Protect Your CMS Website Now!

Protect Your CMS Website Now!

.
There is a highly distributed global ‘botnet‘ attack on all WordPress websites at every known web hosting provider, occuring at this time. These attacks attempt to hack admin accounts and inject malicious scripts to the site coding.*

botnet attacks on wordpress CMS

*Source – WebsiteDevelopment.us

As of today these attacks are happening at a global level. WordPress installations across the globe are being targeted. Because the attacks are highly distributed, most of the IP’s used are spoofed, it is very difficult to block all malicious data, but not impossible. This is why many servers from every hosting providers have gone down in recent days including big names such as Godaddy and Hostgator.

drupal attacked by botnetsIf you manage or own a website on a content management system (CMS) you know that invalid login attempts are an everyday occurrence. We see literally dozens of invalid login attempts from dozens of different IP numbers in the course of any given day. This is considered normal. However hosting providers worldwide are reporting they are seeing a systematic, well organized attack. The attacks on content management systems are well above average and often times at catastrophic levels.

joomla cms attackHostGator’s analysis found that this attack is a well organized. The company reports that about 90,000 IP addresses are currently involved. CloudFlare reported the hackers are using about 100,000 bots. Quoted at Techcrunch, Matthew Prince, CloudFlare’s founder and CEO, says that his company saw attacks on virtually every WordPress site on its network.

The websites that have been hacked had the “admin” accounts compromised and malicious scripts were uploaded into the directories.

This attack started on or about April 8th, but the hackers became extremely aggressive overnight on April 12th. They have already shut down 10′s of thousands of servers running WordPress. They have also affected the performance of many other servers. The attack started with WordPress installations, according to Sophos EndUser Protection (a major player in the web security industry), Joomla and Drupal website are now also getting hit.

The attack began with a botnet made up of at least 90,000 hacked home based computers. This is not a “brute force” attack like we see every day. This onslaught is using what is known as a “dictionary” attack. This is where the hacker uses a list of the most likely usernames and possible passwords and tries those in very quick succession. Even when the attack fails, the load the attacks on multiple websites puts on a server can cause it to crash.

The early indications are that hackers are installing malicious scripts in the content management systems that have been compromised. These malicious scripts turns the infected website into an attacker to hack other websites. This is the reason this attack is going viral. According to Matthew Prince, the chief executive of web hosting company CloudFlare, these hackers are causing much more damage because the infected servers have large network connections and are capable of generating significant amounts of traffic for the attackers.

If you have not already done so, we strongly recommend you take the following steps to protect your wordpress installation:

Make sure your WordPress installation and all of your installed plugins are updated

Make sure your administrator’s password is secure

If you have a user account with the username “admin”, create a new administrator account with a different username and remove that old “admin” account

Install the security plugin WP Better Security

Other ways of securing a WordPress website can be found at WordPress.org.

These additional steps can be taken to further secure WordPress websites:

Remove README and license files. This is very important since this exposes version information

Prevent reading of the htaccess file

Limit access to wp-admin.php and wp-login.php to your IP address

Move wp-config.php up one directory and change its permission to 400

We will continue to monitor this attack and we will post updates as more information becomes available.

Leave a Reply