Incident Report: Global Wordpress DDOS Attack
- Monday, 15th April, 2013
- 06:17am
On Thursday 11th April we noticed an abnormal amount of bot traffic hitting our servers, all specifically targeting wp-login.php files in an attempt to gain access to the admin areas of Wordpress based websites.
Normally these types of attacks are quite small scale and are easily dealt with. However it soon became clear that this attack was on a much larger scale to anything we had seen before, the attacks were coming in from over 100,000 unique IP addresses from compromised workstations across the globe at the rate of hundreds of requests per second.
The attacks continued into Friday and it became clear that the attacks weren't isolated to one or two web hosts, it was an attack on a truly global scale that hit every web host hard.
Our initial attempts to deal with the attack and keep servers online was to attempt to block the offending IP's, but with the scale of the attack and the amount of IP's that needed to be blocked this proved to be an unworkable solution and caused more problems than it fixed.
The only option left to us on Friday was to globally disable access to all wp-login.php files on all of our Shared and Reseller servers in an attempt to keep servers online through the attack period. We left this block in place throughout the weekend and we are pleased to report that the action had the desired result, in that no servers were brought down by the DDOS.
At the time of writing (Monday April 15th) the global DDOS appears to have dissipated and as such we have removed the global block on wp-login.php files and implemented a blocking mechanism on our back-end network that should filter out future attacks with the same payload.
If the payload changes then we may need to revert back to the global disabling of wp-login.php whilst we work on a more permanent solution but this will be dealt with as and when needed.
===========================================
Recommended Action For Users
===========================================
Whilst the attack has now subsided, it is very important to remain alert to the threats that are out there, especially now that millions of Wordpress based sites and servers are likely compromised due to this huge global attack.
So we would strongly recommend all Wordpress users to take the following action, on ALL sites that are running Wordpress, no matter who they are hosted with!
1. Don't Rely On Plugins For Security
Security plugins give you a false sense of security and may add to the problems you face, especially in wide scale DDOS attacks as the one we have just seen. Follow the three simple steps below to ensure your sites remain secure and don't become part of a future wide scale attack.
2. Change Your Password
Change your Wordpress user passwords NOW. Use a totally random password that is at least 12 characters long and that contains letters (both upper and lowercase), numbers and special characters. Make sure the password is unique and that it hasn't been used previously.
3. Lock Down Your Admin Area
Locking down your Wordpress admin area so that only you have access would prevent hackers from gaining access no matter how weak your password is (note: this isn't an excuse to use a weak password!!). Follow the steps in the article below to lock down your Wordpress admin area:
http://d9clients.com/knowledgebase/113/How-To-Enable-Wordpress-Admin-Area-Access-For-Your-IP-Address.html
4. Update EVERYTHING
This is an important step that you need to do on a regular basis.
It is vital that you keep all scripts on your account up to date; this includes core files, plugins, themes, and any other 3rd party code you have added to your sites. If there are plugins or themes on your webspace that you don't use, it's important that you delete the files.
===========================================
===========================================
We hope that this has given you an overview of the incident, and provided you with some useful steps to follow to ensure the security of your sites going forward. Please do let us know if you have any questions or concerns.
Normally these types of attacks are quite small scale and are easily dealt with. However it soon became clear that this attack was on a much larger scale to anything we had seen before, the attacks were coming in from over 100,000 unique IP addresses from compromised workstations across the globe at the rate of hundreds of requests per second.
The attacks continued into Friday and it became clear that the attacks weren't isolated to one or two web hosts, it was an attack on a truly global scale that hit every web host hard.
Our initial attempts to deal with the attack and keep servers online was to attempt to block the offending IP's, but with the scale of the attack and the amount of IP's that needed to be blocked this proved to be an unworkable solution and caused more problems than it fixed.
The only option left to us on Friday was to globally disable access to all wp-login.php files on all of our Shared and Reseller servers in an attempt to keep servers online through the attack period. We left this block in place throughout the weekend and we are pleased to report that the action had the desired result, in that no servers were brought down by the DDOS.
At the time of writing (Monday April 15th) the global DDOS appears to have dissipated and as such we have removed the global block on wp-login.php files and implemented a blocking mechanism on our back-end network that should filter out future attacks with the same payload.
If the payload changes then we may need to revert back to the global disabling of wp-login.php whilst we work on a more permanent solution but this will be dealt with as and when needed.
===========================================
Recommended Action For Users
===========================================
Whilst the attack has now subsided, it is very important to remain alert to the threats that are out there, especially now that millions of Wordpress based sites and servers are likely compromised due to this huge global attack.
So we would strongly recommend all Wordpress users to take the following action, on ALL sites that are running Wordpress, no matter who they are hosted with!
1. Don't Rely On Plugins For Security
Security plugins give you a false sense of security and may add to the problems you face, especially in wide scale DDOS attacks as the one we have just seen. Follow the three simple steps below to ensure your sites remain secure and don't become part of a future wide scale attack.
2. Change Your Password
Change your Wordpress user passwords NOW. Use a totally random password that is at least 12 characters long and that contains letters (both upper and lowercase), numbers and special characters. Make sure the password is unique and that it hasn't been used previously.
3. Lock Down Your Admin Area
Locking down your Wordpress admin area so that only you have access would prevent hackers from gaining access no matter how weak your password is (note: this isn't an excuse to use a weak password!!). Follow the steps in the article below to lock down your Wordpress admin area:
http://d9clients.com/knowledgebase/113/How-To-Enable-Wordpress-Admin-Area-Access-For-Your-IP-Address.html
4. Update EVERYTHING
This is an important step that you need to do on a regular basis.
It is vital that you keep all scripts on your account up to date; this includes core files, plugins, themes, and any other 3rd party code you have added to your sites. If there are plugins or themes on your webspace that you don't use, it's important that you delete the files.
===========================================
===========================================
We hope that this has given you an overview of the incident, and provided you with some useful steps to follow to ensure the security of your sites going forward. Please do let us know if you have any questions or concerns.
