As I type these words, there is an ongoing, highly distributed, global attack on WordPress installations across virtually every web host in existence: a brute-force campaign against the WordPress login page (wp-login.php). The attack is well organized and extremely distributed; we have seen over 90,000 IP addresses involved in it.
We strongly recommend that you log into every WordPress installation you have right now and change the password to one that meets the requirements specified on the WordPress website. Those requirements are typical of a strong password: upper- and lowercase letters, at least eight characters, and “special” characters (^%$#&@*). Against a brute-force attack, length buys more than character variety, so a longer passphrase is better still.
You have now changed your WordPress password, correct? Good.
The main force of this attack began last week, died off slightly, and then picked back up again yesterday morning. No one knows when it will end. The symptoms are a very slow WordPress backend or an inability to log in at all; in some instances your site may even go down intermittently for short periods, because every login attempt the bots make is a PHP request that WordPress has to process.
We are taking several steps to mitigate this attack throughout our server farm, but in a case like this there is only so much that can be done at the network level. The servers most likely to experience service interruptions are VPS and Dedicated servers hosting large numbers of WordPress installations, because of the very high load this attack has been seen to cause.
If you are hosted on a VPS or Dedicated server and would like us to take a more severe, heavy-handed approach to mitigating this attack, we can do so by password-protecting (via .htaccess HTTP Basic Authentication) every wp-login.php file on the server. Because Apache rejects a failed request with a 401 before WordPress or PHP ever runs, this stops the bots from consuming your server's resources; it also means you will be asked for a second, separate password before you see the WordPress login form. If you would like our assistance with this, please contact us via the normal support channels.
Again, this is a global issue affecting all web hosts. Anything further we could say at this moment would be speculation. We hope this attack ends soon, but it is a reminder that we must all take account security very seriously.
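The following is an added example of the .htaccess protection described above; it is not HostGator's internal script or anything from the original post. It assumes Apache with mod_auth_basic and the 2.2-style access directives (mod_access_compat on Apache 2.4), the {SHA} htpasswd format that mod_authn_file accepts (what `htpasswd -s` writes), and made-up user names, passwords, paths and addresses. It also shows two details the post only implies: the .htpasswd file belongs outside the web root, and WordPress already owns the site's .htaccess (its permalink rewrite rules live there), so the block must be appended, not written over it.

```python
"""Put HTTP Basic Auth in front of wp-login.php via .htaccess.

Added example, not HostGator's script. Assumptions: Apache with mod_auth_basic
and 2.2-style access directives (mod_access_compat on Apache 2.4), and the
{SHA} htpasswd format that mod_authn_file accepts (what `htpasswd -s` writes).
User names, passwords, paths and addresses below are made up.
"""
import base64
import hashlib
import hmac
import ipaddress
import tempfile
from pathlib import Path

# Apache challenges every request for wp-login.php itself. A bot that fails
# the challenge gets a 401 and never reaches PHP or MySQL, which is what takes
# the brute-force load off the server. Allow-listed addresses skip the prompt
# because of "Satisfy Any" (auth OR access rules must pass, not both).
HTACCESS_BLOCK = """\
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile {htpasswd}
    Require valid-user
    Order Deny,Allow
    Deny from all
{allow_lines}    Satisfy Any
</Files>
"""


def htpasswd_entry(user: str, password: str) -> str:
    """One .htpasswd line in Apache's {SHA} format."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_htpasswd_entry(entry: str, user: str, password: str) -> bool:
    """Verify a password against a {SHA} entry the way mod_authn_file does."""
    name, _, stored = entry.rstrip("\n").partition(":")
    if name != user or not stored.startswith("{SHA}"):
        return False
    want = base64.b64decode(stored[len("{SHA}"):])
    got = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(want, got)


def wp_login_htaccess(htpasswd_path: str, allowed_ips=()) -> str:
    """Render the <Files> block; each allow-listed IP or CIDR is validated first."""
    lines = []
    for ip in allowed_ips:
        net = ipaddress.ip_network(ip, strict=False)  # raises on junk input
        host_only = net.prefixlen == net.max_prefixlen
        lines.append(f"    Allow from {net.network_address if host_only else net}\n")
    return HTACCESS_BLOCK.format(htpasswd=htpasswd_path, allow_lines="".join(lines))


def protect_wp_login(webroot: Path, user: str, password: str, allowed_ips=()) -> str:
    """Write .htpasswd outside the web root and append the block to .htaccess.

    WordPress keeps its permalink rewrite rules in the same .htaccess, so the
    file is appended to rather than replaced, and the block is added only once.
    """
    htpasswd = webroot.parent / ".htpasswd"  # assumption: parent dir is not web-served
    htpasswd.write_text(htpasswd_entry(user, password) + "\n")
    htpasswd.chmod(0o640)
    htaccess = webroot / ".htaccess"
    existing = htaccess.read_text() if htaccess.exists() else ""
    if "<Files wp-login.php>" not in existing:
        if existing and not existing.endswith("\n"):
            existing += "\n"
        existing += wp_login_htaccess(str(htpasswd), allowed_ips)
        htaccess.write_text(existing)
    return htaccess.read_text()


def demo() -> str:
    """Run against a throwaway web root that already holds WordPress rewrite rules."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "public_html"
        webroot.mkdir()
        (webroot / ".htaccess").write_text(
            "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n"
        )
        protect_wp_login(webroot, "wpadmin", "correct horse battery staple",
                         ["203.0.113.5", "198.51.100.0/24"])
        # Second call must leave the existing block alone, not duplicate it.
        return protect_wp_login(webroot, "wpadmin", "correct horse battery staple",
                                ["203.0.113.5"])


if __name__ == "__main__":
    print(demo())
```

On Apache 2.4 without mod_access_compat the same intent is written as a `<RequireAny>` containing `Require ip 203.0.113.5` and `Require valid-user`. Note that {SHA} is unsalted; where the server's `htpasswd` supports `-B`, a bcrypt entry is the better choice, and the rest of the block is unchanged.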
We will update this blog post when we have further information.
**UPDATE**
If you have just a few WordPress sites, you can add the additional layer of security mentioned above, and block this attack yourself, by following the instructions in this article from our KnowledgeBase: http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack
Thank you for the heads up! You guys really know how to look after your clients.
We do what we can, Kerry. We certainly like to get the information out there and assist our customers in helping themselves as much as possible.
I installed this plugin and it’s already blocked 18 IPs in 9 hours: http://wordpress.org/extend/plugins/limit-login-attempts/
That’s a pretty significant number of IPs, but only a drop in the bucket compared to what we’ve seen. Seems like a great plugin to install at this time, though.
I have load monitoring widgets on my desktop and I haven’t had any issues since. 90,000 IPs….unbelievable!
To those interested, Limit Login Attempts didn’t work for me. They still hammered my sites even after “lockout”
I recommend Better WordPress Security. Enable permanent blocking via htaccess after 3 or so attempts.
Last year, I was seriously hacked and blocked from my site — had to restore from a back up and even then had difficulty. I’ve been using Better WordPress Security and have had good success with it since. In addition to blocking sites, it has a number of other security enhancing features.
Same here. I have already blocked 2,000+ with this.
At this moment, your guess is as good as ours, Jedediah. It is certainly the actions of individuals who desire to cause disruption on a large scale.
Glad to hear; always better to be safe than sorry.
What if I already have a strong password?
Then you certainly have a head start, Tyronne. Keep an eye out for any unusual slowness and if you experience anything odd, go ahead and change that password if you don’t want to presently.
They may not get in, but they will hit your server HARD. My load average jumped up to 40 last night and slowed everything else on my server to a horrible crawl.
If it ain’t broke don’t fix it. Keep an eye out.
Thanks, I have more than 35 sites with WordPress on HostGator :D
Keep those sites safe, Manuel. :)
Get a copy of Spyder Spanker Pro.
Thanks for letting us know! HostGator is amazing for the level of support we get. I switched from another host to HG about four months ago and I’m glad I did.
We’re certainly happy to have you. :)
Yeah, I did too, and am happy so far as well.
What about Me ;(
Thanks for this post! I’ve been with HostGator for years and I will never change!
Should be, yes. Other than potential slowness you may experience due to less secure WP installs on the server.
I have a lot of sites on HostGator, but for most of them I can’t even get to admin – it’s timing out.
Sounds like your server is heavily under attack at this moment. We appreciate your patience while we work to mitigate the situation; you should be able to log into your sites shortly.
Michelle, don’t believe your server is under heavy load. My admins are timing out too and my VPS reports 7% CPU. HG can’t you admit you are blocking us from accessing our admins?
Marvin, we understand your frustration, but your particular circumstance isn’t necessarily everyone’s circumstance. If there was a lack of communication between the time you added a plugin and we implemented a fix that we knew worked, then it is possible that you’ve found yourself locked out, which we are happy to resolve for you, and I will personally take care of it if you provide your ticket ID. Bear in mind that we have an unusually high ticket queue due to this attack and therefore you may be experiencing a delay in response, which again I will bypass for you. Thank you in advance for no longer replying to comments with information that is not conducive to a proper resolution.
I suggest that you check your site with Pingdom Tools, which does an online load of your site; it will display the objects loaded, and if any of them look dodgy then you may have an issue. You can also use it to view the admin page, just to see if the issue is traffic or a hack.
I’ve already implemented effective Brute Force blocking solutions on my WP sites. My server load dropped to almost nothing lately. Yet still, I get up this morning and find that HostGator support had blocked access to all my wp-admin files for every site on my VPS. Guess I’m out of work until you fix this!
HostGator, this is not providing me the service I paid for. Please address my support ticket and re-enable administration of my WP sites.
Marvin, may I have your ticket ID please?
Excellent, thank you. I am personally assigning as Admin to handle your issue at this moment.
How do we change the password when we can’t even get to the page to do it? I can’t even reach the login page at the moment to try and change the password. Any suggestions??????
Mark, HG is blocking your access to WP Admin. A simple email to notify us of this would have saved me hours of troubleshooting and even made me think someone had actually gained access to my sites.
This circumstance isn’t necessarily as indicated here; it could very well be a result of the server load causing the inaccessibility. No matter the cause, we are very diligently working at this very moment to get everything under control and restore proper access to all customers.
Then HG, are you saying you are not blocking access to wp-admin’s? My VPS CPU is 7% and I’m still unable to access my admins. Should I worry that a hacker has hijacked my wp-admins?
Marvin, I cannot provide specific information relative to your particular account or server. I can tell you we did not do any type of wide-spread lockout of customers from their sites, but when situations like this are triaged there can sometimes occur things of this nature, which will be resolved quite literally as soon as humanly possible. I have escalated your ticket.
We felt the full force of this yesterday; it overloaded the server and caused our VPS to crash several times. One very helpful HG tech suggested we install the Better WP Security plugin, which allows you to change the admin URL. Once we did that for all of our WP sites the attacks stopped.
Nick, I agree. Better WP Security worked great for my WP sites. It reduced server load to very normal ranges. I set it up to give three login attempts and then permanently block the IP via .htaccess. It really worked.
I also enabled 404 blocking for people scanning for vulnerable files.
I continued to see many attempts, but they are blocked after just 3.
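The comments above describe the same control from two angles: block a source after about three failed logins (via .htaccess), and the observation earlier in the thread that a per-IP lockout did not stop the hammering. The block below is an added example, not code from the post or from any plugin named in the thread, that does the detection half from an Apache access log and renders the resulting deny rules. It assumes the Apache "combined" log format and the WordPress behaviour that a failed login POST re-renders the form with a 200 while a successful one answers with a 302 redirect; the log lines are constructed, using documentation addresses. It also reports how many distinct IPs are attempting logins, because a 90,000-address campaign can stay under any per-IP threshold while still loading the server.

```python
"""Spot wp-login.php brute forcing in an Apache access log and emit deny rules.

Added example, not from the post or any plugin named in the thread.
Assumptions: Apache "combined" log format; WordPress answers a failed login
POST with 200 (form re-rendered) and a successful one with a 302 redirect.
The log lines below are constructed, using RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one address hammering, three addresses trying once each
# (the distributed pattern), and one real user who mistypes once then succeeds.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Apr/2013:08:15:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
192.0.2.1 - - [12/Apr/2013:08:15:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:08:15:10 -0500] "GET /wp-login.php HTTP/1.1" 200 3610 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:08:15:31 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:08:15:33 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
192.0.2.2 - - [12/Apr/2013:08:15:40 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:08:15:52 -0500] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:08:16:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
192.0.2.3 - - [12/Apr/2013:08:16:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:08:16:12 -0500] "POST /wp-login.php HTTP/1.1" 200 3872 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:08:17:00 -0500] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""


def failed_logins(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php that did not redirect."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if m["status"].startswith("3"):
            continue  # a redirect after POST is a successful login, not a failure
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def brute_forcers(lines, threshold=3, window_seconds=600):
    """Map IP -> time it reached `threshold` failures inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged


def attempt_summary(lines):
    """How spread out the attack is: distinct source IPs versus total failures."""
    ips, total = set(), 0
    for ip, _ in failed_logins(lines):
        ips.add(ip)
        total += 1
    return {"distinct_ips": len(ips), "failed_attempts": total}


def deny_block(ips):
    """Render the permanent per-IP block for .htaccess (Apache 2.2 syntax)."""
    rules = "".join(f"Deny from {ip}\n" for ip in sorted(ips))
    return f"<Files wp-login.php>\nOrder Allow,Deny\nAllow from all\n{rules}</Files>\n"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = brute_forcers(lines)
    print(attempt_summary(lines))
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print(deny_block(hits))
```

Two caveats follow from the numbers this prints. Only one address crosses a three-strikes threshold, yet five addresses are attempting logins, so the per-IP rule removes a fraction of the load; that is the gap the Basic Auth approach in the post closes, because it rejects every address before PHP runs. And a `Deny from` list that grows to thousands of entries is re-read by Apache on every request under that directory, so a long-lived list belongs in the server or firewall configuration rather than in .htaccess.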
Excellently done, Marvin. It’d be great if everyone would take their account security as seriously.
Installing that type of plugin should help to a degree, yes, though it is not a guaranteed permanent fix.
I tried your solution from http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack
and it works for shared hosting, but no luck with dedicated hosting. Getting a “wrong redirection” message in FF for wp-login.php and a 404 redirect to the WordPress page for /wp-admin/.
Correct, this solution will not work on a Dedicated server. However, we do have a dedicated solution. May I have the IP of your dedicated server, please?
Can I do it myself? I would rather contact live support than provide my IP to the public in this situation.
It’s an internal script that executes an .htaccess block for wp-login.php, not something we can instruct you to do yourself. Please go ahead and create a support ticket for us to do this for you; we presently have all hands on deck working these WordPress tickets as a priority, so we will get to your ticket very soon.
I can’t even get into my busiest sites to implement Better WP Security!! What do I have to do to be able to even get in?? I’ve already denied all IPs in .htaccess except for mine. And still nothing. Need some help here…
It may be necessary for you to join us in LiveChat so that we can properly assist you in realtime with this, Tony.
All our WordPress installations are already secured… check.
thanks guys.
Thanks for your Info.
How do I delete a website and my URL on WordPress? Or just what do I have to do? The website is dead and I want to start something totally different.
Thank you for staying on top of this HG!
I would suggest the use of all these measures together on your WordPress installation(s):
1) strong VERY strong password
2) Limit Login Attempts (WordPress Free Plugin)
3) Stealth Login Page (WordPress Free Plugin)
Never ending…Thanks for the heads up..
Thanks so much ! I have no fear with Snappy standing guard !
My site is still down, I can’t even log in to my control panel or my wordpress site to change any passwords and tech support has no info for me…………what now?
Are you now able to log in, Diana?
This destroyed my birthday yesterday. Over 350 sites we host were affected. Not fun.
The mixture of uppercase, lowercase, etc. is NOT an effective security countermeasure against a simple brute force attack. What you need is a longer password. Consider using a pass phrase such as a complete sentence. For instance, today’s quote of the day on brainyquote.com is “Where love is concerned, too much is not even enough.” Using a complete sentence like this is much easier to remember and many orders of magnitude more difficult to brute force, rendering your password mathematically unbreakable.
Thanks for this useful info. Really helpful.
This is really not good news. Thanks for providing some useful tips and security measures. Hope this issue ends soon. You guys are really supportive, glad to be a HostGator customer. Thanks :)
HostGator, in addition to telling users to change their password, perhaps you should consider not storing users main cPanel password in plain text. Requiring users to provide their cPanel login to make changes to their account, and then storing it in your ticketing system is just nonsense.
I was attacked this morning. Locked out. A huge shout out to Joshua in support for promptly looking into it and getting my questions answered. Great service support.
Thank you very much for this update. Now I understand some of what I’ve been noticing. Great job. Hostgator is still the best.
I’ve been dealing with HostGator for more than a year now and their service is absolutely second to none!! I’m not encouraging you to raise your prices but your service is worth twice what we pay. Seriously, I LOVE you guys!!!
Thank you, Sue!
I read your article from the Knowledgebase and now I can access the backend of my WordPress sites, but there is still an issue: with Chrome all is right, but if I use Internet Explorer I get a 406 HTTP error page. Can you help me? Thank you.
That is an unusual error, Wolf. If you are still experiencing it, please join us in LiveChat so that we can take a good look and assist you in realtime.
I joined LiveChat but the operator told me that with that .htaccess I cannot access with IE, only with Chrome and Firefox.
As I’m a hacker, I will recommend other WordPress users to take advantage of the security plugins available in the WordPress plugin directory. Also, do not use the default admin profile: first log in with the default admin username, then create another administrator profile and log in with this new administrator profile. After logging in, delete the default admin profile.
Sadly we will only see more and more of such issues in the future, so as you say we all need to take security very seriously. I set up sites with strong passwords and use any encryption that a site allows. One can’t be too careful, as it’s never good to think that by not being security conscious you might cause others harm or inconvenience.
I changed my .htaccess to allow only my ip.
Well my site has been down twice this week and I’m not using wordpress, I’m using Drupal, do you know something about it?
Well this explains a lot. Have had several brute force attempts showing in Better WP Security plugin logs in the last few days.
I’ve got login attempts limited, no Admin, limited 404s… everything but the .wp-admin protection advised by HG which I will do now.
So far so good and best of luck to all.
“…If you are hosted…and you would like for us to take a more severe, heavy-handed approach to mitigate this attack, we can do this… via password-protecting (via .htaccess) all wp-login.php files on the server. If you would like our assistance with this, please contact us via normal support channels….”
“…we must all take account security very seriously.”
Um, HostGator? I just paraphrased what you said. You have said that you have a solution that is severe and heavy-handed, but you’ve simply decided that you’re not going to apply it unless we pay. Well, we already pay. We pay for you to host our web sites, and that means applying fixes any and every time your systems are compromised. You’ve decided that you’re not going to unless we pay more to protect your own systems. You then state that we all need to take account security very seriously. How, exactly, do we protect YOUR systems? You need to apply your severe, heavy-handed approach to my e-commerce site. You have no right to wash your hands of this and tell me that for yet more $$ you can put a Lo-Jack on my site. Here’s an idea. Go ahead and throw us a friggin’ bone, do your job as an ISP, and apply any severe, heavy-handed approach that you might have to your clients’ sites.
Here is the very simple business model:
-I pay HG to host my e-commerce site
-I make money from said site.
-my site is compromised by an attack that I don’t know about because I’m busy making money from the website HG is hosting. HG could keep my site more secure, but has decided not to.
-I get attacked. I don’t make money, which means I can’t pay for your service.
JB, it is unfortunate that you inferred that there would be a cost associated with the aforementioned measure that is available to VPS and Dedicated servers. By and large, there is no additional cost whatsoever for the support we provide. This is simply something we leave up to the VPS and dedicated customers due to the fact that they have root access and may very well be taking their own precautions that we do not want to interfere with on the assumption that they would want this action taken on their behalf.
Yes, this is true. It is also true that you cannot change the username of admin. What you can do is create a new user with admin privileges and then log in as that user and delete the admin user; this accomplishes the same goal.
We’ll be happy to have you!
Would you happen to have any updates to this issue? Is the attack still ongoing?
Yes Josh, at this time this is still an on-going situation.
I’ve switched to HostGator too, as my sites were hacked on the other host and are still being attacked, as I haven’t moved them all. They kept going down every day: first once every few days, then daily, then they would redirect. Yesterday crazydomains.com.au was advertising .com domains for $3, but the site was taken over and my computer security blocked it; you could see the site was not fully displaying, as it was a phony copy of the site that would appear when the real address was in the Firefox browser.
So it’s been over a month. What’s the status of this attack? Still going strong?
Yes Cory, it is still on-going however for all intents and purposes has been mitigated.
Is there something going on with WordPress today, 7/25/13? I cannot access my website, nor can I get into the back administrative office of my website.
Saw a message where the attacks have launched again; our website host is trying to take the remedial action outlined here, but so far no luck in getting us logged back in. Before, if I attempted several times, I’d be successful, but not this time!