Some governments look the other way because it's bringing stolen revenue into their economies. You have to take care of yourself.

whitesell wrote in post #15833305
The 'Better WP Security' plugin is free and doesn't take long to go through and configure. If you don't use it or something similar you'll likely never know when attempts to login have occurred. If you care, my suggestion is to take a few minutes and better protect yourself.

Regards,
Jim

Honestly I have other stuff to worry about than my site being probed and someone trying to hack into my site. I care about successful logins not unsuccessful ones. Probe away....I have had wordpress sites up for years and have never been hacked. Of course now I probably will....

This is exactly what I am talking about. Now there is a plugin and you can be alerted constantly for unauthorized login attempts. Talk about living in fear....Do you really need to know this information that you can do nothing about except worry? Maybe spend more time out shooting and less time worrying about who is trying to log into your site.

That being said I think that moving the login location off the WP URL is a great idea.