Large WordPress Brute Force Attack
There has been a recent large scale WordPress wp-login.php brute force attack coming from a large amount of IP addresses spread across the world.
A large botnet of around 90,000 compromised servers has been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard.
This issue is not isolated to one or a few web hosts. It can affect multiple web hosting providers.
What can a web host do?
- The senior system administration team has rolled out a fleet wide security policy to help contain these attacks. For the time being we're removing any public information detailing the new way we're blocking these attacks, as the attackers seem to be actively monitoring for changes, and altering their tactics.
If your site has been targeted in this attack, these security precautions we've implemented may limit your own access to your WordPress admin dashboard. We have chosen to proactively protect our customers from this attack to avoid a potentially larger security problem on your account.
We HIGHLY recommend taking the following actions to secure your WordPress website:
10 recommended steps to lock down and secure WordPress
1. Use a strong password
Minimum password recommendations:- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers, punctuation or other non-alphanumeric characters
Example weak password: secret1
Improved strong password: Z#hupsZ2M4!Z
Take a look at how to create a secure WordPress admin password for easy steps.
2. Change default WordPress admin username
When installing WordPress by default the administrator user has the username of admin.
The botnet attack is currently only targeting this default username, so even having an administrator username of admin123 could signifiantly reduce the likilhood of your site being succesfully logged into by a malicious user.
Check out how to change the WordPress default admin username for security.
3. Lock down WordPress admin access with .htaccess
Utilizing a WordPress brute force plugin for this type of attack is not very efficient, and in some cases can actually lead to your site becoming unavailable due to the large amount of processing power used to attempt to challenge each and every malicious login attempt.
Setup a secondary level password to prevent unauthorized WordPress wp-admin and wp-login.php attempts.
Or you can rely on the information we have on limiting WordPress admin access with .htaccess.
4. Temporaily disable CPU intensive login limit plugins
Blocking this attack with .htaccess rules is the preferred method, as login limiting plugins can not only lead to issue with triggering our own internal security rules, but they also will not be effective in this type of large scale attack.
5. Scan website for hacks, check Google Safe Browsing
If your WordPress site had been successfully compromised, a clear indication will usually be found either by a surface security scan of the website, or it will also get reported to Google's Safe Browsing.
Scan your website with an online malware scanner like sitecheck.sucuri.net/scanner
Check Google's safe browsing for your domain, at google.com/safebrowsing/diagnostic?site=example.com
6. Setup CloudFlare DNS level protection
Due to the large scale of this botnet attack, CloudFlare has offered DNS level filtering for this attack on all of their free accounts.
While probably not an ideal solution if you have many WordPress sites due to having to update the name servers for each domain, and then waiting typically 24-36 hours for DNS propagation. Single site owners might benefit greatly from this type of protection which should block the botnet requests from even making it to the server in the first place.
7. Backup WordPress
At this point it's probably a good idea to backup WordPress just in case. That way, as the attacks continue, you're ensured that you always have a good point to restore back to in the event something goes bad.
Backing up your data and restoring
- Backup your website files in cPanel
- Backup your database in cPanel
- Restoring your databases using phpMyAdmin in cPanel
8. Update everything WordPress
To protect yourself from any known exploits to WordPress you should update everything related to WordPress:
Necessary updates to make:
Update WordPress from admin dashboard
Update WordPress theme
Update WordPress plugin
9. Clean up hacks
If your website has been the victim of a hack, you can follow my guide on how to reinstall WordPress after a hack for steps on cleaning it up and getting back in business.
- First you'll want to download the latest version of WordPress to your local computer.
- Extract the files in the .zip archive you downloaded to a local folder. filezilla upload files to public htmlUsing FTP, upload all of the folders and files contained within the wordpress directory to your public_html directory. Or if your domain was an addon domain and its document root was in a sub-directory make sure you're uploading it there. You can do this by hitting Ctrl-A in your FTP client when you're in the left-hand pane to select all the files, then simply drag them onto the server.
filezilla view quarantined wp-config
- Once the files are done uploading, navigate to the quarantine directory on the server side, right-click on wp-config.php and choose View/Edit. Your FTP application should prompt you for what application you'd like to open the file with, you can just use a text editor such as Notepad. Then finally copy down the database information from the define('DB_...) sections.
wordpress no wp-config file
- At this point if you try to simply access the site you'll get a WordPress error about no wp-config.php file.
filezilla save wp-config sample
- Back in your FTP client, navigate to your public_html directory and you should see a file called wp-config-sample.php, right-click on this file and choose View/Edit, open the file in Notepad then fill in your database name, database user, and database user password. Then hit Ctrl-S to save the file, in a few seconds your FTP client should prompt you if you'd like to save this back to the server, click Yes. You can also place a check beside Finish editing and delete local file if your FTP client gives you that option.
- Now in your FTP client right-click on wp-config-sample.php choose Rename, and then name the file just wp-config.php.
filezilla download custom themeNow in this case if we try to go to our site again it's an all blank page, the reason for this is because our site used a custom theme, and those theme files are still quarantined. So next in your FTP client navigate to the /quarantine/wp-content/themes directory, and drag over the pinboard directory (or whichever theme you used) to your local computer.
- Prior to copying your quarantined theme's files back to the server, you should scan them for a virus/malware, or preferably re-download a fresh copy of your theme from the developer to ensure no malicious files have been placed inside your theme's folders.
filezilla upload custom themeNow navigate on the server side to the /public_html/wp-content/themes directory, and then drag the pinboard directory from the local computer to the server.
wordpress site restored successfullyYou should now be able to hopefully pull up your website again free of any malicious hacks.
10. Other general WordPress recommendations
Optimizing WordPress with W3 Total Cache plugin
Log out of WordPress admin dashboard when not in use
Limit or disable WordPress revisions
Disable WordPress autosave
Install and use Better Delete Revision WordPress plugin
Hopefully your WordPress website should be locked down and secure now, which should help prevent our own internal security rules from blocking your own access to your WordPress admin.
If you're blocked out of your own account and were directed to this article via a warning message be sure that you followed step #3 Lock down WordPress admin access with .htaccess in order to regain access.