The news broke in a big way on Friday, April 12th, that a massive attack was underway all over the world, targeting websites running WordPress. Since we have quite a number of customers running SnapEngage on WordPress sites, we wanted to do our part to get the word out. This is a brute-force attack, originating from over 90,000 IP addresses worldwide. (In a brute-force attack the attacking systems try username and password combinations over and over, working through lists of common passwords, their variations, and strings of words and numbers in hopes that one of them will work.)
It is important to note that every WordPress-powered website is at risk, large or small. To prove that point: my own mother’s small, Long Island day camp and riding school website, which generates a droplet of traffic in comparison to, say, the SnapEngage website, has been actively under attack since at least Friday afternoon.
Compromised websites are being used to launch further attacks, so protecting yourself will also aid in the larger effort to thwart the massive attack.
Steps you should take immediately to protect yourself:
- Change your WordPress passwords to something long and random: a dozen or more characters mixing uppercase and lowercase letters, numbers, and special characters (^%$#&@*), and not a dictionary word with a digit tacked on the end. Length matters most; a password like that is far outside what a dictionary-style brute-force attack will ever guess.
- Install a WordPress plugin to limit login attempts, like, say, the aptly named “Limit Login Attempts” plugin.
It appears that the attacks are primarily targeting the “admin” username, as well as “Admin”, “test”, “administrator”, and “root”. If your own account is still named “admin”, create a new administrator account with a different username and delete the old one; the attack is guessing passwords for that name specifically. But this is no guarantee that other usernames may not also be attacked at some point.
As for the “why” of the attack, there’s only speculation to be found on that point, and I’ll leave that to the other blogs. But for now, for you, and for everyone you know who might be using WordPress, the important point is to get secure, and keep an eye on the tech blogs as information comes out. I’d recommend both Ars Technica, and the SecuriBlog.
Additional steps you can take:
- There are quite a few WordPress security plugins available, each with its own pros and cons, so I don’t feel comfortable making a blanket recommendation myself, but I will note that some tech blogs are recommending the “Better WP Security” plugin.
- If your “Limit Login Attempts” plugin is emailing you an IP address with multiple failed login attempts (which you should set the plugin to do), there’s a good chance that IP address will try again as soon as it is able. To block these IP addresses as they come in, you can copy and paste the following text snippet into your .htaccess file to block the toxic locations from accessing your wp-login page.
- Simply follow the pattern and paste in your own list of IP addresses as reported by “Limit Login Attempts” to mitigate the effects of a given point of attack. (This list comes courtesy of our own webhost, WPEngine, and reports from SecuriBlog, so you should leave the current list of blocked IPs in place and make your additions at the end of the list.) Note that this is the Apache 2.2 access-control syntax (order/allow/deny); on Apache 2.4 it only works if mod_access_compat is loaded, and the native equivalent is a “Require all granted” line plus a “Require not ip” line for each address inside a RequireAll container. If your host runs Nginx, .htaccess files are ignored entirely and you will need the equivalent server-side rule.

```apache
# BEGIN wp-login.php blocks
<Files wp-login.php>
order allow,deny
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
deny from 188.8.131.52
deny from 184.108.40.206
deny from 220.127.116.11
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
deny from 188.8.131.52
deny from 184.108.40.206
deny from 220.127.116.11
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
deny from 188.8.131.52
deny from 184.108.40.206
deny from 220.127.116.11
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
deny from 188.8.131.52
deny from 184.108.40.206
deny from 220.127.116.11
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
deny from 188.8.131.52
deny from 184.108.40.206
deny from 220.127.116.11
deny from 18.104.22.168
allow from all
</Files>
# END wp-login.php blocks
```
*Note: There is some slight possibility that this list could block a small amount of legitimate traffic, but the SecuriBlog has named these IP addresses as the biggest offenders in recent days, so in my personal opinion the potential good outweighs the potential risk.
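Maintaining that deny list by hand gets tedious once the failed-login emails start arriving by the dozen. The script below is an added example, not code from the original post, SnapEngage, or any of the plugins mentioned: it reads your web server’s access log instead of the plugin emails, counts the POST requests to wp-login.php per client IP, and regenerates the “wp-login.php blocks” section above with the existing entries kept and the new offenders appended. It assumes Apache’s combined log format, a failure threshold you pick (10 here), and that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302. The IP addresses and log lines in it are constructed from documentation ranges, not real attackers.

```python
"""Regenerate the .htaccess wp-login.php deny block from an Apache access log.

Added example, not from the original post. Assumes Apache combined log format
and that failed WordPress logins answer 200 (form re-rendered) while successful
ones answer 302 (redirect to wp-admin).
"""
import re
from collections import Counter

# ip ident user [time] "METHOD path proto" status ... (combined/common log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# one "deny from <addr>" per line inside the existing block
DENY_RE = re.compile(r'^\s*deny from (\S+)\s*$', re.IGNORECASE | re.MULTILINE)

# Constructed sample of an existing block (documentation addresses, not real offenders).
SAMPLE_HTACCESS = """\
# BEGIN wp-login.php blocks
<Files wp-login.php>
order allow,deny
deny from 198.51.100.7
deny from 198.51.100.8
allow from all
</Files>
# END wp-login.php blocks
"""

# Constructed sample log: one noisy attacker, one legitimate user who fumbled once,
# a plain GET of the login page, an already-blocked host (403), and a junk line.
SAMPLE_LOG = [
    f'203.0.113.10 - - [15/Apr/2013:10:01:{i:02d} -0600] '
    f'"POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '203.0.113.20 - - [15/Apr/2013:10:05:00 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [15/Apr/2013:10:05:09 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [15/Apr/2013:10:06:00 -0600] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2013:10:07:00 -0600] "POST /wp-login.php HTTP/1.1" 403 0 "-" "-"',
    'this line is not a log entry and is skipped',
]


def count_failed_logins(log_lines):
    """Count, per client IP, POSTs to wp-login.php that came back with HTTP 200 (a failed login)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; ignore rather than guess
        path = m['path'].split('?', 1)[0]
        if m['method'] == 'POST' and path.endswith('/wp-login.php') and m['status'] == '200':
            hits[m['ip']] += 1
    return hits


def offenders(hits, threshold):
    """IPs with at least `threshold` failed attempts, busiest first."""
    return [ip for ip, n in hits.most_common() if n >= threshold]


def existing_denies(htaccess_text):
    """Addresses already listed in the current block, in their original order."""
    return DENY_RE.findall(htaccess_text)


def render_block(deny_ips):
    """Emit the Apache 2.2-style block from the post, one deny per address, duplicates dropped."""
    unique = list(dict.fromkeys(deny_ips))  # preserves order, removes repeats
    lines = ['# BEGIN wp-login.php blocks', '<Files wp-login.php>', 'order allow,deny']
    lines += [f'deny from {ip}' for ip in unique]
    lines += ['allow from all', '</Files>', '# END wp-login.php blocks']
    return '\n'.join(lines) + '\n'


def update_htaccess(current_block, log_lines, threshold=10):
    """Keep the existing denies, append new offenders from the log, and re-render the block."""
    merged = existing_denies(current_block) + offenders(count_failed_logins(log_lines), threshold)
    return render_block(merged)


if __name__ == '__main__':
    print(update_htaccess(SAMPLE_HTACCESS, SAMPLE_LOG, threshold=10), end='')
```

The threshold is deliberately conservative: the legitimate user in the sample fails once and then logs in, so they never come near it, while the host hammering the form a dozen times does. Replace SAMPLE_LOG with the lines of your real access log and paste the output over the existing block in .htaccess; because the block ends in “allow from all”, everyone not on the list still reaches the login page.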
This will most likely be a long, ongoing attack, so if you haven’t secured your WordPress site yet, now is absolutely the time to do so. It can be a dangerous internet out there, and the “it probably won’t happen to me” mindset is akin to leaving your car unlocked with a computer sitting on the front seat. Take the time to put some safeguards in place.
When those “failed login attempt” emails start pouring in from your “Limit Login Attempts” plugin, you’ll be glad you did.
Stay safe, and please help spread the word.