How iPage Stopped WordPress Hackers & Their Botnet
For over a week now, the popular CMS platform WordPress has been getting slammed by a massive botnet of a claimed 90,000 machines. The hackers have been attempting to brute force their way into accounts that use weak passwords and are using the standard WordPress username ‘admin’.
The botnet is comprised of machines infected with malware, with most of the users of these computers unaware they are part of these attacks. The botnet channels bandwidth from these machines and attempts to crack passwords of WordPress sites that a) Use the default URL for logging in, /wp-admin and b) use the default username ‘admin.
WordPress founder Matt Mullenweg quickly posted up the solution to stop these attacks on his blog and recommended that WordPress users do the following:-
- Change the username ‘admin’ to anything else that doesn’t leave a footprint such as your name.
- Create a strong password, by using at least 8 characters, a mix of upper and lower-case letters and to throw in some numbers.
- Upgrade WordPress to the latest version.
- Turn on two-factor authentication if you are using a WordPress hosted blog on WP.com.
The above precautions stopped sites from being cracked into, BUT this still didn’t stop the hack attempts from taking servers down.
When you have thousands of IP addresses hitting a site at the same time it causes a distributed denial-of-service (DDoS) attack. Mosted hosted websites can’t handle that many connections at any given time and will become unresponsive and inaccessible.
What Did iPage Do to Stop the Flood Of Connections?
Firstly, as soon as the attack started happening on the 4/11/2013, iPage quickly blocked all access to the /wp-login.php page. This was the only page being attacked and blocking this page from being accessed, stopped the attacks, but at the same time, blocking this page meant users couldn’t access their admin area of WordPress.
Secondly, iPage started enabling their filters and blocked out the IP addresses by establishing a secure firewall. With the infrastructure stabilized they banned IP addresses that used multiple login attempts to the WordPress Admin area. With so many IP addresses hitting their servers they needed to find a better solution.
By Thursday the network infrastructure team made an almost permanent solution. By looking at the data in the logs they found a footprint in the way the botnet was accessing WordPress. It was different to how a normal user accesses their website. A new change to block out this unusual pattern was rolled out to the server and saw hundreds of hits per second, drop to almost none!
We highly commend iPage for their prompt service in rectifying the underlying problem. Not only did they come up with the solution quickly, they worked around the clock to satisfy their customers.
