There has been quite a lot of media buzz about the recent WordPress attacks referred to in my last post. There has also been quite a lot learned about the attacks. I wanted to write this followup to give you the latest information and hopefully relieve some anxiety about them.
What They Were After
At first glance, it appeared that this was a brute-force attack on all possible login/password combinations on WordPress sites. That is not strictly the case. It was a dictionary attack: a short list of likely usernames tried against a list of passwords already known to be weak. The username “admin” was by far the most targeted, paired with commonly used passwords like “admin123”, “password123”, and so on. Other variations on “admin” were probed as well.
So, the attack was pretty much as follows:
- Find a WordPress login page by searching for “wp-login.php”
- Try the first username on a specific list (beginning with “admin”)
- Try a list of known insecure passwords with the selected username
- If any of the passwords succeeds, log in and compromise the site
- If not, try the next username on the list with the list of passwords
- Repeat until entrance is gained, or all attempts have failed
The list of usernames was fairly short, but the list of passwords was extensive, so a full cycle against one site took some time. Because the attack was run against thousands of WordPress sites simultaneously, servers were under very heavy load until administrators figured out how to block the attackers. That took several days.
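The pattern described above is easy to spot in a web server’s access log if you know what to look for. What follows is an added example, not code from the original post or from WordPress: it parses a few constructed log lines in Apache “combined” format (documentation IP addresses, made up for the example) and counts POSTs to wp-login.php per source IP. It relies on one piece of WordPress behaviour: a failed login re-renders the form with an HTTP 200, while a successful one redirects to wp-admin with a 302, so an IP that racks up 200s and then gets a 302 is the one to treat as a break-in, not just a nuisance. The threshold of 3 is an assumption for the demo; tune it for your traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format. They are made up
# for this example (RFC 5737 documentation addresses), not captured traffic.
# On wp-login.php a POST that fails re-renders the form (HTTP 200); a POST
# that succeeds redirects to wp-admin (HTTP 302).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:04 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.200 - - [12/Apr/2013:03:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
192.0.2.200 - - [12/Apr/2013:03:20:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Pull client IP, timestamp, method, path and status out of one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def login_posts(log_text):
    """Yield only the POSTs to wp-login.php, which is where credentials are submitted."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield rec

def is_success(rec):
    # WordPress answers a correct login with a redirect to wp-admin.
    return rec["status"] in (301, 302, 303)

def summarize(log_text, threshold=3):
    """Per-IP failed/succeeded counts, IPs to block (>= threshold failures),
    and IPs that failed repeatedly and then got in (treat those as a compromise)."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for rec in login_posts(log_text):
        stats[rec["ip"]]["succeeded" if is_success(rec) else "failed"] += 1
    to_block = sorted(ip for ip, s in stats.items() if s["failed"] >= threshold)
    got_in = sorted(ip for ip, s in stats.items() if s["failed"] and s["succeeded"])
    return dict(stats), to_block, got_in

def total_failed(log_text):
    """Site-wide failure count. When attempts are spread over tens of thousands
    of IPs, each one can stay under any per-IP threshold, so the aggregate is
    often the first sign that a site is being worked on."""
    return sum(1 for rec in login_posts(log_text) if not is_success(rec))

if __name__ == "__main__":
    stats, to_block, got_in = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} failed={s['failed']} succeeded={s['succeeded']}")
    print("block:", to_block)
    print("failed then succeeded (treat as compromised):", got_in)
    print("total failed logins:", total_failed(SAMPLE_LOG))
```

On the sample, 203.0.113.7 is the one to block, 198.51.100.22 is the one to worry about (two failures, then a redirect), and 192.0.2.200 is just a normal login. Given the 90,000 source addresses mentioned below, the total failed count per site is worth alerting on even when no single IP crosses the threshold.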
How Web Hosts Handled It
Some handled the situation pretty well. Others did not. HostGator and GoDaddy at least acknowledged the situation, while many hosts did not until it was past, if at all. At least one of my clients had her sites completely shut down by her web host, which was an unacceptable overreaction on their part. While I’m not a fan of GoDaddy’s hosting, at least they admitted the problem and established some communication about their response to it. I did not notice any serious slowdown of my or my clients’ sites on HostGator.
I heard of one host who came up with a rather interesting solution. They asked their clients not to log in to their WordPress sites for a time so that they could pinpoint the IPs that were attempting to log in and block them. Given that there were over 90,000 IPs used in the attacks, that was one way to separate the good ones from the bad ones.
Is The Attack Over?
For now, it appears to be. I’m not seeing the flood of alerts for failed logins the past couple of days. That said, one security blog pointed out that even if a site was hacked, it may not be evident for a while. The typical attack gains access and plants a “time bomb” (a backdoor or a scheduled payload) that doesn’t activate right away. This lets the initial furor die down before any symptoms appear, so it’s harder to connect the two events. It is therefore worth checking now, even if nothing looks wrong: review the Users list for administrator accounts you didn’t create, and look (or ask your host to look) for files added or modified during the attack window.
So, What’s Next?
There are a couple of things that need to be done ASAP if they haven’t already been done. First, if you have any user accounts on your WP site named “admin” or a derivative thereof, get rid of them ASAP. Removing the username the attackers try first takes you off the easy list, but a strong password is what actually stops them, so do both. WP does not allow the username to be changed on an account through the dashboard (it can be done directly in the database if you know what you’re doing), so the process is as follows:
- Log in to your WP site and click Users in the left sidebar of the dashboard
- Click the “admin” user
- Change the email address to something you’re not going to use for the new user you’re about to create. This doesn’t have to be a valid email address. WP will not allow two users to have the same email address, so in order to re-use it, the “admin” user’s email must be different
- Save the changes to the “admin” user
- At the top of the screen, click “Add New” to create a new user
- Fill out the required fields and any others desired. Make sure the username does not contain the word “admin”. It doesn’t have to be terribly obscure, just something other than “admin”; WP exposes author usernames through author archive URLs anyway, so the password, not the username, is what protects the account. Obviously, give the user administrative privileges (the Administrator role)
- Give the new user a strong password. As you type the password in the password fields, the strength indicator under those fields should be green and read “Strong”. Length does more for you than mixing character types: aim for at least 12 characters, and add uppercase letters, numbers and punctuation on top of that rather than instead of it. More on strong passwords below
- Save the new user profile
- Log out of your site and log back in with the new user’s credentials
- Go to Users again, hover over the “admin” user entry and click Delete
- You will be asked what to do with posts and links associated with the user you’re about to delete. Assign them to the new user you just created and click the button to complete the delete process
How Do I Know If My Current Password Is Strong?
If you’re not sure whether your password is a strong one, you can easily test it. Log in to your account and go to your profile page. Scroll down to the New Password field and enter your current password. The strength indicator below the password fields will be green and read “Strong” if your password is strong. If it’s not, you’ll see either red and “Weak” or yellow and “Medium”.
To create a strong password, use the guidelines cited above: one or more uppercase letters, one or more numbers, one or more punctuation marks or special characters, and a length of at least 12 characters. You can have WP generate a random password for you, which is the strongest option if you keep it in a password utility (see below). If you need something you can remember, a phrase of several unrelated words is both longer and easier to recall than a short word dressed up with substitutions. Swapping the number 1 (one) or an exclamation point for “i” and “l”, zero (0) for “o”, and so on does less than you’d think: password-cracking tools apply exactly those substitutions to every word in their lists, so “P@ssw0rd1” is not meaningfully harder to guess than “password”. If you do use substitutions, apply them to a long phrase that isn’t in any dictionary, not to a single word.
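To make the substitution point concrete, here is an added example (my own, not code from the original post or from WordPress’s strength meter). It does what a cracker’s rule set does in miniature: strips trailing digits and punctuation, undoes the common leet substitutions, and looks the result up in a wordlist; anything that matches is weak no matter how many character classes it mixes. Only then does it fall back to a naive length-times-charset estimate of the kind a strength meter uses. The wordlist, the substitution table and the 40/60-bit cut-offs are assumptions for the demo; real wordlists run to hundreds of millions of entries.

```python
import math
import string

# Constructed mini wordlist for the demo. Real cracking wordlists are vastly
# larger, and crackers apply "rules" (leet swaps, appended digits, case
# changes) to every entry.
WORDLIST = {"password", "admin", "welcome", "letmein", "wordpress",
            "monkey", "qwerty", "iloveyou", "summertime"}

# The substitutions the post describes, read backwards: what a cracking rule undoes.
UNLEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                        "@": "a", "$": "s", "5": "s", "7": "t", "|": "l"})

def normalize(pw):
    """Strip trailing digits/punctuation, undo leet swaps, lowercase."""
    stripped = pw.rstrip(string.digits + string.punctuation)
    return stripped.translate(UNLEET).lower()

def in_wordlist(pw):
    return normalize(pw) in WORDLIST

def charset_bits(pw):
    """Naive estimate: log2(charset size) per character, as if each character
    had been chosen at random. This is roughly what a meter that only counts
    character classes measures, and it flatters dictionary-based passwords."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0

def rate(pw):
    """'weak' if a rule-based guess recovers it from the wordlist, whatever
    classes it mixes; otherwise judge by the naive bit estimate."""
    if in_wordlist(pw):
        return "weak"
    bits = charset_bits(pw)
    if bits < 40:
        return "weak"
    if bits < 60:
        return "medium"
    return "strong"

if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Adm1n123!", "Summer2013",
                      "xK9#pL2$vQ7m", "correct horse battery staple"):
        print(f"{candidate!r:34} -> {normalize(candidate)!r:30} {rate(candidate)}")
```

“P@ssw0rd1” mixes all four character classes and would light up a class-counting meter, yet it normalizes straight back to “password”. The naive estimate still overstates a passphrase (words are not random characters), but a four-word phrase beats an eight-character leet word by a wide margin either way.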
Once you’ve come up with this strong password, don’t use it for every site where you need a password! If you have a lot of passwords to remember, use a password utility. My personal favorite is Roboform, and there are others out there as well. Roboform is free for the first 100 or so passwords. Others are free for unlimited numbers of passwords; however, I can’t vouch for them as I’ve never used them. The yearly license for Roboform is very inexpensive, so hardly a factor in the decision, IMO.
One final note for those of you who log in to cPanel and/or use FTP to connect to your hosting account. Start using the encrypted (SSL/TLS or SSH) connections available for these activities. The standard cPanel and FTP logins send your username and password in the clear, so anyone on the same network can read them, which is a real risk if you ever use them over open wireless networks at various retail locations.
cPanel listens on port 2082 for plain HTTP and on port 2083 for HTTPS. When you type in your cPanel URL, it’s usually http://mydomain.com/cpanel, which you’ll see translated to http://mydomain.com:2082 in the address bar of your browser. Change the 2082 to 2083 and reload the page. You should then see the URL as https://mydomain.com:2083 or, in some cases, https://myhostserver.com:2083. The latter shows up on mine as https://gator1234.hostgator.com:2083, which is the actual server on which my site is hosted (it’s not actually gator1234, but you get the idea). The switch to the server’s own hostname typically happens because the certificate is issued for that hostname rather than for every customer domain, so if your browser warns about a certificate mismatch at your own domain, the server hostname is the address to use.
For SFTP you will need to check your host’s support pages to find out the port, because it is often not the standard SSH port 22. In the case of HostGator, it’s port 2222. When setting up the account in my FTP client, I choose “FTP(S)” or “SFTP” depending on the FTP client and enter 2222 in the port field, then my username and password as usual. A note on those two options: they are different protocols, not two names for the same thing. SFTP runs the file transfer inside an SSH connection, and that is what port 2222 is at HostGator; FTPS is ordinary FTP wrapped in TLS on the normal FTP port. If your client offers both, pick SFTP for port 2222. The first time you log in you will likely get a message that the site isn’t trusted and may not be who you think it is, along with a key fingerprint. Don’t just click through: compare that fingerprint with the one your host publishes (or one you obtained earlier from a network you trust). Once you accept it, the client pins that key and your connections from then on are encrypted; if the same warning ever reappears for the same host, something between you and the server has changed and you should stop and check.
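What that “not trusted” prompt is really asking you to check is the fingerprint of the server’s SSH host key. The following is an added example, not code from the original post or from any SSH client: it builds a fake ed25519 host key (constructed from 32 known bytes, so nothing here is a real HostGator key), formats it the way OpenSSH stores it in known_hosts for a non-standard port, and computes the two fingerprint forms you will see in clients, the modern SHA256 one and the older MD5 colon-hex one, so you can compare them with what the host publishes. The hostname and port are the ones from the post; the key itself is made up.

```python
import base64
import hashlib
import struct

def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed demo host key: an ed25519 public key blob whose 32 key bytes are
# simply 0x00..0x1f. A real one comes from the host's documentation or from
# `ssh-keyscan -p 2222 <host>` run from a network you trust.
DEMO_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

def make_known_hosts_line(host, blob, comment="demo"):
    """known_hosts format: host[:port] keytype base64key [comment]. OpenSSH
    writes non-default ports as [host]:port."""
    (n,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + n].decode()
    return f"{host} {keytype} {base64.b64encode(blob).decode()} {comment}"

DEMO_HOST_LINE = make_known_hosts_line("[gator1234.hostgator.com]:2222", DEMO_BLOB)

def parse_known_hosts_line(line):
    """Return (host, keytype, raw key blob) and refuse inconsistent lines."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("not a known_hosts line")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64)
    # The blob carries its own key type; it must agree with the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type mismatch")
    return host, keytype, blob

def sha256_fingerprint(blob):
    """What OpenSSH shows: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def md5_fingerprint(blob):
    """The older colon-separated hex form many FTP clients still display."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def verify_host_key(line, published):
    """Accept the key only if its fingerprint matches the one the host published."""
    _, _, blob = parse_known_hosts_line(line)
    return published in (sha256_fingerprint(blob), md5_fingerprint(blob))

if __name__ == "__main__":
    host, keytype, blob = parse_known_hosts_line(DEMO_HOST_LINE)
    print(host, keytype)
    print(sha256_fingerprint(blob))
    print(md5_fingerprint(blob))
    print("matches published:", verify_host_key(DEMO_HOST_LINE, sha256_fingerprint(blob)))
```

The fingerprint is all you need to carry around: compare the string your client shows on first connection with the one from the host’s support page, and only then accept. A different fingerprint for the same host later means either the host rotated its key or someone is sitting between you and it, and on hotel or coffee-shop wireless you should assume the latter until the host confirms otherwise.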
As always, be careful out there. Everything you can do to keep your sites secure helps to keep anxiety to a minimum when the bad guys start looking for sites to hack into. Of course, feel free to contact me if you need help with any of the above.