It seems that there is currently a massive attack underway across the internet, with a focus specifically on WordPress. I first saw this on a couple of my own blogs today when trying to access the admin areas; it responds with “Not Acceptable” (Arvixe).
This is apparently affecting many of the bigger services out there, the ones hosting the most WP installs on their systems. There are numerous service providers reporting it, with potentially millions of Wordpress sites currently under attack.
There are suggestions that, if you are able to, you should change your log in details to something more considerable and harder to hack. Those seeing a message such as that issued on the wp-admin by Arvixe should be okay, but if you are able to log in to your admin area you should take precautions to ensure that your log in details are more difficult, prior to the attack hitting your service provider.
This doesn’t seem to be affecting server admin areas, or the delivery of most sites.
Distributed attack against WordPress installations
I've received reports about a distributed attack against WordPress installations across the world.
Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data.
To ensure that your websites are secure and safeguarded from this attack, we recommend the following steps:
Update and upgrade your wordpress installation and all installed plugins
Install the security plugin listed here
Ensure that your admin password is secure and preferably randomly generated
Other ways of Hardening a WordPress installation are shared at http://codex.wordpress.org/Hardening_WordPress
These additional steps can be taken to further secure wordpress websites:
Disable DROP command for the DB_USER. This is never commonly needed for any purpose in a WordPress setup
Remove README and license files (important) since this exposes version information
Move wp-config.php to one directory level up, and change its permission to 400
Prevent world reading of the htaccess file
Restrict access to wp-admin only to specific IPs
A few more plugins: wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner, wordfence, http://wordpress.org/extend/plugins/better-wp-security/. These may help on several occasions.
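The file-level items in the checklist above (README and license files, the location and mode of wp-config.php, a world-readable .htaccess) can be checked with a short script. This is an added example, not part of the original posts or any host's tooling; the function names and the sample directory tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Files named in the checklist as exposing version information.
VERSION_LEAK_FILES = ("readme.html", "license.txt")

def _mode(path):
    """Permission bits of a file, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)

def audit(docroot):
    """Return findings for the file-level checklist items under docroot."""
    findings = []
    for name in VERSION_LEAK_FILES:
        if os.path.exists(os.path.join(docroot, name)):
            findings.append(f"{name} present in docroot")
    in_root = os.path.join(docroot, "wp-config.php")
    above = os.path.join(os.path.dirname(os.path.abspath(docroot)), "wp-config.php")
    if os.path.exists(in_root):
        findings.append("wp-config.php is inside the docroot")
    cfg = in_root if os.path.exists(in_root) else above
    if os.path.exists(cfg) and _mode(cfg) != 0o400:
        findings.append(f"wp-config.php mode is {_mode(cfg):o}, expected 400")
    htaccess = os.path.join(docroot, ".htaccess")
    if os.path.exists(htaccess) and _mode(htaccess) & stat.S_IROTH:
        findings.append(".htaccess is world-readable")
    return findings

def build_sample(base, hardened):
    """Create a constructed sample tree; base/site plays the docroot."""
    root = os.path.join(base, "site")
    os.makedirs(root)
    cfg_dir = base if hardened else root
    files = {os.path.join(cfg_dir, "wp-config.php"): 0o400 if hardened else 0o644,
             os.path.join(root, ".htaccess"): 0o640 if hardened else 0o644}
    if not hardened:
        for name in VERSION_LEAK_FILES:
            files[os.path.join(root, name)] = 0o644
    for path, mode in files.items():
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            print("hardened" if hardened else "default", audit(build_sample(tmp, hardened)))
```

The database privilege and wp-admin IP restriction items live in MySQL grants and web server configuration, so they are outside what a file check can see.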
Ah, it seems we both posted at roughly the same time lol
I was a little surprised by the fact that so little is out there about this. According to several of the hosting companies I’ve checked out, this seems to be unprecedented, and many of them are really struggling to deal with it. This should be pretty big news right now, especially in light of the attack which South Korea blamed on the North last week.
Yeah well, to give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers.
We did a detailed analysis of the attack pattern and found out that most of the attack was originating from CMSs (mostly wordpress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories.
So, today we are seeing this “attack” on a global scale.
Is that related to the Russian botnet of recent years? If so I thought the FBI had that under control? Didn’t they have to maintain the DNS system while it was being tracked down and removed, and those not complying would be kicked off line?
We are applying a basic password protection on all default WordPress admin directories. This is in response to the wave of attacks we are detecting on our network and in the security news worldwide.
Attackers are trying to guess the login name and password of your admin page located at:
some_site.com/wp-admin/
To access your WordPress admin, please use the following login and password:
m3server / GoodDay
This will then expose your normal login page to WordPress. Use your existing login, we do not have this information and would never ask you for it unless we were replying to your ticket - so PLEASE do not give it out if someone asks you.
The simple method is to defeat the attack and prevent crashing your server.
We also recommend you follow our support blog’s latest security post for further enhancing your protection:
If you don’t use WordPress, this will not affect you. If you use another CMS or application that has a login directory of this type, such as joomla, you should follow similar security measures to keep your site(s) safe from harm.
I have a plugin on my WP blogs that is called “limit login attempts”.
It blocks any IP address that tries to login but fails to enter the correct password (after 2 tries). It also e-mails a list of blocked IP addresses and the number of attempts. I receive one of those mails every couple of months. This morning, my inbox was full of messages. So, yes they are definitely trying to get in.
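The per-IP lockout described in the last post, next to a site-wide per-minute count that still registers an attack spread over many addresses, as an added example that is not from the thread or from the plugin. It assumes combined-format access logs and that WordPress answers a failed login POST with 200 and a successful one with a 302 redirect; the log lines, thresholds and function names are constructed.

```python
import re
from collections import Counter

# ip, timestamp, method, path, status from a combined-format access log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: one noisy address, one successful login, and six
# addresses that each fail once within the same minute.
SAMPLE = [
    '203.0.113.7 - - [13/Apr/2013:09:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [13/Apr/2013:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [13/Apr/2013:09:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '192.0.2.10 - - [13/Apr/2013:09:14:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [13/Apr/2013:09:14:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 5000',
] + [
    f'198.51.100.{i} - - [13/Apr/2013:09:15:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120'
    for i in range(1, 7)
]

def failed_logins(lines):
    """Yield (ip, minute) for each POST to wp-login.php answered with 200."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            yield ip, ts[:17]  # "13/Apr/2013:09:15" is the minute bucket

def analyse(lines, per_ip_limit=2, per_minute_limit=5):
    """Return (addresses to lock out, minutes with a site-wide burst)."""
    events = list(failed_logins(lines))
    per_ip = Counter(ip for ip, _ in events)
    per_minute = Counter(minute for _, minute in events)
    blocked = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    busy = sorted(m for m, n in per_minute.items() if n >= per_minute_limit)
    return blocked, busy

if __name__ == "__main__":
    blocked, busy = analyse(SAMPLE)
    print("lock out:", blocked)
    print("burst minutes:", busy)
```

In the sample the six single-attempt addresses never reach the per-IP limit, but their shared minute crosses the site-wide threshold.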