Security Alert: WordPress websites worldwide are under attack

The news broke in a big way on Friday, April 12th, that a massive attack was underway all over the world, targeting websites running WordPress. Since we have quite a number of customers running SnapEngage on WordPress sites, we wanted to do our part to get the word out. This is a brute-force attack, originating from over 90,000 IP addresses worldwide. (Brute-force attack means the attacking system tries an endless number of common passwords, password variations, and strings of words and numbers in hopes that one of them will work.)

It is important to note that every WordPress-powered website is at risk, large or small. To prove that point: my own mother’s small, Long Island day camp and riding school website, which generates a droplet of traffic in comparison to, say, the SnapEngage website, has been actively under attack since at least Friday afternoon.

Compromised websites are being used to launch further attacks, so protecting yourself will also aid in the larger effort to thwart the massive attack.

Steps you should take immediately to protect yourself:
  1. Change your WordPress passwords to something super heavy duty, including uppercase and lowercase letters, numbers, and special characters (^%$#&@*). These types of passwords are much more difficult to brute-force.
  2. Install a WordPress plugin to limit login attempts like, say, the aptly named “Limit Login Attempts” plugin, which can be found here.

It appears that the attacks are primarily targeting the “admin” username, as well as: “Admin”; “test”; “administrator”; and “root”. But there is no guarantee that other usernames will not also be attacked at some point.

As for the “why” of the attack, there’s only speculation to be found on that point, and I’ll leave that to the other blogs. But for now, for you, and for everyone you know who might be using WordPress, the important point is to get secure, and keep an eye on the tech blogs as information comes out. I’d recommend both Ars Technica, and the SecuriBlog.

Additional steps you can take:
  1. There are quite a few WordPress security plugins available, each with its own pros and cons, so I don’t feel comfortable making a blanket recommendation myself, but I will note that some tech blogs are recommending the “Better WP Security” plugin.
  2. If your “Limit Login Attempts” plugin is reporting an IP address to your email with multiple failed login attempts (which you should set the plugin to do), there’s a good chance that IP address will try again as soon as it is able. To block these IP addresses as they come in, you can copy and paste the following text snippet into your .htaccess file to block the toxic locations from accessing your wp-login page.
  3. Simply follow the pattern and paste in your own list of IP addresses as reported by “Limit Login Attempts” to mitigate the effects of a given point of attack. (This list comes courtesy of our own webhost, WPEngine, and reports from SecuriBlog, so you should leave the current list of blocked IPs in place and make your additions at the end of the list.)
# BEGIN wp-login.php blocks
<Files wp-login.php>
order allow,deny
deny from 31.184.238.38
deny from 178.151.216.53
deny from 91.224.160.143
deny from 195.128.126.6
deny from 85.114.133.118
deny from 177.125.184.8
deny from 89.233.216.203
deny from 89.233.216.209
deny from 109.230.246.37
deny from 188.175.122.21
deny from 46.119.127.1
deny from 176.57.216.198
deny from 173.38.155.22
deny from 67.229.59.202
deny from 94.242.237.101
deny from 209.73.151.64
deny from 212.175.14.114
deny from 78.154.105.23
deny from 50.116.27.19
deny from 195.128.126.114
deny from 78.153.216.56
deny from 31.202.217.135
deny from 204.93.60.182
deny from 173.38.155.8
deny from 204.93.60.75
deny from 50.117.59.3
deny from 209.73.151.229
deny from 216.172.147.251
deny from 204.93.60.57
deny from 94.199.51.7
deny from 204.93.60.185
allow from all
</Files>
# END wp-login.php blocks

*Note: There is some slight possibility that this list could block a small amount of legitimate traffic, but the SecuriBlog has officially identified these IP addresses as the biggest offenders in recent days, so in my personal opinion the potential good outweighs the potential risk.
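As an added illustration (not part of the original post, the plugin, or WPEngine's material), the small Python script below does the two chores above by hand: it counts repeated POSTs to wp-login.php per IP in an Apache access log and appends the offenders to the end of the deny list in a block shaped like the one above, skipping IPs already listed. It runs on constructed sample log lines using RFC 5737 documentation addresses, and relies on a heuristic you should confirm on your own site: a failed WordPress login re-renders the form with HTTP 200, while a successful one redirects with 302.

```python
import ipaddress
import re
from collections import Counter

def _line(ip, method, status):
    # Constructed Apache combined-log sample line (not real traffic).
    return f'{ip} - - [13/Apr/2013:10:01:02 +0000] "{method} /wp-login.php HTTP/1.1" {status} 3951 "-" "Mozilla/5.0"'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", 200)] * 6                                      # six bad passwords in a row
    + [_line("198.51.100.4", "POST", 200), _line("198.51.100.4", "POST", 302)]  # one typo, then success
    + [_line("192.0.2.9", "GET", 200)]                                           # only viewed the login page
)

# Shortened copy of the .htaccess block from the post; the real one carries the full list.
EXISTING_BLOCK = """# BEGIN wp-login.php blocks
<Files wp-login.php>
order allow,deny
deny from 31.184.238.38
allow from all
</Files>
# END wp-login.php blocks"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Count POSTs to wp-login.php answered with HTTP 200, per client IP.
    Heuristic (assumption): WordPress re-renders the form with 200 on a bad
    password and redirects with 302 on success, so 200 ~ a failed attempt."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0].endswith("/wp-login.php")):
            counts[m["ip"]] += 1
    return counts

def offenders(log_text, threshold=5):
    """IPs with at least `threshold` failed attempts, sorted for stable output."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)

def merge_block(htaccess, new_ips):
    """Append 'deny from' lines for new_ips at the end of the existing deny list
    (just before 'allow from all'), skipping duplicates and rejecting malformed IPs."""
    lines = htaccess.splitlines()
    present = {l.split()[-1] for l in lines if l.startswith("deny from ")}
    additions = [f"deny from {ipaddress.ip_address(ip)}" for ip in dict.fromkeys(new_ips) if ip not in present]
    idx = lines.index("allow from all")  # the post says to add at the end of the list
    return "\n".join(lines[:idx] + additions + lines[idx:])
```

Because the block uses `order allow,deny`, the `deny from` lines take precedence over `allow from all`, which is what makes the pattern work; keep that ordering when you edit the file.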

This will most likely be a long, ongoing attack, so if you haven’t secured your WordPress site yet, now is absolutely the time to do so. It can be a dangerous internet out there, and the “it probably won’t happen to me” mindset is akin to leaving your car unlocked with a computer sitting on the front seat. Take the time to put some safeguards in place.

When those “failed login attempt” emails start pouring in from your “Limit Login Attempts” plugin, you’ll be glad you did.

Stay safe, and please help spread the word.