
Gator Crossing

The Official HostGator Company Blog!


Global WordPress Brute Force Flood

Written by Sean Valant

Thursday, April 11th, 2013

As I type these words, there is an ongoing, highly distributed global attack on WordPress installations across virtually every web host in existence.  The attack is well organized and extremely distributed: we have seen over 90,000 IP addresses involved in it.

At this moment, we strongly recommend that you log into every WordPress installation you have and change its password to one that meets the security requirements specified on the WordPress website.  These are typical requirements for a secure password: upper- and lowercase letters, at least eight characters, and “special” characters (^%$#&@*).

You have now changed your WordPress password, correct?  Good.

The main force of this attack began last week, tapered off slightly, and then picked back up again yesterday morning.  No one knows when it will end.  The symptoms of this attack are a very slow backend (admin area) on your WordPress site, or an inability to log in at all.  In some instances your site could even go down intermittently for short periods.
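The symptoms above (a crawling backend, failed logins, load spikes) show up in the web server's access log as bursts of POST requests to wp-login.php from single addresses, usually with no Referer header because the requests are scripted rather than submitted from the real login form. The following script is an added example, not code from HostGator or this post; it assumes Apache's "combined" log format, and the log lines, IP addresses (documentation ranges) and the site name example.com are constructed for the demonstration. An address is flagged when a configurable number of login POSTs lands inside a sliding time window:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges; not real traffic).
# 203.0.113.7 sends seven POSTs to wp-login.php, six of them within six seconds
# and none with a Referer, which is what a scripted password guesser looks like.
# 198.51.100.23 is a human: one GET of the form, then one POST with a Referer.
SAMPLE_LOG = """\
198.51.100.23 - - [11/Apr/2013:09:00:00 -0500] "GET /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2013:09:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Apr/2013:09:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Apr/2013:09:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
192.0.2.44 - - [11/Apr/2013:09:00:03 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2013:09:00:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Apr/2013:09:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Apr/2013:09:00:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
198.51.100.23 - - [11/Apr/2013:09:00:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [11/Apr/2013:09:03:10 -0500] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Apr/2013:09:10:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bruteforcers(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"attempts", "no_referer", "flagged"}} for every client that
    POSTed to wp-login.php. An IP is flagged when `threshold` POSTs fall inside
    any span of length `window` (sliding window over the sorted timestamps)."""
    posts = defaultdict(list)
    no_ref = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        posts[rec["ip"]].append(rec["ts"])
        if rec["referer"] in ("", "-"):
            no_ref[rec["ip"]] += 1

    report = {}
    for ip, times in posts.items():
        times.sort()
        flagged = False
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged = True
                break
        report[ip] = {"attempts": len(times), "no_referer": no_ref[ip], "flagged": flagged}
    return report


def main():
    for ip, stats in sorted(find_bruteforcers(SAMPLE_LOG).items()):
        mark = "FLAG" if stats["flagged"] else "ok  "
        print(f"{mark} {ip:16} posts={stats['attempts']} no_referer={stats['no_referer']}")


if __name__ == "__main__":
    main()
```

Run against a real log with `find_bruteforcers(open("access_log").read())`; the flagged list is what you would feed to a firewall rule or to a plugin's block list, and the no_referer count is a cheap second signal that the POSTs never came from the real login form.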

We are taking several steps to mitigate this attack throughout our server farm, but it is also true that in cases like this there is only so much that can actually be done.  The servers most likely to experience service interruptions are VPS and Dedicated servers hosting large numbers of WordPress installations, because of the extremely high load this attack has been seen to cause.

If you are hosted on a VPS or Dedicated server and would like us to take a more severe, heavy-handed approach to mitigating this attack, we can do so by means such as password-protecting (via .htaccess) every wp-login.php file on the server.  If you would like our assistance with this, please contact us via the normal support channels.
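The .htaccess protection mentioned here puts a second password prompt in front of wp-login.php, so the guessing bots never reach WordPress at all. The script below is an added example (not HostGator's internal script and not from the KnowledgeBase article) that generates the three common forms of that protection for a single site: HTTP Basic auth on wp-login.php with a matching htpasswd entry, an IP allowlist in the Apache 2.2 syntax current at the time (Apache 2.4 uses `Require ip` instead), and the Referer check one commenter below describes, which rejects login POSTs that do not come from the site's own form. The user name, site host example.com, file paths and IP addresses are assumptions for the demonstration, and the htpasswd entry uses Apache's `{SHA}` format only because the standard library can produce it; `htpasswd` with its default apr1 or bcrypt hashing is the better choice when the tool is available.

```python
import base64
import hashlib
import re
import secrets
import string


def htpasswd_sha_entry(user, password):
    """One htpasswd line in Apache's {SHA} format (what `htpasswd -s` writes):
    base64 of the raw, unsalted SHA-1 digest. Apache accepts it in AuthUserFile."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def random_password(length=20):
    """Throwaway generator for the Basic-auth password (assumed; not from the post)."""
    alphabet = string.ascii_letters + string.digits + "^%$#&@*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def basic_auth_htaccess(htpasswd_path, realm="Restricted login"):
    """Prompt for a second password on wp-login.php only. Protecting all of wp-admin/
    instead would also cover admin-ajax.php, which front-end features call, so the
    directive is scoped to the one file."""
    return "\n".join([
        "<Files wp-login.php>",
        "    AuthType Basic",
        f'    AuthName "{realm}"',
        f"    AuthUserFile {htpasswd_path}",
        "    Require valid-user",
        "</Files>",
        "",
    ])


def ip_allowlist_htaccess(allowed_ips):
    """Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is
    `Require ip <addr> ...` inside the same <Files> block."""
    lines = ["<Files wp-login.php>", "    Order Deny,Allow", "    Deny from all"]
    lines += [f"    Allow from {ip}" for ip in allowed_ips]
    lines += ["</Files>", ""]
    return "\n".join(lines)


def referer_check_htaccess(site_host):
    """Refuse POSTs to wp-login.php whose Referer is not our own site. Scripted
    guessers usually send no Referer, so this sheds their load; the header is
    trivially forged, so it relieves load rather than replacing authentication."""
    host_re = re.escape(site_host)
    return "\n".join([
        "RewriteEngine On",
        "RewriteCond %{REQUEST_METHOD} POST",
        "RewriteCond %{REQUEST_URI} /wp-login\\.php$",
        f"RewriteCond %{{HTTP_REFERER}} !^https?://{host_re}/ [NC]",
        "RewriteRule .* - [F,L]",
        "",
    ])


def write_protection(htpasswd_dir, user, site_host, allowed_ips=()):
    """Assemble the .htaccess text and the htpasswd line; returns
    (htaccess_text, htpasswd_line, password) so the caller can review before
    writing. htpasswd_dir should be outside the web root (assumed path layout)."""
    password = random_password()
    htpasswd_path = f"{htpasswd_dir}/.htpasswd-wplogin"
    parts = [referer_check_htaccess(site_host), basic_auth_htaccess(htpasswd_path)]
    if allowed_ips:
        parts.append(ip_allowlist_htaccess(allowed_ips))
    return "\n".join(parts), htpasswd_sha_entry(user, password) + "\n", password


if __name__ == "__main__":
    # Constructed inputs: home directory, user name, site and admin IP are placeholders.
    htaccess, entry, pw = write_protection("/home/exampleuser", "wpguard",
                                           "example.com", ["203.0.113.5"])
    print("# append to the site's .htaccess:\n" + htaccess)
    print("# contents of /home/exampleuser/.htpasswd-wplogin:\n" + entry)
    print("# Basic-auth password to record somewhere safe:", pw)
```

Applying the generated text: the .htaccess part is appended to the site's existing .htaccess (keeping any WordPress rewrite rules it already has), the htpasswd line goes into the file named by AuthUserFile, and the printed password is what the browser prompt will ask for before the normal WordPress login appears. Combining the allowlist with Basic auth means a visitor has to pass both, which is what you want on a site administered from a fixed address; leave the allowlist out when the admin's IP changes.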

Again, this is a global issue affecting all web hosts.  Any further information we could provide at this moment would be pure speculation.  Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.

We will update this blog post when we have further information.


**UPDATE**

If you have just a few WordPress sites, you can add the additional layer of security mentioned above, as well as block this attack, by following the instructions outlined in this article from our KnowledgeBase: http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack

Posted in: News Bites, Web Hosting News

Comments
  • Kerry Finch

    Thank you for the heads up! You guys really know how to look after your clients.

    • http://blog.hostgator.com HostGator

      We do what we can, Kerry. We certainly like to get the information out there and assist our customers in helping themselves as much as possible.

  • http://www.facebook.com/squatto Scott Carpenter

    I installed this plugin and it’s already blocked 18 IPs in 9 hours: http://wordpress.org/extend/plugins/limit-login-attempts/

    • http://blog.hostgator.com HostGator

      That’s a pretty significant number of IPs, but only a drop in the bucket compared with what we’ve seen. Seems like a great plugin to install at this time, though.

      • http://www.facebook.com/squatto Scott Carpenter

        I have load monitoring widgets on my desktop and I haven’t had any issues since. 90,000 IPs….unbelievable!

        • Marvin Scott

          To those interested, Limit Login Attempts didn’t work for me. They still hammered my sites even after “lockout”

          I recommend Better WordPress Security. Enable permanent blocking via htaccess after 3 or so attempts.

          • http://twitter.com/writingthrulife Amber Lea Starfire

            Last year, I was seriously hacked and blocked from my site — had to restore from a back up and even then had difficulty. I’ve been using Better WordPress Security and have had good success with it since. In addition to blocking sites, it has a number of other security enhancing features.

        • Phil Elmes

          Not clear on this, Scott. Which plug-in are you recommending?

    • http://www.facebook.com/joshua.greenwood.50 Joshua Greenwood

      Same here. I have already blocked 2,000+ with this.

    • Jim Lynch

      Oops, didn’t realize you had already posted it. I installed it on all of my blogs and, yes, it’s catching quite a few IP addresses and banning them.

  • http://blog.hostgator.com HostGator

    At this moment, your guess is as good as ours, Jedediah. It is certainly the actions of individuals who desire to cause disruption on a large scale.

    • http://blog.hostgator.com HostGator

      Glad to hear; always better to be safe than sorry.

  • http://www.facebook.com/tyronne.ratcliff Tyronne Ratcliff

    What if I already have a strong password?

    • http://blog.hostgator.com HostGator

      Then you certainly have a head start, Tyronne. Keep an eye out for any unusual slowness and if you experience anything odd, go ahead and change that password if you don’t want to presently.

    • http://www.facebook.com/squatto Scott Carpenter

      They may not get in, but they will hit your server HARD. My load average jumped up to 40 last night and slowed everything else on my server to a horrible crawl

    • Jon

      If it ain’t broke don’t fix it. Keep an eye out.

  • http://www.facebook.com/jobrydesigns Manuel Lopez

    Thanks, I have more than 35 sites with WordPress on HostGator :D

    • http://blog.hostgator.com HostGator

      Keep those sites safe, Manuel. :)

  • http://twitter.com/volomike Mike McKee

    Get a copy of Spyder Spanker Pro.

  • Ravenwing

    Thanks for letting us know! HostGator is amazing for the level of support we get. I switched from another host to HG about four months ago and I’m glad I did.

    • http://blog.hostgator.com HostGator

      We’re certainly happy to have you. :)

      • http://www.facebook.com/The.Rictastic Rictastic Mulvay

        Yeah, I did too, and am happy so far as well.

      • Haydrion

        What about me? ;(
        Thanks for this post! I’ve been with HostGator for years and I will never change!

  • http://blog.hostgator.com HostGator

    Should be, yes. Other than potential slowness you may experience due to less secure WP installs on the server.

  • Michelle Sullivan

    I have a lot of sites on HostGator, but for most of them I can’t even get to admin – it’s timing out.

    • http://blog.hostgator.com HostGator

      Sounds like your server is heavily under attack at this moment. We appreciate your patience while we work to mitigate the situation; you should be able to log into your sites shortly.

      • Marvin Scott

        Michelle, don’t believe your server is under heavy load. My admins are timing out too and my VPS reports 7% CPU. HG can’t you admit you are blocking us from accessing our admins?

        • http://blog.hostgator.com HostGator

          Marvin, we understand your frustration, but your particular circumstance isn’t necessarily everyone’s circumstance. If there was a lack of communication between the time you added a plugin and the time we implemented a fix that we knew worked, then it is possible that you’ve found yourself locked out, which we are happy to resolve for you, and I will personally take care of it if you provide your ticket ID. Bear in mind that we have an unusually high ticket queue due to this attack and therefore you may be experiencing a delay in response, which again I will bypass for you. Thank you in advance for no longer replying to comments with information that is not conducive to a proper resolution.

    • Jon

      I suggest that you check your site with Pingdom Tools, which does an online load of your site; it will display the objects loaded, and if any of them look dodgy then you may have an issue. You can also use it to view the admin page, just to see if the issue is traffic or a hack.

  • Marvin Scott

    I’ve already implemented effective Brute Force blocking solutions on my WP sites. My server load dropped to almost nothing lately. Yet still, I get up this morning and find that HostGator support had blocked access to all my wp-admin files for every site on my VPS. Guess I’m out of work until you fix this!

    HostGator, this is not providing me the service I paid for. Please address my support ticket and re-enable administration of my WP sites.

    • http://blog.hostgator.com HostGator

      Marvin, may I have your ticket ID please?

      • Marvin Scott

        GHH-21540757

        • http://blog.hostgator.com HostGator

          Excellent, thank you. I am personally assigning as Admin to handle your issue at this moment.

  • Mark Harbert

    How do we change the password when we can’t even get to the page to do it? I can’t even reach the login page at the moment to try and change the password. Any suggestions??????

    • Marvin Scott

      Mark, HG is blocking your access to WP Admin. A simple email to notify us of this would have saved me hours of troubleshooting and even made me think someone had actually gained access to my sites.

      • http://blog.hostgator.com HostGator

        This circumstance isn’t necessarily as indicated here; it could very well be a result of the server load causing the inaccessibility. No matter the cause, we are very diligently working at this very moment to get everything under control and restore proper access to all customers.

        • Marvin Scott

          Then HG, are you saying you are not blocking access to wp-admin’s? My VPS CPU is 7% and I’m still unable to access my admins. Should I worry that a hacker has hijacked my wp-admins?

          • http://blog.hostgator.com HostGator

            Marvin, I cannot provide specific information relative to your particular account or server. I can tell you we did not do any type of wide-spread lockout of customers from their sites, but when situations like this are triaged there can sometimes occur things of this nature, which will be resolved quite literally as soon as humanly possible. I have escalated your ticket.

  • Nick

    We felt the full force of this yesterday, it overloaded the server and caused our VPS to crash several times. One very helpful HG tech suggested we install the Better WP Security plugin which allows you to change the admin url. Once we did that for all of your WP sites the attacks stopped.

    • Marvin Scott

      Nick, I agree. Better WP Security worked great for my WP sites. It reduced server load to very normal ranges. I set up to give three login attempts and then permanently block the ip via htaccess. It really worked.

      I also enabled 404 blocking for people scanning for vulnerable files.
      I continued to see many attempts, but they are blocked after just 3.

      • http://blog.hostgator.com HostGator

        Excellently done, Marvin. It’d be great if everyone would take their account security as seriously.

  • http://twitter.com/TheFrosty Austin ☃ Passy

    Literally working on a plugin to block access to the wp-login.php page. This is a small add-on module to my current free WordPress Custom Login plugin in the WordPress repo (for version 2.0) dropping soon.

    Not going to help the current status, but for future use… ;)

  • http://www.adhd-inattentive.com/ Kayla Fay

    Our passwords are very good. (Patting myself on the back.) I’m intimidated by the instructions to edit the wp-login.php file. Will installing limiting login attempts protect us in the short run?

    • http://blog.hostgator.com HostGator

      Installing that type of plugin should help to a degree, yes, though it is not a guaranteed permanent fix.

  • b5

    I tried your solution from http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack
    and it works for shared hosting, but no luck with dedicated hosting. Getting “wrong redirection message” in FF for wp-login.php and 404 redirect to wordpress page for /wp-admin/.

    • http://blog.hostgator.com HostGator

      Correct, this solution will not work on a Dedicated server. However, we do have a dedicated solution. May I have the IP of your dedicated server, please?

      • b5

        Can I do it myself? I would rather contact live support than provide my IP to the public in this situation.

        • http://blog.hostgator.com HostGator

          It’s an internal script that executes an .htaccess block for wp-login.php, not something we can instruct you to do yourself. Please go ahead and create a support ticket for us to do this for you; we presently have all hands on deck working these WordPress tickets as a priority, so we will get to your ticket very soon.

  • http://www.facebook.com/tony.andiamo Tony Santos

    I can’t even get into my busiest sites to implement Better WP Security!! What do I have to do to be able to even get in?? I’ve already denied all ip’s on .htaccess except for mine. And still nothing. Need some help here…

    • http://blog.hostgator.com HostGator

      It may be necessary for you to join us in LiveChat so that we can properly assist you in realtime with this, Tony.

      • http://www.facebook.com/tony.andiamo Tony Santos

        I am on livechat now.

      • http://www.facebook.com/tony.andiamo Tony Santos

        I gotta say it’s very frustrating having your chat support agent tell me to come to this blog post when I ALREADY told him I knew about it. Come on guys…

  • Alejandro Amo

    all our wordpress installations already secured… check.
    thanks guys.

  • sombokit99

    Thanks for your Info.

  • YammerHammer

    Admit it…you guys WAY oversell server space. That is a large part of the problems your users see. Show us the respect of not trying to deny it. Your new owner is known for that sort of practice.

  • http://www.facebook.com/golden.chrome Brenda Michalski

    How do I delete a website and my URL on WordPress? Or just what do I have to do? The website is dead and I want to start something totally different.

  • http://ItsDifferent4girls.com/my-links Linda Sherman

    Thank you for staying on top of this HG!

  • http://twitter.com/vajrasar Vajrasar Goswami

    I would suggest the use of all these measures together on your WordPress installation (s) -

    1) strong VERY strong password

    2) Limit Login Attempts (WordPress Free Plugin)

    3) Stealth Login Page (WordPress Free Plugin)

  • http://www.facebook.com/people/Victor-Nganguem/100000980296899 Victor Nganguem

    I like that

  • http://twitter.com/twfriendfinder TaiwanFriendFinder

    Can we use Cloudflare to block it?

    Or won’t it work?

    • http://blog.hostgator.com HostGator

      Cloudflare actually has stated that they have means of effectively mitigating the attack.

  • http://www.facebook.com/profile.php?id=100002302375267 Artagene Skipper

    Never ending…Thanks for the heads up..

  • http://twitter.com/auctionbunker Auctionbunker USA

    Been having extremely slow or timed-out page loads on server: gator677

  • http://twitter.com/absurd_human Absurd Human

    You can also simply require that all requests to wp-login.php come from your site – this will stop a large amount of these automated attacks:

    Unfortunately a lot of the accounts hit are being successfully compromised. If you have been attacked (which is likely if you have a WordPress site), this guide shows how to clean up as well as add the .htaccess block to prevent automated logins:

    http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

  • http://www.facebook.com/joseph.tamargo.7 Joseph Tamargo

    Thanks so much ! I have no fear with Snappy standing guard !

  • Diana

    My site is still down. I can’t even log in to my control panel or my WordPress site to change any passwords, and tech support has no info for me... what now?

    • http://blog.hostgator.com HostGator

      Are you now able to log in, Diana?

  • http://www.facebook.com/michael.schuster.7758235 Michael Schuster

    This destroyed my birthday yesterday. Over 350 sites we host were affected. Not fun.


  • IAbdussamad

    I wrote a blog post on how to stop brute force login attempts:

    http://abdussamad.com/archives/616-Stop-Brute-Force-WordPress-Login-Attempts-with-Fail2Ban.html

  • http://www.facebook.com/programming.ninja Max Katz

    The mixture of uppercase, lowercase, etc. is NOT effective security countermeasure against a simple brute force attack. What you need is a longer password. Consider using a pass phrase such as a complete sentence. For instance, today’s quote of the day on brainyquote.com is “Where love is concerned, too much is not even enough.” Using a complete sentence like this is much easier to remember and many orders of magnitude more difficult to brute force, rendering your password mathematically unbreakable.

  • Ashish Gill

    Thanks for this useful info. Really helpful.

  • http://www.facebook.com/aw.widhonno Amming W. Widhonno

    This was the relevant reason for staying at The Planet in Dallas. You rocked, Gator!
    So far, I’m placing an .htaccess file in the wp-admin folder and denying any IP other than mine access to the admin login page.

  • http://twitter.com/techalam Techalam

    This is really not a good news. Thanks for providing some useful tips and security measurements. Hope this issue ends soon. You guys are really supportive, glad to be Hostgator customer. Thanks :)

  • http://www.ryankearney.com/ Ryan Kearney

    HostGator, in addition to telling users to change their password, perhaps you should consider not storing users main cPanel password in plain text. Requiring users to provide their cPanel login to make changes to their account, and then storing it in your ticketing system is just nonsense.

  • Nancy Barth

    Well, I went to my account settings and changed the password and now I can’t log into one of my blogs. I get this message.
    Server error
    The website encountered an error while retrieving http://calmabrave.com/remote-login.php?login=c4cf7baa20e5b3ca2f03a4e36e0d0d0d&id=37756552&u=af3e83e261b0d94e1772cb9d3569dd5b&h=. It may be down for maintenance or configured incorrectly.
    Here are some suggestions:
    Reload this webpage later.
    HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.

  • http://twitter.com/HeatherBlythe1 Heather Jane Blythe

    I was attacked this morning. Locked out. A huge shout out to Joshua in support for promptly looking into it and getting my questions answered. Great service support.

  • Corey Kretsinger

    Thank you very much for this update. Now I understand some of what I’ve been noticing. Great job. Hostgator is still the best.

  • http://www.facebook.com/thelazychef Sue Cockburn

    I’ve been dealing with HostGator for more than a year now and their service is absolutely second to none!! I’m not encouraging you to raise your prices but your service is worth twice what we pay. Seriously, I LOVE you guys!!!

    • http://blog.hostgator.com HostGator

      Thank you, Sue!

  • http://www.takemc.com/ Wolf

    I read your article from the Knowledgebase and now I can access the backend of my WordPress sites, but there is still an issue: with Chrome it’s all right, but if I use Internet Explorer I get a 406 HTTP error page. Can you help me? Thank you.

    • http://blog.hostgator.com HostGator

      That is an unusual error, Wolf. If you are still experiencing it, please join us in LiveChat so that we can take a good look and assist you in realtime.

      • http://www.takemc.com/ Wolf

        I joined LiveChat, but the operator told me that with that .htaccess I cannot access by IE, only by Chrome and Firefox.

  • TysonChamp

    As I’m a hacker, I will recommend other WordPress users take advantage of the security plugins available in the WordPress plugin directory. Also, do not use the default admin profile: first log in with the default admin username, then create another administrator profile and log in with this new administrator profile. After logging in, delete the default admin profile.


  • Frank Woodman Jr

    Sadly we will only see more and more of such issues in the future, so as you say, we all need to take security very seriously. I set up sites with strong passwords and use any encryption that a site allows. One can’t be too careful, as it’s never good to think that by not being security conscious you might cause others harm or inconvenience.

  • Bob

    I changed my .htaccess to allow only my ip.

  • WendyMusica

    Well, my site has been down twice this week and I’m not using WordPress, I’m using Drupal. Do you know something about it?

  • http://www.blippitt.com/ chrismonty

    I’ve been using Login Lockdown plugin for years. It works wonders.

  • http://kercommunications.com/ Nick Ker

    Well this explains a lot. Have had several brute force attempts showing in Better WP Security plugin logs in the last few days.
    I’ve got login attempts limited, no Admin, limited 404s… everything but the .wp-admin protection advised by HG which I will do now.
    So far so good and best of luck to all.

  • Jim Lynch

    You might also want to consider this plugin:

    http://wordpress.org/extend/plugins/limit-login-attempts/

    It limits login attempts and lets you ban IP addresses.

  • http://twitter.com/KeliwebIT Keliweb

    very interesting topic, we experienced this with some blogs of us… thank you :)

  • JB

    “…If you are hosted…and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this… via password-protecting (via .htaccess) all wp-login.php files on the server. If you would like our assistance with this, please contact us via normal support channels….”
    “…we must all take account security very seriously.”

    Um, Hostgator? I just paraphrased what you said. You have said that you have a solution that is severe and heavy-handed, but you’ve simply decided that you’re not going to apply it unless we pay. Well, we already pay. We pay for you to host our web sites, and that means applying fixes, any and every time your systems are compromised. You’ve decided that you’re not going to unless we want to pay to protect your own systems. You then state that we all need to take account security very seriously. How, exactly, do we protect YOUR systems? You need to apply your severe, heavy-handed approach to my e-commerce site. You have no right to keep washing your hands of this and tell me that for yet more $$, you can put a Lo-Jack on my site. Here’s an idea. Go ahead and throw us a friggin bone and do your job, as an ISP, and apply any severe, heavy-handed approach that you might have to your clients’ sites.
    Here is the very simple business model:
    - I pay HG to host my e-commerce site.
    - I make money from said site.
    - My site is compromised by an attack that I don’t know about because I’m busy making money from the website HG is hosting. HG could keep my site more secure, but has decided not to.
    - I get attacked. I don’t make money, which means I can’t pay for your service.

    • http://blog.hostgator.com HostGator

      JB, it is unfortunate that you inferred that there would be a cost associated with the aforementioned measure that is available to VPS and Dedicated servers. By and large, there is no additional cost whatsoever for the support we provide. This is simply something we leave up to the VPS and dedicated customers due to the fact that they have root access and may very well be taking their own precautions that we do not want to interfere with on the assumption that they would want this action taken on their behalf.

  • http://blog.hostgator.com HostGator

    Yes, this is true. It is also true that you cannot change the username of admin. What you can do is create a new user with admin privileges and then log in as that user and delete the admin user; this accomplishes the same goal.

  • http://twitter.com/eb_p1 Ernest Burnett

    Thanks for the press release – I polled around for different web hosts and asked whether host gator would be able to verify twitter attacks on mail accounts hosted via host gator, and was pleased to hear you guys are able to check on this – (mention of strong passwords) here’s a link for a good client-side, javascript strong password generator – http://strongpasswordgenerator.com/

  • http://twitter.com/Kickmag Kickmag

    I’m with a different hosting company but I think I’m switching to Host Gator.

    • http://blog.hostgator.com HostGator

      We’ll be happy to have you!

  • http://www.facebook.com/joshualrich Josh Rich

    Would you happen to have any updates to this issue? Is the attack still ongoing?

    • http://blog.hostgator.com HostGator

      Yes Josh, at this time this is still an on-going situation.

  • patscomputerservices

    A question. I have my wp-admin panel set up, so that I have to log in twice when accessing it from a web browser. Does that mitigate this attack, or are they able to bypass this?

    Thanks, and have a great day.:)
    Patrick.

  • http://www.facebook.com/people/Victor-Nganguem/100000980296899 Victor Nganguem

    Many thanks

  • NickZoom

    I’ve switched to Hostgator too, as my sites were hacked on the other host and are still being attacked, as I haven’t moved them all. They kept going down every day: first once every few days, then daily, then they would redirect. Yesterday crazydomains.com.au was advertising .com domains for $3, but the site was taken over and my computer security blocked it; you could see the site was not fully displaying, as it was a phony site copy that would appear when the real address was in the Firefox browser.

  • http://www.computeradvice.info/ ComputerAdvice

    Is this still going on? I have been checking my log the last few days and I’m seeing hundreds of hits to wp-login.php.

    I am also seeing lots of referral spam from .ru sites. Is this something I should be worried about?

  • ed

    We think we’ve found a way to stop the attacks killing our server, I’ve written a guide http://blog.ed.gs/useful/wordpress-brute-force-protection-hack/

  • Cory Church

    So it’s been over a month. What’s the status of this attack? Still going strong?

    • http://blog.hostgator.com HostGator

      Yes Cory, it is still ongoing; however, for all intents and purposes it has been mitigated.

  • Jason Lemington

    Great post! Thanks for the info Sean. Kindly check http://wordpress.org/plugins/iframe-embed-for-momentme/. Good plugin for your photos and images.

  • http://www.nosleeplessnights.com/ Ethan Green

    How do you know if you’ve been hacked?

  • http://application-scholarship.blogspot.com/ Peter

    This is a very interesting article... great content. I’m really impressed by your thoughts; thanks for sharing your experience.

  • Jason Marks

    The support is great, but there’s no way currently in place to fix these problems. I’d appreciate it if there was a way to quickly save everything to one file locally, purge, open a new account on a new server, and re-upload without downtime. PLENTY of places follow this protocol.


  • uproview

    Wow. Is there a way to resolve this?

  • Airat Zakirov

    I wrote simple and really useful plugin – Securitron. http://www.b2beservices.com/files/Securitron_v1_0_1.zip

  • Linda Woodard

    Is there something going on with Word Press today 7/25/13? I cannot access my website nor can I get into the back administrative office of my website.

  • Karen D. Clawson

    Saw a message where the attacks have launched again; our website host is trying to take the remedial action outlined here, but so far no luck in getting us logged back in. Before, if I attempted several times, I’d be successful, but not this time!

  • Pingback: Important: Global WordPress Brute Force Flood. Please Read. • Crunchify
