Possible attack on WordPress Via Doss Attack..and other sites..(Maybe)
-
Just got the below email.
I subscribe to a site that tells me if there are sites that may be under attack. This is the email below. I am just letting you know. I don’t know if it is true or not.. I also did this WARNING people to NOT click links!! http://prayingforoneday.wordpress.com/2013/04/11/wordpress-security-attack-beware/
Email below. Just in case, I am letting you know.
Kim here…
Virtually every web hosting company is currently under attack for the second time this week.
Earlier this week, a lot of hosts had some outages due to a DDOS attack. That’s something only the host can handle.
This time however, the attackers are using a Brute Force Login attack and that is making your sites very vulnerable. (I mentioned WordPress but this actually could easily affect any hosted script.)
If you’re not already using a WICKED GOOD password, now is the time to fix that.
And if you still have an account on your blog with the user ID of “admin” now is the time to fix that!
I would advise installing the free, stable, well-trusted plugin called “Login Lockdown” as well. It’s a well known security plugin but I feel it’s highly needed at this moment. Even if you don’t usually bother with security. Install & activate and it works instantly.
(You can safely ignore that this plugin is old. This one is not a risk. There’s simply been no need to update it as it works so well.)
More details. http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/
As soon as I get this email out to you, I’m going to write a blog post about Login Lockdown. You’ll find it at http://just-ask-kim.com/wp-login-lockdown/ as soon as it’s finished.
In Service To Your Safety
~ Kim ~
PS: Got questions? Drop by my Facebook Page wall and jot them there and I’m happy to answer as I can… see you there! https://www.facebook.com/Ask.Kim
-
I’ve been seeing brute force login attempts on my client’s WordPress sites for over two weeks, so this is old news to me. I’m seeing peaks of 150 per minute on a couple of sites, mine included. What has changed today is that they are not just going after “admin” usernames, they are seriously mixing things up and I’ve had to change a couple of usernames because they were getting dangerously close.
WordPress.com though has seriously good people on the server side of things and they seriously know their stuff. Very little for anyone here to fear.
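
The per-minute peaks described in the post above can be measured on a self-hosted WordPress site from the web server's access log. This is an added example, not part of the original thread: it assumes Combined Log Format, and the log lines, addresses and the `find_peaks` and `sample_log` names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: client IP, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_posts(lines):
    """Yield (minute, ip) for each POST to wp-login.php, skipping anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed line, or a page view rather than a login attempt
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparsable timestamp
        yield ts.strftime("%Y-%m-%d %H:%M"), m["ip"]

def find_peaks(lines, threshold=150):
    """Return {minute: (attempts, distinct_ips)} for minutes at or above threshold."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for minute, ip in login_posts(lines):
        attempts[minute] += 1
        sources[minute].add(ip)
    return {m: (n, len(sources[m])) for m, n in sorted(attempts.items()) if n >= threshold}

def sample_log():
    """Constructed sample: one quiet minute, then 160 POSTs spread over 40 addresses."""
    fmt = '{ip} - - [12/Apr/2013:10:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" {st} 512'
    lines = [
        fmt.format(ip="198.51.100.7", mm=0, ss=5, req="GET /wp-login.php", st=200),
        fmt.format(ip="198.51.100.7", mm=0, ss=9, req="POST /wp-login.php", st=302),
        "truncated line without a request",
    ]
    for i in range(160):
        lines.append(fmt.format(ip=f"203.0.113.{i % 40 + 1}", mm=1, ss=i % 60,
                                req="POST /wp-login.php", st=200))
    return lines

if __name__ == "__main__":
    for minute, (n, ips) in find_peaks(sample_log()).items():
        print(f"{minute}  {n} login POSTs from {ips} addresses")
```

Counting distinct addresses alongside total attempts shows whether a peak comes from one client or is spread across many, which a per-address lockout alone would not reveal.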
-
Shaun,
WordPress.com Staff is fully on top of DDOS attacks. Posting this is not helpful. We do not have FTP access and cannot install plugins and what you posted pertains to WordPress.ORG installs. In that regard you can count on the fact that all Staff and all regular Volunteers and all experienced bloggers already know what you shared and even more besides. What you have done by posting this is promote a WordPress.ORG blog and that means that uninitiated new WordPress.com bloggers will be clicking in there and be misled.
-
Don’t worry, you’re completely safe here. We monitor for these things constantly, and we already limit login attempts.
However, if you’re still concerned, it’s a great time to enable two step authentication: http://en.blog.wordpress.com/2013/04/05/two-step-authentication/ :)
-
Ok I have trashed it.
I just thought it may be a good idea to let people know, to change passwords. Many have said sites are being attacked. Twitter went down after I got one of these emails last year for an hour or two for many. I thought I was doing the right thing… The blog is deleted.
I am sorry..
-
@praying, this isn’t a bad thing you did, and don’t let anyone tell you it was. It is always good for people to be reminded of security issues. I’ve made a whole lot of money off of sites that had lax security and ended up getting cracked.
At WordPress.com, there is far less to worry about in general, but the user’s password is still the weakest link, so if people go in and change them to a very strong password, or go for the two-step login staff-blorbo referenced, it can only make things more secure and in the long run better for all.
-
Yeah it’s cool :-) Just over helpful (lol)
I should have (with hindsight) just posted it here.
I am PC Tech and know these idiots can and do get in. In future if I hear of an @n0n or whoever attack, I will post it here.
That cool?
Shaun
-
completely safe here
staff-blorbo – not to argue but all things are relative and even an event that has a chance of 10 to the minus 50 chance in a year of happening does from time to time happen –
That said I think the last time WordPress.COM had an issue is when there was a world wide attempt to take down Wiki-Leaks and they shared some server farm resources – things slowed down here and the attack graph went off the top like a rocket – but nothing was lost
The use of a good password is always a good idea however – and it is comforting to know that some of the best server side people work at keeping our sites safe
-
We are already far more aware than you are of threats to WordPress.com and to WordPress.org security. You post here frequently and have little to no deep content of any kind on your blog. I think you are best served by creating original content for your blog rather than fretting over this stuff.
-
The whole nine yards when it comes to security provisions for WordPress.com bloggers is here > http://en.support.wordpress.com/security/
-
not to argue but all things are relative and even an event that has a chance of 10 to the minus 50 chance in a year of happening does from time to time happen
True, I guess what I meant is that we’re always on the lookout for these things and ready to act to the extent of our abilities if/when they do happen.
-
If Anonymous decides to attack WordPress.com, I will deal with it. WordPress.com is actually the host of choice for Anonymous, both because of the security and because of the protections for freedom of speech. Every site on the internet is a possible target for a DDoS attack, but the way WP.com is set up is naturally resistant to such attacks.
-
@Shaun
It was aimed at you and I do admit that it was a bit sharp. Having said that, I apologize for not saying the same thing in a warm and fuzzy way. But I stand by what I said. I truly think it’s in your best interest to start developing some content that has some depth to it. The reason why I say that is that bloggers who do not uncover their passion and start blogging it are lost by the wayside very quickly. Did you know that the vast majority of all blogs founded today will be either abandoned or deleted in less than one year? My best advice is to uncover your passion and focus on blogging it so you are still blogging a year from now.
-
staff-blorbo – I know that WordPress.COM never sleeps and the security and reliability are always alert and doing a great job – for you the stakes are too high to do anything less than the best job possible – but the word “completely” was just too big of a softball over the plate to resist
the reliability and the tech service was one of the big reasons I moved my site here – much less for me to worry about
Keep up the good work!!
-
TimeThief I never get insulted nor angry, I love this place. And if I can be honest for a second. ANY TIME I have posted here, it has been a Question about Word Press as I am no expert on Word Press.
Telling me to
“You post here frequently and have little to no deep content of any kind on your blog. I think you are best served by creating original content for your blog rather than fretting over this stuff”
Was both very rude and utterly out of order. I have always come here, asked a question, been nice, tried to ask simple questions about things I was stuck with..
Is this how Word Press treat all people who would rather ask a question than make a mistake and break their blog?
You say I have nothing on my blog? I have 30+ awards.. I am Disabled, I care, and I would NEVER be as rude as you.. I am sorry, but I, unlike you, do say things in a “Warm Fuzzy Way”, as being nasty and having a go at a disabled person’s blog is a bit out of order. I have thanked you MANY TIMES in the past for your help. This is support, its job is to help. I used and paid for the Pro account for a year while blogging sport and was thinking of paying to go pro with this Blog. But as a disabled person, to be told my blog has no “deep content of any kind” I will think twice..
I won’t bother Word Press Support again, and I am sorry for coming here TimeThief and ruining your time with my Questions. If you are part of Support, then you are poor at it. If you are not part of Support, then I suggest you don’t comment on things, as that was just utterly, utterly degrading !!!
Kindest Regards and sincere apologies for wasting your time
I won’t come here and annoy you again with my poor blogging.
Shaun
- The topic ‘Possible attack on WordPress Via Doss Attack..and other sites..(Maybe)’ is closed to new replies.