Recent WordPress Vulnerabilities - Brute Force Login and Cache

Discussion in 'Security' started by seenBEST, Apr 29, 2013.

  1. seenBEST

    seenBEST New Member


    I've been reading about two fairly major WordPress exploits recently. Do you have any recommendations for these? I'm a KnownHost VPS customer.

    The first involves wp-login.php and brute force attacks. Does a KnownHost firewall automatically block the bots that are taking advantage of this exploit? What are the ideal firewall settings to protect against it?

    The second is the W3 Total Cache and WP Super Cache exploits. Obviously, updating these plugins is very important. Does KnownHost automatically update plugins such as these on VPS accounts, or is there some way to subscribe to a notification service that will let us know when you find problems such as these as well as provide instructions on how to fix them?
  2. Big Dan

    Big Dan New Member

    For myself and clients I've removed WP Super Cache and W3-Total-Cache. It's not just a matter of removing the plugin folder. There are other files in wp-content as well as an edit to .htaccess and wp-config.php to completely remove W3. I'm now using Quick Cache on WP powered sites.

    As for the login.php brute force attacks, here are two tips for you:
    1. Get rid of the admin user. Admin is the default user name; that just leaves you that much easier to attack. The hackers already know half the combination to login.
    2. Use a strong password (letters, numbers, special characters).
    You may want to consider sticking CloudFlare in front of your domain. They're pretty awesome at detecting and mitigating brute force and DDoS attacks. In addition, CloudFlare makes your site faster by caching static content and serving it from datacenters closest to the browser. It's free, btw.
    Chimpie likes this.
  3. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Cloudflare is indeed filtering the wp-login attacks now, but I think many of those attacks have subsided across most of the internet. We've not seen the attack in at least a week now.
  4. Shawn McNair

    Shawn McNair New Member

    Wordfence is your friend. It locks out attempts to a number of times you choose, shady bot blocks... You'll have to read their documents before I attempt a hen peck. It has helped me big time with WP sites enough to say it's mandatory.
    Jean Egan and KH-DavidL like this.
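The brute-force pattern the thread keeps coming back to (repeated POSTs to wp-login.php, and a Wordfence-style lockout after N failed attempts) can be spotted in ordinary web server logs. The following is an added example, not code from the thread, Wordfence or KnownHost: it reads Apache combined-format lines, counts failed logins per client IP inside a sliding window, and reports the IPs that cross a configurable threshold. It assumes WordPress's default behaviour of answering a failed login with HTTP 200 (form re-rendered) and a successful one with a 302 redirect; the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format. A failed WordPress login re-renders the form
# with HTTP 200; a successful one answers with a 302 redirect to wp-admin.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"].split("?", 1)[0], int(m["status"]))

def failed_login_sources(lines, threshold=5, window_seconds=300):
    """Map IP -> peak number of failed wp-login.php POSTs seen inside one sliding window."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Only count failed logins: POST to wp-login.php answered with 200.
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                 # drop failures outside the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample lines, not taken from the thread or any real server.
SAMPLE_LOG = [
    f'203.0.113.10 - - [29/Apr/2013:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "bot"'
    for s in range(0, 25, 5)          # five failures in 20 seconds
] + [
    '198.51.100.7 - - [29/Apr/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [29/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [29/Apr/2013:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(failed_login_sources(SAMPLE_LOG))   # {'203.0.113.10': 5}
```

The flagged dictionary is what a lockout rule or a firewall deny list would be fed; the slow two-attempt source from 192.0.2.5 stays below the threshold because its failures fall outside the window.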
  5. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    Great to see someone else enjoying the benefits of WordFence. When I have to use WordPress, WordFence is a must for me as well.
    Jean Egan likes this.
  6. Shawn McNair

    Shawn McNair New Member

    Literally while sleeping.

    "This email was sent from your website "lalalalalala" by the Wordfence plugin.

    Wordfence found the following new issues on "lalalalalala".

    Alert generated at Friday 24th of October 2014 at 10:16:57 AM
    Critical Problems:

    * File contains suspected malware URL: /home/.............."
  7. KH-DavidL

    KH-DavidL Abuse & Documentation Specialist Staff Member

    Have you gotten it taken care of or do you need assistance?
    Jean Egan likes this.
  8. Shawn McNair

    Shawn McNair New Member

    No sir I'm good (pretty sure).
    Plugin went south on small network and it was deleted via FTP. Wordfence is scanning now with better results.
    Thanks for asking.

    Not to be anybody's daddy but, in my opinion, just because a plugin came from the WP repository doesn't mean the developer won't abandon updates or had evil in mind. WP's footprint is a huge target and if yours gets popped it (for me) can question and second guess your efforts.
    I came here mostly for security because shared hosting and the easiness of WP has created a lot of yin/yang. It drove me nuts.

    Lastly never ever install a nulled plugin or theme.
    Good luck and build it solid!
    Chimpie likes this.
  9. Nelson Timken

    Nelson Timken New Member

    Maybe you could have suggested this to me David when I asked you for assistance instead of just suspending the account and my church's web site.
    You have acted like a real dick towards me, and rest assured, every vBulletin web site will hear about your Nazi tactics.
  10. KH-DanielP

    KH-DanielP KH-COO Staff Member

    @Nelson Timken

    I do apologize that David did not offer this to you in the abuse ticket; we walk a fine line between providing managed services and trying not to step into the development world of things. I do not believe his tactics were Nazi by any means, and we do understand that it is a fine line between having out-of-date scripts and having the time to get them patched once compromised. I'm already working with you in the sales ticket and I do hope we can come to a mutual resolution.
    Jean Egan likes this.
  11. Nelson Timken

    Nelson Timken New Member

    I have installed WordFence, and hope that it will help. I am not looking to jeopardize the server.

    As for David, I authorized him to update the WordPress after I tried to do so TWICE and it did not update all the files when I clicked the update link. I also authorized him to remove malicious files. Why there was a need to suspend my church's web site when I did not respond fast enough, well, I will leave that to you. I asked him several times for HELP preventing this from happening, and all he said was "update the WordPress". Interesting to see his post here.

    Yes, you have been helpful.
  12. KH-DanielP

    KH-DanielP KH-COO Staff Member

    @Nelson Timken

    We did indeed get WordPress updated for you and removed the first round of malicious files. I think the problem occurred when we identified a second set of malicious files but did not have express permission for their removal.

    I think you would agree that we have to be very careful in regards to removal of files from a customer's site that have the potential to break it. Obviously if they were 100% malicious files (shells, mailers etc.) it wouldn't be an issue, but when they are compromised files that also operate the website, oftentimes it is very hard for us to tell what may or may not be in use, which is why we rely on the customer's knowledge of those files as well.

    He was correct that keeping WordPress up to date is the number one option, and it's hard to know what's correct for every scenario, but as I mentioned I'll review over everything to see what else we can do to adjust that process.
    Jean Egan likes this.
  13. Jean Egan

    Jean Egan New Member

    I use WordFence, Sucuri & Bulletproof Security (BPS) for my WordPress sites. They complement each other in what they protect on the site. They do all need to be read through and set up to work well. I've been keeping a "cheat sheet" on my local drive for what settings I use that I update as the settings grow and change :) For instance, I was avoiding "hardening" the wp-content folder because it was conflicting with BPS - until it dawned on me that Sucuri was just denying ALL access - I changed it to allow access by my server, my site and my IP and I can harden that folder in Sucuri now. (Using my "cheat sheet" code.)

    I've been very happy with KnownHost support. They go above and beyond what any other host I've been with before has gone and I appreciate that very much.
