
Is your WordPress web site under attack? Over 90,000 hacker bots may be knocking on your door!

Sep 12, 2014 @ 9:50am Web hosting

Howdie do Turnkey Lovers,

I have a quick question for you: have you ever heard of WordPress? My guess is that since you’re reading this blog, you’ve heard of WordPress and may even be using it on your own website, but for first-time readers I will give a brief overview. Here is a quick overview from WordPress.org:

WordPress is web software you can use to create a beautiful website or blog. We like to say that WordPress is both free and priceless at the same time. The core software is built by hundreds of community volunteers, and when you’re ready for more there are thousands of plugins and themes available to transform your site into almost anything you can imagine. Over 60 million people have chosen WordPress to power the place on the web they call “home” — we’d love you to join the family.

WordPress is one of the most popular site-building pieces of software currently on the internet. Sure, you have Joomla, which is almost the same as WordPress but has slight differences in its configuration. For this article, however, we will be focusing purely on WordPress. As you can see in the overview above, over 60 million people have chosen to use WordPress, which is quite a large pool of users on the internet. Now, what if someone decided to launch an attack on WordPress-based sites? They would have a pretty large base of users to attack and could affect hundreds or possibly thousands of websites. Well, this attack has already happened and is still running at this very instant.

On and off for the last few months, a botnet of over 90,000 machines has been attempting to globally brute-force and hack into wp-login.php, the file WordPress users use to log in to WordPress. The attack sends thousands of requests at one time to attempt to log in to your WordPress installation via wp-login.php, in an attempt to gain access and make it part of the growing botnet. To shed some light on what a botnet is, directly from Wikipedia:

A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.

Well, you may be wondering: if I have a site on a server with Turnkey Internet, how are my sites being protected? Since day 1 of the wide-scale attacks, we’ve enabled a server-wide ACL that blocks all access to wp-login.php unless the IP is whitelisted. This ACL, or access control list, keeps the attack at bay. Because the botnet is targeting wp-login.php directly, we can deny all access to it except from users we specifically allow. When the attack runs, our servers return a 403 page and the attack moves on. You may be saying, “Sure, that works, but is there anything that I can do as a client on my end to help relieve the attack?”

Listed below is the recommended code to add to your site’s .htaccess file in your public_html folder for an extra layer of security (you’ll need to change ‘example.com’ to the domain you are setting it up on):

<IfModule mod_rewrite.c>
RewriteEngine On
# Only act on form submissions (POST) to the login and comment handlers, which is what the botnet sends.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php$
# A real browser on your site sends a Referer from your own domain and a User-Agent; the bots
# usually send neither. Both headers are supplied by the client and can be faked, so this stops
# only the bots that do not bother to.
RewriteCond %{HTTP_REFERER} !example\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the request back to the address it came from.
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>

This, in conjunction with our ACL, will keep the attack from affecting your site(s).
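
As an added example (not part of the original post), here is a short Python script that checks an Apache access log for the pattern described above: bursts of POSTs to wp-login.php from one client, how many of them the ACL refused with a 403, and how many the .htaccess rule above would also have caught. The log lines are constructed, and `example.com` stands in for your own domain.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic): 203.0.113.7 is a
# bot the server-wide ACL refuses (403); 198.51.100.9 is a bot whose POSTs get through and whose
# last request fakes a Referer from the site; 192.0.2.44 is a real user logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2014:09:50:01 -0400] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [12/Sep/2014:09:50:01 -0400] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [12/Sep/2014:09:50:02 -0400] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
198.51.100.9 - - [12/Sep/2014:09:50:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2014:09:50:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2014:09:50:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3821 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [12/Sep/2014:09:50:55 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        return rec

def find_login_floods(lines, site_host, threshold=3, window_seconds=60):
    """Report each client IP with >= threshold POSTs to wp-login.php inside any window_seconds
    span: how many were refused with 403 (the ACL did its job) and how many the .htaccess rule
    would also have caught (Referer not from site_host, or no User-Agent)."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec)
    report = {}
    for ip, recs in posts.items():
        for r in recs:  # does any window_seconds span ending at r hold >= threshold POSTs?
            n = sum(0 <= (r["ts"] - x["ts"]).total_seconds() <= window_seconds for x in recs)
            if n >= threshold:
                report[ip] = {"attempts": len(recs),
                              "blocked_403": sum(x["status"] == 403 for x in recs),
                              "rewrite_would_catch": sum(site_host not in x["referer"]
                                                         or x["ua"] in ("", "-") for x in recs)}
                break
    return report
```

An IP whose attempts are all 403 is being held off by the ACL; an IP with a "passed" count above zero and a faked Referer is exactly the case the .htaccess rule alone cannot stop.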


Additional recommendations:

-Changing your default admin username for wp-admin to a different username, as the attack is specifically targeting the admin username.


-Placing a browser-based password (HTTP authentication via .htaccess/.htpasswd) on wp-login.php

The link immediately below explains how to do this:

http://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php


Additional information about the attack can be found here:

http://blog.skunkworks.ca/brute-force-attack-targeting-sites-running-wordpress/

http://www.inmotionhosting.com/support/news/general/wp-login-brute-force-attack


The tips we’ve provided above will help keep the attack from affecting your site, and they will also increase the security of your WordPress-based site. We hope this will help not just Turnkey Internet clients but anyone globally who may be having issues with the WordPress attack on their sites.


Until next time


Written by Jeremy on September 12th, 2014
