Brute force attack on WordPress and Joomla powered sites

12 April 2013 | by Chris Merrett

Like many other hosting providers, we've seen signs over the past 48 hours of increased attempts to access and compromise popular CMS and blog web applications such as WordPress and Joomla.

Whilst there is the clear risk of having your CMS compromised, the more immediate threat posed here is a denial of service: the volume of login attempts will make your sites slow and, in some cases, completely exhaust the resources available to your services, causing a system crash.

Just for clarity, this is not isolated to us at Melbourne. It's a global attack across a wide range of web hosts on the Internet, coming from a large number of IP addresses, i.e. a botnet.

There are a few things you can do immediately in order to reduce the risk of being affected, but please be aware that these are all intended to be temporary fixes to what is likely to be a temporary problem.

Improve your password and check plugins

We strongly recommend updating your web application admin passwords to something very secure, if they're not already. This should apply to any user that has admin access to a WordPress or Joomla installation.

A random string of letters, numbers and symbols is best. Microsoft have some advice on what they consider a secure password.

We'd also recommend installing security plugins and extensions from trusted sources if you have not done so already.

How to lock down WordPress

There are a few ways you can negate the effect of the attack against your WordPress installation, but the most effective (and least disruptive to service) is to limit access to the wp-login.php script, which appears to be the focus of the attack. Adding the following to the .htaccess file in your CMS root will limit access to the login script to a single IP address (replace xxx.xxx.xxx.xxx with your own IP address; the dot in the file name is escaped because FilesMatch takes a regular expression):

<FilesMatch "^wp-login\.php$">
Order Deny,Allow
Allow from xxx.xxx.xxx.xxx
Deny from all
</FilesMatch>

Alternatively, you can block access to everyone by tweaking that slightly to the following:

<FilesMatch "^wp-login\.php$">
Order Deny,Allow
Deny from all
Satisfy All
</FilesMatch>

If you prefer, these fixes can be added to your global httpd.conf or apache2.conf in order to block access to these files for all virtual hosts (sites), which is useful for shared hosting providers. Note that Order, Allow and Deny are the Apache 2.2 access-control directives; Apache 2.4 only honours them when mod_access_compat is loaded, and otherwise needs the equivalent Require ip and Require all denied directives.

Additional password protection is another option, should you be familiar with Apache's htpasswd features.

Another alternative fix would be simply to rename your wp-login.php file to something else, such as wp-loginXXXXXXXX.php, where XXXXXXXX is a randomly selected eight-digit number. We'd also recommend making use of the Limit Login Attempts plugin (currently at version 1.7).

How to lock down Joomla

The temporary fix is very similar. Note that FilesMatch matches against the file name only, never the directory part of the path, so a pattern such as ^administrator/index.php$ would never match anything. Instead, put the following into a .htaccess file inside the administrator directory (or, in httpd.conf or apache2.conf, wrap it in a <Directory> block for that directory):

<FilesMatch "^index\.php$">
Order Deny,Allow
Allow from xxx.xxx.xxx.xxx
Deny from all
</FilesMatch>

Alternatively, you can block access to everyone by tweaking that slightly to the following:

<FilesMatch "^index\.php$">
Order Deny,Allow
Deny from all
Satisfy All
</FilesMatch>
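As an added example (not part of the original post), the following Python script scans Apache access log lines for bursts of POST requests to the two login scripts discussed above, wp-login.php and administrator/index.php, and renders Apache 2.2 Deny from lines for the offending addresses, ready to drop into the FilesMatch blocks. The log lines, the threshold of five attempts and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:01:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:06 +0100] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:07 +0100] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:02:10 +0100] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:05:40 +0100] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:02:15 +0100] "GET /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, path, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}

def parse_login_posts(log_text):
    """Return {ip: [timestamps]} for POST requests to the login scripts only."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            posts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return posts

def find_bruteforcers(log_text, threshold=5, window_seconds=60):
    """Flag IPs with `threshold` login POSTs inside any `window_seconds` span."""
    flagged = {}
    for ip, times in parse_login_posts(log_text).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)  # total login POSTs seen from this IP
                break
    return flagged

def deny_rules(ips):
    """Render Apache 2.2 'Deny from' lines to drop into the FilesMatch block."""
    return "\n".join(f"Deny from {ip}" for ip in sorted(ips))

if __name__ == "__main__":
    print(deny_rules(find_bruteforcers(SAMPLE_LOG)))
```

Run it against a real access_log instead of SAMPLE_LOG to see which addresses are hammering the login scripts; the two slow attempts from 198.51.100.4 stay below the threshold and are not flagged.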

In conclusion...

We're continuing to monitor the attacks as they develop and working proactively with managed customers, where possible. If you have any queries, or require assistance with locking down WordPress or Joomla, please get in touch via the support centre.

Chris Merrett, Senior Linux Sysadmin @ Melbourne