Let's plug up #1 way that viruses spread: wp-login.php
-
I’ve looked at the visitors to my websites, and found more malicious visit patterns and spiders/bots than real visitors. Okay, that wasn’t really surprising, but what was surprising was the fact that WordPress appears to be of great interest to bots designed to probe my sites, even though I don’t host a WP blog.
The number one page accessed on my websites is wp-login.php, the main entrypoint to hosted WP blogs.
What can we learn from this? While I don’t have further evidence, my insight is that wp-login.php allows malicious visitors to probe for weak passwords and unprotected pages.
Several times, while examining virus links sent to me by email, I’ve found that the place where the virus resides before coming to my computers is a WP blog page on a small commercial website (one that I recall was an auto parts website in Germany). These insecure and vulnerable pages are owned by small businesses that probably have little or no knowledge of security precautions, such as using long and unguessable passwords.
So, what am I saying?
First, rename wp-login.php by adding a short salt to it. A malicious visitor cannot easily probe into wp-login-e6y7uw.php.
Second, detect really poor passwords automatically and force the user to accept a good password.
These are immediate responses off the top of my head. I’m sure better ideas are easy to create. Let’s all do what we can to prevent the spread of viruses, worms, and data hostage threats.
-
Thanks for the suggestion. Note that Staff automatically review all suggestions made in this Ideas Forum, and then contact those who made the requests at the email address entered here https://wordpress.com/me/account if they choose to implement the suggestion.
-
That is fine. Note that I’ve written a program called wp-login.php to put on my websites that do not run WordPress. This program keeps a record of each caller and replies with a threatening message. I hope it does something about all these malicious users who exploit the security holes in WordPress.
So far, I’ve learned that most of these probers are single-use IP addresses. I have learned that some unscrupulous hosting companies have paid arrangements with regional Internet registry organizations like ARIN and RIPE to obtain as many IP addresses as they like.
While it may seem like the malicious probers are anonymous and cannot be touched, their very connections with these standard IP providers are their weak point. Programs like my wp-login.php could become honeypots to provide antivirus services with lists of malicious IP addresses which could then be traced back and put out of business quickly through their ISP, hosting, or domain name registry dependencies.
Also, perhaps someday WordPress itself might become more responsible in reducing the amount of malware that is distributed through it. There is a lot that WordPress itself could do to put the malware purveyors out of business, or just to block them from posting viruses. All it takes is the will to accomplish greatness.
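The log review described in the first post and the caller record kept by the honeypot wp-login.php in this post come down to the same defensive step: pull the wp-login.php hits out of an access log and summarise them per source address. The following Python is an added example, not code from either poster; the log lines are constructed samples in Common Log Format and the IP addresses are documentation ranges, not real probers.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format). The host serves
# no WordPress, so every request for wp-login.php is a probe, not a user.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 404 512
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php?redirect_to=/ HTTP/1.1" 404 512
203.0.113.10 - - [10/Oct/2023:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 1024
this line is not a valid log record
"""

# Fields of a CLF record: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical name for the decoy/probe path; the page's own example is wp-login.php.
PROBE_PATH = "/wp-login.php"

def parse_line(line):
    """Parse one CLF line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_report(log_text):
    """Count wp-login.php requests per client IP.

    Returns (hits_per_ip, single_use_ips): hits_per_ip is a Counter keyed by
    IP, single_use_ips lists addresses seen exactly once, which the post
    above reports as the common pattern for these probers.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not valid log records
        path = rec["path"].split("?", 1)[0]  # ignore query string
        if path == PROBE_PATH:
            hits[rec["ip"]] += 1
    single_use = sorted(ip for ip, n in hits.items() if n == 1)
    return hits, single_use

if __name__ == "__main__":
    hits, single_use = probe_report(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} request(s) for {PROBE_PATH}")
    print("single-use probers:", ", ".join(single_use))
```

The per-IP counts are what a honeypot page would hand to a blocklist or an abuse report; running this over a real access log only requires replacing SAMPLE_LOG with the file contents.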
-
This isn’t an issue here on WordPressdotcom since our sites are regularly updated behind the scenes by support and jetpack is installed here by default, including protection from brute force attacks. Here on WordPressdotcom the main security issue is usually lack of best security practices by the site owner/user and we have an entire FAQ covering that: https://en.support.wordpress.com/security/
When users of the standalone WP software don’t update their WP installs and plugins, that is when it is vulnerable to hacks, not WP itself. So if you think this is something of interest to those users, you can suggest it over at the forums for standalone WP at https://wordpress.org/support
-
Okay, I will do that. I find your complacency shocking. As I said already, most of the viruses I have seen (I don’t click on virus links in emails) have been on WordPress sites. Your shifting the blame to your users is shocking and not a little arrogant. I think I’m done with this thread.
-
Hello again, outdated and insecure WP installs and plugins are a part of the problem.
But as I mentioned earlier, this isn’t an issue here on WordPressdotcom where you’ve posted. For reference: https://en.support.wordpress.com/com-vs-org/
-
@nsrusa Part of the reason we offer a service here is so that our users won’t have to worry about security (aside from taking care of their own passwords and 2FA). So these things aren’t really relevant to them as site owners on our servers. They would not be able to rename wp-login, for example, because they aren’t maintaining the software… we are.
Also while we don’t rename wp-login, we do have many other security measures in place.
This information would apply well to self-managed WordPress.org installations, though, so I would encourage you to post there instead. I’ll go ahead and close this thread. Cheers!
- The topic ‘Let's plug up #1 way that viruses spread: wp-login.php’ is closed to new replies.