The last few days I have been having trouble getting into the admin functions of this blog. I initially thought I had done something to corrupt the files or something; I just could not figure out what was wrong. I spent hours looking through tech support forums that were way too “techie” for me to comprehend, and I began to despair…
Tuesday was a horrible day for me for multiple reasons; not being able to access my blog was only one thing that had me about ready to explode or crumble – one or the other – or both! I was upset.
Then, the next morning, it occurred to me to check my provider/hosting website to see what I could perhaps find there to assist me. And I found a way to request my access info to be resent and my password reset – so I did that – and then was able to get in. I was ecstatic.
However, this morning I again started having the same problems! I again logged into my hosting account. And lo and behold, the first thing I saw there was this:
Explaining Recent WordPress Service Activity
4/11/2013 5:15pm EST Update:
“At this time we are still working to fight against the brute-force attacks on WordPress sites. We want to clarify that this is not an issue exclusive to our hosting platform or even vDeck. The hackers have targeted WordPress sites hosted across a multitude of brands, and we are working alongside other partners in the industry to determine how we can resolve the issues we’re all facing. As we continue to focus all of our energy on the attack, we apologize for any additional delays with our support response-times. We can assure you that our staff is working overtime to eliminate the threat while keeping up with as many support tickets as possible. We take pride in delivering reliable and solid support so again, we apologize to any and all of our customers who may be affected by this delay. We appreciate your patience and understanding.”
Thank goodness I didn’t do anything to cause my problems and I am not crazy; nor am I the only one apparently having this issue. Nor, apparently, do I need to try to understand all – or any – of this techie gobbledygook in order to fix it. Thankfully! But…
I HATE HACKERS. THIS HAS CAUSED ME MUCH DISTRESS.
… And apparently this has been a very serious problem affecting many, many people:
04/12/13 at 16:33 ET Update on the WordPress “Brute Force” Attack
As you may know, Tuesday, a widespread “brute force” attack against WordPress sites started impacting sites across the internet. This attack is leveraging a botnet which looks to have more than one hundred thousand different computers at its disposal. Its intent is very simple: to find and compromise WordPress sites with simple passwords, to likely later use them to distribute malware (and further increase the size of the botnet).
On Tuesday, our admins discovered this attack as we investigated increased load and decreased performance on our hosting servers. We quickly identified this as a widespread attack on the WordPress login page. The attack was a large one (hundreds of hits a second to many WordPress sites spread across our infrastructure). It became quickly obvious we needed to act fast. At this point, the fastest solution was to drop all traffic to the WordPress login page (wp-login.php) while we worked on a better plan.
The downside to this, of course, is that we blocked legitimate access for customers who wanted to login to WordPress. We knew that was not an acceptable solution for very long, so we immediately went to work on a better solution. We truly apologize if we kept you from logging into your WordPress, but we felt that keeping your site up (but not allowing you to login), was the better option.
With the infrastructure stabilized, we dug in and started investigating better solutions. We reached out to some partners and other groups on the web, and collaborated on some security rules that would help mitigate the attack. These security rules are, in a sense, rules based on behavior: if a single IP address or browser used the wrong password on a WordPress site more than a handful of times in a few minutes, we would ban that IP address for a period of time. This rule would help us allow legitimate customers to login to WordPress, but would stop the attacker after a number of bad attempts.
We rolled these changes out Tuesday afternoon. It took a few tries to find the right balance to block the bad guy but not keep a legitimate user from logging into their WordPress site. The attack subsided overnight.
The attack returned in force on Wednesday as we reached peak business hours. This made it obvious that the attack was based off a botnet—likely using the computers of unsuspecting office workers coming in for a normal day of work! We spent Wednesday tweaking rules and working with other folks in the industry to share tips, tricks, and findings.
By this point, between ourselves and our partners, we were approaching having flagged nearly that hundred thousand IP addresses, and more new IP addresses were showing up every second. Even though we were stopping much of the attack, it was so large that simply handling the traffic was starting to impact our servers.
The team was able to keep things stable for most of Wednesday, working hard to tweak rules as we or our colleagues identified new trends.
By Thursday, it was clear that the attack was not subsiding. The first thing we did was to roll out a new heuristic-based set of rules that would look historically at our growing set of log data, identify patterns, and block the attack based on that data, not just on current bad behavior, but combinations of bad behavior.
That put a big dent into the attack. But the attack was still big enough to be causing our servers to run at a higher than normal load.
Our breakthrough happened on Thursday, as our team looked through data on the web and data in our logs. We found a difference between the way the attack accesses WordPress and legitimate customers access WordPress. Thursday afternoon, we rolled that change out to our edge servers (before the traffic even reaches the web server that might be hosting your site) to drop any traffic that didn’t look legitimate.
Hundreds of hits a second dropped to nearly none.
We’ve been rolling this change out across our data centers and seeing much of the attack mitigated. This is allowing us to focus less on just keeping things running and more on the proactive work of heading off the next variant of this attack. The attack, as it usually does, has started to pick up again today during peak business hours, but thus far, we’re not feeling the effects.
We head into the weekend in good shape, but vigilant against a returning or altered attack. In the meantime, our support team is ready to help you if you are feeling any lingering effects (the most common one might be if your IP got marked as a possibly bad IP). If you’d like to help make your site stronger, we recommend changing your WordPress password to a secure one, if you haven’t already.
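The per-IP lockout rule the provider describes above (ban an address after more than a handful of wrong passwords in a few minutes), as an added example that is my code and not the provider's or the original post's: it replays constructed access-log lines through a sliding-window counter of failed wp-login.php POSTs and drops requests from a banned address until the ban expires. The thresholds, the sample addresses and the assumption that WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect are all assumptions, not facts from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format); not from the original page.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2013:09:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.5 - - [09/Apr/2013:09:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.5 - - [09/Apr/2013:09:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.5 - - [09/Apr/2013:09:00:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.5 - - [09/Apr/2013:09:00:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.5 - - [09/Apr/2013:09:00:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3541
198.51.100.7 - - [09/Apr/2013:09:00:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [09/Apr/2013:09:12:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3541
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for one log line."""
    ip, ts, method, path, status = LINE_RE.match(line).groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def is_failed_login(method, path, status):
    # Assumption: WordPress re-renders the form (HTTP 200) on a bad password
    # and redirects (HTTP 302) on success, so a 200 on POST means a failure.
    return method == "POST" and path.startswith("/wp-login.php") and status == 200

def apply_ban_rule(log_text, max_failures=4, window_s=120, ban_s=600):
    """More than max_failures failed logins from one IP inside window_s seconds
    bans that IP for ban_s seconds (assumed thresholds). Returns (decisions, bans)."""
    failures = defaultdict(deque)   # ip -> recent failure timestamps
    banned_until = {}               # ip -> datetime the ban expires
    decisions = []
    for line in log_text.splitlines():
        ip, when, method, path, status = parse_line(line)
        if ip in banned_until and when < banned_until[ip]:
            decisions.append((ip, "block"))   # dropped before reaching WordPress
            continue
        decisions.append((ip, "allow"))
        if is_failed_login(method, path, status):
            recent = failures[ip]
            recent.append(when)
            while recent and (when - recent[0]).total_seconds() > window_s:
                recent.popleft()              # forget failures outside the window
            if len(recent) > max_failures:
                banned_until[ip] = when + timedelta(seconds=ban_s)
                recent.clear()
    return decisions, banned_until
```

Running `apply_ban_rule(SAMPLE_LOG)` shows the fifth failure from 203.0.113.5 triggering the ban, the sixth request being blocked, the other address's successful login passing untouched, and the same address allowed again once the ban has expired.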
I am very grateful to my Service Provider and their good work:
But like I said before: