The recent widespread attack on WordPress sites

While we may not have been the first to report this, we have been quietly gathering information and watching.

First, I’d like to start off by saying that this is the “current” attack and most of the suggestions online are temporary fixes for this attack. What about the rest of the time? What about the next attack?

Next, blocking by IP is not going to work. This botnet is so large that the IP addresses could come from anywhere: overseas or even here in the US. This is like blocking user-agents and other easily spoofable settings. Hackers are too smart for this.

Setting your .htaccess to only allow access to your wp-admin or wp-login.php is not going to work for everyone. Most people are still on dynamic IP addresses, so locking it down to a select group of IP’s will lock you out and yes you could go into FTP and delete, but who is going to do that on a regular basis? And, are you going to go back after you’ve logged in and change that .htaccess again? and again?

We have seen in more recent attacks that once the hackers infect a local computer, they can launch their attack from there. So the IP address looks like the attack came from your computer.

Also, changing the location of the wp-admin or wp-login.php file is going to help you on this attack, but the more frequent attack we see is the password stealing trojan.

This trojan has infected PCs and Macs and it steals the URL, username and password sequence. You could change the URL and change your username to: rumplestiltskin and have a password that’s twice as long as the english alphabet and you’re still going to have an infected website if you have the password stealing trojan.

If you want to know the username, even if it’s been changed and admin removed, try this with your URL:

Replace the above URL before the ? with the exact URL to your blog. If you get a valid response, you know that you have the admin user still intact. If you’ve changed the admin user or deleted it, you’ll get a response that says something like:

Sorry, but you are looking for something that isn’t here.

To keep searching, change the 1 to a 2 and see what happens. If you get a valid response your URL will have something like:

Now you know the userID and the username name. Add your dictionary of passwords and continue.

You could also password protect the wp-admin folder with an .htaccess file. Guess what? The password stealing trojan steals all the information to a successful login even the secondary passwords.

Over the past 2 weeks, we’ve cleaned 1,978 infected websites and 1,755 of them were compromised due to the password stealing trojan. (62% of the people we’ve helped were using Macs). We have the log files to prove it. We see a website owned by someone here in the US and we see successful logins from all over the world. That is proof.

We hear all the time, “I don’t need anti-virus because I’m on a Mac”. Or, “I don’t have a virus. I know what websites to stay away from.” Really? Because that persons website was infected and was attacking a browser exploit on the computer’s of visitors to his site. Surely that person must stay away from their own website then, right?

What does work?

Keep your local computer clean. Install something to detect malicious behavior.

Two-factor authentication works. Captcha is good for now, but we keep seeing reports where hackers have cracked many captchas. But for the automated attacks of hackers, it works well.

Use something like LastPass or on a Mac use KeyChain. Do not save the login credentials in your browser – DO NOT! This is too easy for hackers to steal.

Create a separate user on your local computer and use that for day-to-day work and only log in as administrator when you need to do updates or install software. Keep in mind that when a virus/trojan breaches your computer it has the same access as the currently logged in user. If you have admin rights, guess what? So does the virus/trojan.

In our honeypot analysis of this current attack, it appears that while the hackers are using a dictionary attack of pre-created passwords, they also have buried in their password lists legitimate passwords stolen from computers.

We see the attempted passwords and too many of them are so bizarre that they couldn’t have been part of a computer generated password dictionary.

If you want to hide your real intention, why not bury it inside a larger attack that will cause a lot of frenzy and confusion?

We believe the hackers responsible for this attack are sitting back and laughing at the frenzy they’ve created knowing that their real intention totally slipped by everyone – well almost everyone.