How We Were Attacked
Attack Summary of the past 24 hours
Over a number of months we were subjected to a new wave of XMLRPC-based attacks (along with other attacks), which was hugely ramped up at the end of July and peaked on the 4th August, having taken down the website. The attack, however, did continue over the next few days, and does today.
On the 4th, we believe that at the point our site was forced out of service, approx. 89% of requests were attacking the website using the XMLRPC method.
This ‘new exploit’ is, in its most basic form, a brute-force attack that attempts to log in to the admin system. These attacks are common: they take lists of “normal usernames” and dictionaries of thousands of “average passwords” and try them again and again, in the hope that a password is weak or has been compromised elsewhere. (This is why, even when a hashed / secured password database is compromised, the service will enforce a full password reset.)
The XMLRPC vector uses the wp.getUserBlogs method within WordPress to try and gain access. This is a move from the normal attack vector of wp-config.php to an API-based attack, which is hugely faster and much more productive for hackers.
Thankfully, SEOAndy is protected by an addition made to our Linux VPS after the last attack, called CloudLinux, by my web hosting company SW Broadband. This meant that once the resources of SEOAndy were used up the site went down but did not affect the other sites on the server – keeping those sites live!
By the point of recovery on the 5th, SEOAndy was being attacked by approx. 10% of the requests for files; today (10th Sept) this is 6.6%.
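The 89% figure above came from looking at which requests were hitting xmlrpc.php. As an added example, not part of the original post, here is a small Python script that does that arithmetic over constructed access-log lines in Apache combined format and flags the source IPs responsible; the per-IP threshold and the sample lines are my assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines (Apache combined format), not taken from the real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Aug/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.30"
192.0.2.44 - - [04/Aug/2014:10:00:03 +0000] "GET /blog/post/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.45 - - [04/Aug/2014:10:00:03 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2014:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path, status; the rest of the line is ignored
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path.split("?")[0], "status": int(status)}


def analyse(log_text, per_ip_threshold=3):
    """Share of requests that are XML-RPC POSTs, plus IPs sending at least the threshold."""
    total = 0
    xmlrpc_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        total += 1
        # XML-RPC calls are POSTs; a failed login still answers HTTP 200 with a fault
        # in the XML body, so volume per source, not status code, is the signal.
        if rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            xmlrpc_by_ip[rec["ip"]] += 1
    hits = sum(xmlrpc_by_ip.values())
    return {
        "total": total,
        "xmlrpc_share": round(100.0 * hits / total, 1) if total else 0.0,
        "suspect_ips": sorted(ip for ip, n in xmlrpc_by_ip.items() if n >= per_ip_threshold),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```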
Securing WordPress Against Future Attacks
There are many ways to protect yourself against a brute-force attack; indeed there are hundreds of WordPress plugins offering some form of protection. However, few – in my experience – actually live up to their billing when websites are attacked. Knowing this, I looked for another solution to securing WordPress and maintaining security constantly within the site.
I should point out that I am a believer in diligence in security, and thus always update plugins and WordPress – these aren’t included below, but if you haven’t updated plugins etc., please do that first. Also you MUST back up your website before taking any of the actions below.
My plan of action during the SEOAndy DDOS Aug 2014
I did my research and here is the plan of action I created. Almost every step requires you to be knowledgeable as a developer, and in some cases in server admin; it’s simply the nature of preventing and stopping attacks.
- Securing All Passwords in the WordPress Database
I reset all user passwords, using MySQL commands, to 64 random characters, MD5 hashed. I then emailed all relevant persons letting them know how to reset their password and what rules they should be complying with.
The SQL command for this is (replace the two placeholders with the new password and the target login):
update wp_users set user_pass=MD5('new_password') where user_login='admin_username';
- Removing the Admin user
From research others had done, this type of brute-force attack was found to be aimed primarily at the “admin” username – formerly a default within WordPress. Removing it is simple enough: create a new administrator-level user (the role can be assigned to an existing user), then, logged in as that user, delete the “admin” user and attribute all of its posts and pages to another user.
The alternative is to change the username for that user with the SQL command:
update wp_users set user_login='newusername' where user_login='admin_username';
- One Admin to Rule Them All!
Seriously, demote all but one user from the Admin role. Commonly there are several admins for one reason or another, but honestly I’ve not come across a real use case for this. If a user needs extra permissions, take a look at a User Access Control plugin; do NOT give them an admin role. This action hugely reduces the potential attack surface and can also prevent a user’s mistake from breaking the website.
- Update the MySQL password for the WP Install
A new, longer, secure password (updated on your database and within wp-config.php) means better security. This is simple enough to do for a developer. I would also advise changing the table prefix from wp_ to a random sequence_.
- Update WP-Config Security Keys
This is easy enough to do if you have access to the file; no dev needed. Be warned: it will reset all cookies on the website and users will need to log in again. You can find new secret keys here.
- Don’t Allow File Editing Within WordPress Admin
It’s a lovely tool for quick edits to your theme or a plugin from the admin, but if someone gains access with a brute-force attack this is likely to be one of the first places they go. The fix is simple; just add this to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
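The wp-config.php items above (a longer database password, a non-default table prefix, fresh secret keys, DISALLOW_FILE_EDIT) can be checked mechanically before and after the change. This added Python audit is not from the original post: it parses a config file's define() and $table_prefix lines and lists the weak settings; the 20-character password minimum and both sample configs are my assumptions.

```python
import re

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(?:(true|false)|['"]([^'"]*)['"])\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

# Constructed wp-config.php fragments for the demo (not from the original post).
WEAK_CONFIG = """
define('DB_PASSWORD', 'secret');
$table_prefix = 'wp_';
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
"""
HARDENED_CONFIG = "define('DB_PASSWORD', 'R7v!pQ2m$Lx9#kD4wZ8b&Tn3');\n$table_prefix = 'k3z9_';\n" \
    "define('DISALLOW_FILE_EDIT', true);\n" + "\n".join(
        f"define('{k}', 'constructed-{i}-{k.lower()}-Zq8vL2nX');" for i, k in enumerate(KEY_NAMES))


def parse_config(text):
    """Return (constants, table_prefix) from the define() and $table_prefix lines."""
    consts = {}
    for name, boolean, string in DEFINE_RE.findall(text):
        consts[name] = (boolean == "true") if boolean else string
    m = PREFIX_RE.search(text)
    return consts, (m.group(1) if m else None)


def audit(text, min_db_password=20):
    """List the weak settings found; an empty list means every check passed."""
    consts, prefix = parse_config(text)
    findings = []
    if consts.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not defined as true")
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is missing or the default wp_")
    if len(consts.get("DB_PASSWORD", "")) < min_db_password:
        findings.append(f"DB_PASSWORD is shorter than {min_db_password} characters")
    keys = [consts.get(k, "") for k in KEY_NAMES]
    if any(k == "" or PLACEHOLDER in k for k in keys):
        findings.append("one or more secret keys are missing or still the placeholder")
    elif len(set(keys)) != len(keys):
        findings.append("secret keys are not all distinct")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```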
- Load Static Content from a Content Delivery Network
I will be writing another post on the use of a CDN for content such as images and JavaScript files, both to enhance security and to increase the performance of a website. A developer can set this up fairly easily; it does cost a little but is worth a lot – I use MaxCDN and love it.
- Blocking Attacks Before They Reach the Website
The only way a denial-of-service attack can be effective is if its requests reach the website it is attacking; if it cannot make a request and get a response from the website, the attack fails. There are a few ways of doing this: there is blacklisting software within most platforms, but this means a request still gets to the server and the website. Overloading the server can bring all the sites down, so I wanted to beat the attack before it got to the server. The solution is a WAF and proxy called CloudProxy by the awesome guys at Sucuri (known for their website malware scanner). Below I explain why I chose CloudProxy and why I think you should also entrust your WordPress website to them.
Web Application Firewall & Proxy for WordPress Security
As a simple explanation, CloudProxy works by taking all traffic directed to your website, filtering it for attack vectors and banned IPs, and then forwarding valid connections to your website. Thus all real traffic can access your website as normal, while those who are attacking or trying to access from a blocked IP simply get stopped – hence preventing the attack.
Also, by default CloudProxy blocks all non-whitelisted IPs from accessing any resource under wp-admin, thus preventing the majority of attacks at the filtering stage. It’s interesting to note that 49% of requests from the point of activation (5th Sept) to today have been blocked through not being on the whitelist.
Threats over the past 24 hours to SEOAndy
The CloudProxy filter also filters out things such as SQL injection attacks, brute-force attacks, DDOS attacks and much more. It really is a great filter and tool for any website.
Whilst CloudProxy has a special plugin for WordPress, it can and does cover any website. The WordPress plugin comes with the Sucuri scanner built in (it scans every few hours) and has a ton of features which you can select to help enhance your security, including file permission checks, among others.
Another great feature: if you don’t already have a CDN for your website, CloudProxy can work as your CDN, speeding up your website whilst securing it.
Finally, CloudProxy gives great reporting and logging, allowing you to monitor precisely what is going on and when. Also, with CloudProxy virtual patching, new vulnerabilities are blocked instantly for your website – meaning even if you are behind in updating, or there is no update for a plugin, you are safe and sound.
Original SEO Content by SEO Andy @ Securing WordPress Against Exploits