
Global WordPress Brute Force Flood

Thursday, April 11, 2013 by

As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence.  This attack is well organized and, again, very distributed: we have seen over 90,000 IP addresses involved in it.

At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website.  These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).

You have now changed your WordPress password, correct?  Good.

The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning.  No one knows when it will end.  The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in.  In some instances your site could even intermittently go down for short periods.

We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done.  The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.

If you are hosted on a VPS or Dedicated server and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this via means such as password-protecting (via .htaccess) all wp-login.php files on the server.  If you would like our assistance with this, please contact us via normal support channels.
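As an added example (not HostGator's own code or tooling), the following Python script checks an Apache access log for the flood pattern described above, many source addresses sending POST requests to wp-login.php, and emits an .htaccess deny stanza for addresses that exceed a per-IP threshold; the log lines, addresses and threshold are constructed.

```python
# Added example (not HostGator's code): analyse Apache access-log lines for a
# distributed brute-force flood against wp-login.php and emit an .htaccess
# deny stanza for the worst offenders.  All log lines below are constructed.
import re
from collections import Counter

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two hosts retry repeatedly, two others try once each (the
# signature of a distributed flood), plus one legitimate login and a page view.
SAMPLE_LOG = """\
198.51.100.10 - - [11/Apr/2013:09:15:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.10 - - [11/Apr/2013:09:15:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.10 - - [11/Apr/2013:09:15:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.10 - - [11/Apr/2013:09:15:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.11 - - [11/Apr/2013:09:15:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.11 - - [11/Apr/2013:09:15:07 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.11 - - [11/Apr/2013:09:15:08 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2013:09:15:09 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.6 - - [11/Apr/2013:09:15:10 -0500] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.7 - - [11/Apr/2013:09:16:00 -0500] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.7 - - [11/Apr/2013:09:16:05 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.8 - - [11/Apr/2013:09:16:30 -0500] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            records.append(rec)
    return records


def login_posts_per_ip(records):
    """Count POSTs to wp-login.php per source IP; each POST is one login attempt."""
    return Counter(
        r["ip"] for r in records
        if r["method"] == "POST" and r["path"].endswith("/wp-login.php")
    )


def flood_summary(records, per_ip_threshold=3):
    """Summarise the flood.  In a distributed attack most sources stay below any
    per-IP lockout threshold, so 'posts_under_threshold' shows how many attempts
    a plugin that blocks after N failures per IP would still have to serve."""
    per_ip = login_posts_per_ip(records)
    offenders = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    return {
        "login_posts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "offenders": offenders,
        "posts_under_threshold": sum(n for n in per_ip.values() if n < per_ip_threshold),
    }


def htaccess_deny_block(offenders):
    """Apache 2.2-style .htaccess stanza denying the listed IPs access to
    wp-login.php (the per-IP permanent block some commenters used; the post's
    own recommendation is HTTP Basic auth on the same file)."""
    lines = ["<Files wp-login.php>", "Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in offenders]
    lines.append("</Files>")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = flood_summary(parse_log(SAMPLE_LOG))
    print(summary)
    print(htaccess_deny_block(summary["offenders"]))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the under-threshold count is the traffic a per-IP lockout alone would not stop, which is why the post pairs a strong password with protection of wp-login.php itself.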

Again, this is a global issue affecting all web hosts.  Any further information we could provide at this moment would be purely speculation.  Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.

We will update this blog post when we have further information.


**UPDATE**

If you have just a few WordPress sites, you can add the additional layer of security mentioned above, as well as block this attack, by following the instructions outlined in this article from our KnowledgeBase: http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack


116 Comments
  • Kerry Finch
    11 April 2013 at 5:05 pm

    Thank you for the heads up! You guys really know how to look after your clients.

    • HostGator
      11 April 2013 at 5:11 pm

      We do what we can, Kerry. We certainly like to get the information out there and assist our customers in helping themselves as much as possible.

  • Scott Carpenter
    11 April 2013 at 5:09 pm
    • HostGator
      11 April 2013 at 5:15 pm

      That’s a pretty significant number of IPs, but only a drop in the bucket as far as what we’ve seen. Seems like a great plugin to install at this time, though.

      • Scott Carpenter
        11 April 2013 at 5:22 pm

        I have load monitoring widgets on my desktop and I haven’t had any issues since. 90,000 IPs….unbelievable!

        • Marvin Scott
          11 April 2013 at 6:32 pm

          To those interested, Limit Login Attempts didn’t work for me. They still hammered my sites even after “lockout”

          I recommend Better WordPress Security. Enable permanent blocking via htaccess after 3 or so attempts.

          • Amber Lea Starfire
            16 April 2013 at 8:26 am

            Last year, I was seriously hacked and blocked from my site — had to restore from a back up and even then had difficulty. I’ve been using Better WordPress Security and have had good success with it since. In addition to blocking sites, it has a number of other security enhancing features.

        • Phil Elmes
          15 April 2013 at 6:04 pm

          Not clear on this, Scott. Which plug-in are you recommending?

    • Joshua Greenwood
      11 April 2013 at 7:47 pm

      Same here. I have already blocked 2,000+ with this.

    • Jim Lynch
      14 April 2013 at 2:04 pm

      Oops, didn’t realize you had already posted it. I installed it on all of my blogs and, yes, it’s catching quite a few IP addresses and banning them.

  • HostGator
    11 April 2013 at 5:10 pm

    At this moment, your guess is as good as ours, Jedediah. It is certainly the actions of individuals who desire to cause disruption on a large scale.

    • HostGator
      11 April 2013 at 5:15 pm

      Glad to hear; always better to be safe than sorry.

  • Tyronne Ratcliff
    11 April 2013 at 5:17 pm

    What if I already have a strong password?

    • HostGator
      11 April 2013 at 5:19 pm

      Then you certainly have a head start, Tyronne. Keep an eye out for any unusual slowness and if you experience anything odd, go ahead and change that password if you don’t want to presently.

    • Scott Carpenter
      11 April 2013 at 5:19 pm

      They may not get in, but they will hit your server HARD. My load average jumped up to 40 last night and slowed everything else on my server to a horrible crawl.

    • Jon
      12 April 2013 at 10:21 am

      If it ain’t broke don’t fix it. Keep an eye out.

  • Manuel Lopez
    11 April 2013 at 5:17 pm

    Thanks, I have more than 35 sites with WordPress on HostGator :D

    • HostGator
      11 April 2013 at 5:18 pm

      Keep those sites safe, Manuel. :)

  • Mike McKee
    11 April 2013 at 5:18 pm

    Get a copy of Spyder Spanker Pro.

  • Ravenwing
    11 April 2013 at 5:23 pm

    Thanks for letting us know! HostGator is amazing for the level of support we get. I switched from another host to HG about four months ago and I’m glad I did.

    • HostGator
      11 April 2013 at 5:29 pm

      We’re certainly happy to have you. :)

      • Rictastic Mulvay
        12 April 2013 at 6:39 pm

        Yeah, I did too, and am happy so far as well.

      • Haydrion
        14 July 2013 at 10:47 pm

        What about me? ;(
        Thanks for this post! I’ve been with HostGator for years and I will never change!

  • HostGator
    11 April 2013 at 5:39 pm

    Should be, yes. Other than potential slowness you may experience due to less secure WP installs on the server.

  • Michelle Sullivan
    11 April 2013 at 5:55 pm

    I have a lot of sites on HostGator, but for most of them I can’t even get to admin – it’s timing out.

    • HostGator
      11 April 2013 at 6:01 pm

      Sounds like your server is heavily under attack at this moment. We appreciate your patience while we work to mitigate the situation; you should be able to log into your sites shortly.

      • Marvin Scott
        11 April 2013 at 6:07 pm

        Michelle, don’t believe your server is under heavy load. My admins are timing out too and my VPS reports 7% CPU. HG can’t you admit you are blocking us from accessing our admins?

        • HostGator
          11 April 2013 at 6:17 pm

          Marvin, we understand your frustration, but your particular circumstance isn’t necessarily everyone’s circumstance. If there was a lack of communication between the time you added a plugin and we implemented a fix that we knew worked, then it is possible that you’ve found yourself locked out, which we are happy to resolve for you, and I will personally take care of it if you provide your ticket ID. Bear in mind that we have an unusually high ticket queue due to this attack and therefore you may be experiencing a delay in response, which again I will bypass for you. Thank you in advance for no longer replying to comments with information that is not conducive to a proper resolution.

    • Jon
      12 April 2013 at 10:24 am

      I suggest that you check your site from Pingdom Tools, which is an online load of your site; it will display the objects loaded, and if any of them look dodgy then you may have an issue. You can also use it to view the admin page just to see if the issue is traffic or a hack.

  • Marvin Scott
    11 April 2013 at 6:03 pm

    I’ve already implemented effective Brute Force blocking solutions on my WP sites. My server load dropped to almost nothing lately. Yet still, I get up this morning and find that HostGator support had blocked access to all my wp-admin files for every site on my VPS. Guess I’m out of work until you fix this!

    HostGator, this is not providing me the service I paid for. Please address my support ticket and re-enable administration of my WP sites.

    • HostGator
      11 April 2013 at 6:12 pm

      Marvin, may I have your ticket ID please?

      • Marvin Scott
        11 April 2013 at 6:13 pm

        GHH-21540757

        • HostGator
          11 April 2013 at 6:19 pm

          Excellent, thank you. I am personally assigning an Admin to handle your issue at this moment.

  • Mark Harbert
    11 April 2013 at 6:09 pm

    How do we change the password when we can’t even get to the page to do it? I can’t even reach the login page at the moment to try and change the password. Any suggestions??????

    • Marvin Scott
      11 April 2013 at 6:11 pm

      Mark, HG is blocking your access to WP Admin. A simple email to notify us of this would have saved me hours of troubleshooting and even made me think someone had actually gained access to my sites.

      • HostGator
        11 April 2013 at 6:14 pm

        This circumstance isn’t necessarily as indicated here; it could very well be a result of the server load causing the inaccessibility. No matter the cause, we are very diligently working at this very moment to get everything under control and restore proper access to all customers.

        • Marvin Scott
          11 April 2013 at 6:17 pm

          Then HG, are you saying you are not blocking access to wp-admin’s? My VPS CPU is 7% and I’m still unable to access my admins. Should I worry that a hacker has hijacked my wp-admins?

          • HostGator
            11 April 2013 at 6:21 pm

            Marvin, I cannot provide specific information relative to your particular account or server. I can tell you we did not do any type of widespread lockout of customers from their sites, but when situations like this are triaged there can sometimes occur things of this nature, which will be resolved quite literally as soon as humanly possible. I have escalated your ticket.

  • Nick
    11 April 2013 at 6:22 pm

    We felt the full force of this yesterday; it overloaded the server and caused our VPS to crash several times. One very helpful HG tech suggested we install the Better WP Security plugin, which allows you to change the admin URL. Once we did that for all of our WP sites the attacks stopped.

    • Marvin Scott
      11 April 2013 at 6:25 pm

      Nick, I agree. Better WP Security worked great for my WP sites. It reduced server load to very normal ranges. I set it up to give three login attempts and then permanently block the IP via htaccess. It really worked.

      I also enabled 404 blocking for people scanning for vulnerable files.
      I continued to see many attempts, but they are blocked after just 3.

      • HostGator
        11 April 2013 at 6:32 pm

        Excellently done, Marvin. It’d be great if everyone would take their account security as seriously.

  • Austin ☃ Passy
    11 April 2013 at 6:37 pm

    Literally working on a plugin to block access to the wp-login.php page. This is a small add-on module to my current free WordPress Custom Login plugin in the WordPress repo (for version 2.0) dropping soon.

    Not going to help the current status, but for future use… ;)

  • Kayla Fay
    11 April 2013 at 7:10 pm

    Our passwords are very good. (Patting myself on the back.) I’m intimidated by the instructions to edit the wp-login.php file. Will installing limiting login attempts protect us in the short run?

    • HostGator
      11 April 2013 at 7:13 pm

      Installing that type of plugin should help to a degree, yes, though it is not a guaranteed permanent fix.

  • b5
    11 April 2013 at 7:15 pm
    • HostGator
      11 April 2013 at 7:29 pm

      Correct, this solution will not work on a Dedicated server. However, we do have a dedicated solution. May I have the IP of your dedicated server, please?

      • b5
        11 April 2013 at 7:43 pm

        Can I do it myself? I would rather contact live support than provide my IP in public in this situation.

        • HostGator
          11 April 2013 at 7:48 pm

          It’s an internal script that executes an .htaccess block for wp-login.php, not something we can instruct you to do yourself. Please go ahead and create a support ticket for us to do this for you; we presently have all hands on deck working these WordPress tickets as a priority, so we will get to your ticket very soon.

  • Tony Santos
    11 April 2013 at 7:27 pm

    I can’t even get into my busiest sites to implement Better WP Security!! What do I have to do to be able to even get in?? I’ve already denied all IPs in .htaccess except for mine. And still nothing. Need some help here…

    • HostGator
      11 April 2013 at 7:31 pm

      It may be necessary for you to join us in LiveChat so that we can properly assist you in realtime with this, Tony.

      • Tony Santos
        11 April 2013 at 7:57 pm

        I am on livechat now.

      • Tony Santos
        11 April 2013 at 8:03 pm

        I gotta say it’s very frustrating having your chat support agent tell me to come to this blog post when I ALREADY told him I knew about it. Come on guys…

  • Alejandro Amo
    11 April 2013 at 8:56 pm

    all our wordpress installations already secured… check.
    thanks guys.

  • sombokit99
    11 April 2013 at 9:09 pm

    Thanks for your Info.

  • YammerHammer
    11 April 2013 at 10:36 pm

    Admit it…you guys WAY oversell server space. That is a large part of the problems your users see. Show us the respect of not trying to deny it. Your new owner is known for that sort of practice.

  • Brenda Michalski
    11 April 2013 at 10:36 pm

    How do I delete a website and my URL on WordPress? Or just what do I have to do? The website is dead and I want to start something totally different.

  • Linda Sherman
    12 April 2013 at 2:21 am

    Thank you for staying on top of this HG!

  • Vajrasar Goswami
    12 April 2013 at 4:04 am

    I would suggest the use of all these measures together on your WordPress installation(s):

    1) strong VERY strong password

    2) Limit Login Attempts (WordPress Free Plugin)

    3) Stealth Login Page (WordPress Free Plugin)

  • Victor Nganguem
    12 April 2013 at 4:55 am

    I like that.

  • TaiwanFriendFinder
    12 April 2013 at 8:33 am

    Can we use Cloudflare to block it?

    Or won’t it work?

    • HostGator
      13 April 2013 at 11:58 am

      Cloudflare actually has stated that they have means of effectively mitigating the attack.

  • Artagene Skipper
    12 April 2013 at 9:01 am

    Never ending…Thanks for the heads up..

  • Auctionbunker USA
    12 April 2013 at 9:14 am

    Been having extremely slow or timed-out page loads on server: gator677

  • Absurd Human
    12 April 2013 at 11:11 am

    You can also simply require that all requests to wp-login.php come from your site – this will stop a large amount of these automated attacks:

    Unfortunately a lot of the accounts hit are being successfully compromised. If you have been attacked (which is likely if you have a WordPress site), this guide shows how to clean up as well as add the .htaccess block to prevent automated logins:

    http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

  • Joseph Tamargo
    12 April 2013 at 11:20 am

    Thanks so much ! I have no fear with Snappy standing guard !

  • Diana
    12 April 2013 at 11:22 am

    My site is still down, I can’t even log in to my control panel or my wordpress site to change any passwords and tech support has no info for me…………what now?

    • HostGator
      13 April 2013 at 11:57 am

      Are you now able to log in, Diana?

  • Michael Schuster
    12 April 2013 at 12:36 pm

    This destroyed my birthday yesterday. Over 350 sites we host were affected. Not fun.


  • IAbdussamad
    12 April 2013 at 1:19 pm
  • Max Katz
    12 April 2013 at 1:47 pm

    The mixture of uppercase, lowercase, etc. is NOT an effective security countermeasure against a simple brute force attack. What you need is a longer password. Consider using a pass phrase such as a complete sentence. For instance, today’s quote of the day on brainyquote.com is “Where love is concerned, too much is not even enough.” Using a complete sentence like this is much easier to remember and many orders of magnitude more difficult to brute force, rendering your password mathematically unbreakable.

  • Ashish Gill
    12 April 2013 at 2:29 pm

    Thanks for this useful info. Really helpful.

  • Amming W. Widhonno
    12 April 2013 at 2:31 pm

    This was the relevant reason for staying at the Planet Dallas. You rocked, Gator!
    So far, I’m placing an .htaccess file in the wp-admin folder and denying any IP other than mine from accessing the admin login page.

  • Techalam
    12 April 2013 at 3:29 pm

    This is really not good news. Thanks for providing some useful tips and security measures. Hope this issue ends soon. You guys are really supportive; glad to be a HostGator customer. Thanks :)

  • Ryan Kearney
    12 April 2013 at 4:20 pm

    HostGator, in addition to telling users to change their password, perhaps you should consider not storing users’ main cPanel password in plain text. Requiring users to provide their cPanel login to make changes to their account, and then storing it in your ticketing system, is just nonsense.

  • Nancy Barth
    12 April 2013 at 9:31 pm

    Well, I went to my account settings and changed the password and now I can’t log into one of my blogs. I get this message.
    Server error
    The website encountered an error while retrieving http://calmabrave.com/remote-login.php?login=c4cf7baa20e5b3ca2f03a4e36e0d0d0d&id=37756552&u=af3e83e261b0d94e1772cb9d3569dd5b&h=. It may be down for maintenance or configured incorrectly.
    Here are some suggestions:
    Reload this webpage later.
    HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.

  • Heather Jane Blythe
    12 April 2013 at 10:41 pm

    I was attacked this morning. Locked out. A huge shout out to Joshua in support for promptly looking into it and getting my questions answered. Great service support.

  • Corey Kretsinger
    12 April 2013 at 11:14 pm

    Thank you very much for this update. Now I understand some of what I’ve been noticing. Great job. Hostgator is still the best.

  • Sue Cockburn
    13 April 2013 at 12:13 am

    I’ve been dealing with HostGator for more than a year now and their service is absolutely second to none!! I’m not encouraging you to raise your prices but your service is worth twice what we pay. Seriously, I LOVE you guys!!!

    • HostGator
      13 April 2013 at 11:56 am

      Thank you, Sue!

  • Wolf
    13 April 2013 at 1:52 am

    I read your article from the Knowledgebase and now I can access the backend of my WordPress sites, but there is still an issue: with Chrome it is all right, but if I use Internet Explorer I get a 406 HTTP error page. Can you help me? Thank you.

    • HostGator
      13 April 2013 at 11:56 am

      That is an unusual error, Wolf. If you are still experiencing it, please join us in LiveChat so that we can take a good look and assist you in realtime.

      • Wolf
        14 April 2013 at 7:46 am

        I joined LiveChat but the operator told me that with that .htaccess I cannot access it with IE, only with Chrome and Firefox.

  • TysonChamp
    13 April 2013 at 3:39 am

    As I’m a hacker, I will recommend other WordPress users to take advantage of the security plugins available in the WordPress plugin directory. Also do not use the default admin profile… first log in with the default admin username and then create another administration profile and then log in with this new administration profile… after logging in, delete the default admin profile…

  • Mohamed Khalifa
    13 April 2013 at 5:17 am
  • Frank Woodman Jr
    13 April 2013 at 12:16 pm

    Sadly we will only see more and more of such issues in the future, so as you say we all need to take security very seriously. I set up sites with strong passwords and use any encryption that a site allows. One can’t be too careful, as it’s never good to think that by not being security conscious you might cause others harm or inconvenience.

  • Bob
    13 April 2013 at 1:41 pm

    I changed my .htaccess to allow only my IP.

  • WendyMusica
    13 April 2013 at 3:08 pm

    Well my site has been down twice this week and I’m not using wordpress, I’m using Drupal, do you know something about it?

  • Nick Ker
    14 April 2013 at 5:31 am

    Well this explains a lot. Have had several brute force attempts showing in Better WP Security plugin logs in the last few days.
    I’ve got login attempts limited, no Admin, limited 404s… everything but the .wp-admin protection advised by HG which I will do now.
    So far so good and best of luck to all.

  • Jim Lynch
    14 April 2013 at 2:04 pm
  • Keliweb
    15 April 2013 at 5:19 am

    Very interesting topic, we experienced this with some of our blogs… thank you :)

  • JB
    15 April 2013 at 8:03 am

    “…If you are hosted…and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this… via password-protecting (via .htaccess) all wp-login.php files on the server. If you would like our assistance with this, please contact us via normal support channels….”
    “…we must all take account security very seriously.”

    Um, Hostgator? I just paraphrased what you said. You have said that you have a solution that is severe and heavy-handed, but you’ve simply decided that you’re not going to apply it unless we pay. Well, we already pay. We pay for you to host our web sites, and that means applying fixes, any and every time, your systems are compromised. You’ve decided that you’re not going to unless we want to pay to protect your own systems. You then state that we all need to take account security very seriously. How, exactly, do we protect YOUR systems? You need to apply your severe, heavy-handed approach to my e-commerce site. You have no right to keep washing your hands of this and tell me that for yet more $$, you can put a Lo-Jack on my site. Here’s an idea. Go ahead and throw us a friggin bone and do your job, as an ISP, and apply any severe, heavy-handed approach that you might have, to your clients’ sites.
    Here is the very simple business model:
    -I pay HG to host my e-commerce site
    -I make money from said site.
    -my site is compromised by an attack that I don’t know about because I’m busy making money from the website HG is hosting. HG could keep my site more secure, but has decided not to.
    I get attacked. I don’t make money, which means I can’t pay for your service

    • HostGator
      15 April 2013 at 8:28 am

      JB, it is unfortunate that you inferred that there would be a cost associated with the aforementioned measure that is available to VPS and Dedicated servers. By and large, there is no additional cost whatsoever for the support we provide. This is simply something we leave up to the VPS and dedicated customers due to the fact that they have root access and may very well be taking their own precautions that we do not want to interfere with on the assumption that they would want this action taken on their behalf.

  • HostGator
    16 April 2013 at 8:24 am

    Yes, this is true. It is also true that you cannot change the username of admin. What you can do is create a new user with admin privileges and then log in as that user and delete the admin user; this accomplishes the same goal.

  • Ernest Burnett
    16 April 2013 at 9:37 am

    Thanks for the press release. I polled around for different web hosts and asked whether HostGator would be able to verify Twitter attacks on mail accounts hosted via HostGator, and was pleased to hear you guys are able to check on this. (Mention of strong passwords) Here’s a link for a good client-side, JavaScript strong password generator: http://strongpasswordgenerator.com/

  • Kickmag
    17 April 2013 at 8:49 am

    I’m with a different hosting company but I think I’m switching to Host Gator.

    • HostGator
      17 April 2013 at 9:11 am

      We’ll be happy to have you!

  • Nathan Reimer
    18 April 2013 at 3:30 pm
  • Josh Rich
    22 April 2013 at 12:14 pm

    Would you happen to have any updates to this issue? Is the attack still ongoing?

    • HostGator
      22 April 2013 at 3:48 pm

      Yes Josh, at this time this is still an on-going situation.

  • patscomputerservices
    22 April 2013 at 8:34 pm

    A question. I have my wp-admin panel set up, so that I have to log in twice when accessing it from a web browser. Does that mitigate this attack, or are they able to bypass this?

    Thanks, and have a great day.:)
    Patrick.

  • Victor Nganguem
    30 April 2013 at 3:50 am

    Many thanks.

  • NickZoom
    1 May 2013 at 10:16 am

    I’ve switched to Hostgator too, as my sites were hacked on the other host and are still being attacked, as I haven’t moved them all. They kept going down every day: first once every few days, then daily, then they would redirect. Yesterday crazydomains.com.au was advertising .com domains for $3, but the site was taken over and my computer security blocked it; you could see the site was not fully displaying, as it was a phony site copy that would appear when the real address was in the Firefox browser.

  • ed
    23 May 2013 at 8:55 am
  • Cory Church
    26 May 2013 at 10:20 am

    So it’s been over a month. What’s the status of this attack? Still going strong?

    • HostGator
      29 May 2013 at 4:44 pm

      Yes Cory, it is still on-going; however, for all intents and purposes it has been mitigated.

  • Jason Lemington
    27 May 2013 at 9:47 am
  • Ethan Green
    15 June 2013 at 12:18 pm

    How do you know if you’ve been hacked?

  • Peter
    24 June 2013 at 12:06 am

    This is a very interesting article… great content. I’m really impressed by your thoughts; thanks for sharing your experience.

  • Jason Marks
    24 June 2013 at 9:18 pm

    The support is great, but there’s no way currently in place to fix these problems. I’d appreciate it if there was a way to quickly save everything to one file locally, purge and open a new account on a new server, and reupload without downtime. PLENTY of places follow this protocol.

  • uproview
    16 July 2013 at 4:17 pm

    Wow. Is there a way to resolve this?

  • Airat Zakirov
    23 July 2013 at 4:17 pm
  • Linda Woodard
    25 July 2013 at 7:57 am

    Is there something going on with WordPress today 7/25/13? I cannot access my website, nor can I get into the back administrative office of my website.

  • Karen D. Clawson
    6 September 2013 at 6:51 pm

    Saw a message where the attacks have launched again; our website host is trying to take the remedial action outlined here, but so far no luck in getting us logged back in. Before, if I attempted several times, I’d be successful, but not this time!