Google Banning Thousands of WordPress Sites due to Malware Attacks

Over 70 Million websites use WordPress as a content management system. While the software is extremely popular and powerful, the abundance of 3rd-party plugins creates multiple opportunities for hackers. Internet Assure works to shore up the defenses for WordPress sites and provide a plan for backup and recovery for when issues ultimately arise.
According to a December 16th article by ZDNET, at least 100,000 self-hosted WordPress websites have been potentially compromised by malware over the past couple of weeks due to a plugin that many developers may not even realize is installed. Internet Assure is working to help website owners not only recover but to implement a system that speeds up services and helps prevent and recover from future attacks.
Another recent report on ZDNet says that since May this year, critical WordPress plugin vulnerabilities have affected four popular plugins that have nearly 20 million downloads.
Full Article: http://www.tntnames.com/blog/google...rdpress-sites-due-to-new-malware-attacks.html
 
4
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Read the article and it mentioned 4 popular WordPress plugins..wonder what they are?
 
0
•••
Read the article and it mentioned 4 popular WordPress plugins..wonder what they are?

A couple are Slider Revolution and Showbiz Pro. I had Revolution Slider come with a theme and got a notice a few weeks ago from my host.
 
1
•••
WordPress vulnerabilities on outdated versions are getting out of hand. It is both good (and bad) that Google is finally taking action. Can't wait to see the ripple effects it has on those innocent sites that are wrongfully banned or penalized :(
 
0
•••
Has yet to hit my blog.
Google is always nice to me.
 
1
•••
Malware ripped through a couple of my hosting accounts, really effed me up about 3 weeks before Xmas. I am being a lot more careful about any of my WordPress sites, now. No extraneous plugins or themes, everything is updated daily, security is installed properly, etc.

I am also considering some other website design software options, since a lot of the malware jerks seem to look for WordPress sites to maul.
 
0
•••
The bigger the product, the bigger the target. WordPress is a target because it is so popular. Same reason Windows has always been a major target. To their credit, they patch quickly when something is found. WordPress hacks are low-knowledge low-skill attacks - attackers have their botnet run a script they got somewhere.

Update promptly, don't take defaults in your configuration (don't ever use "admin" for your admin user!!), install and use one of the WP security plugins (most of them do some type of IDS and can alert if a core WP file is changed), hide/rename wp-login, limit login attempts, set strong passwords...

I hate sliders to begin with (they're evil from a conversion standpoint), so that specific threat missed me. I also don't use dodgy random themes.

Once you get the malware off your site Google should reinstate. As long as it doesn't happen so often that you get a "history,"
 
1
•••
So what are people using? I've seen these posted here:

Simple Firewall

Wordfence plugin

Sucuri
 
0
•••
I didn't realize the size of the problem until I put my main WordPress site on a VPS. I elected to get an email from my hosting company whenever there is a failed login attempt (after five tries). There have been 19 in the 12 hours since midnight.

They come from every country in the world and have really picked up in the last few days. I don't know if they all got a hacking software update in their Christmas stocking or if they have more time to play over the holidays.
 
0
•••
I use .htaccess so that only my IP can login.
 
3
•••
I didn't realize the size of the problem until I put my main WordPress site on a VPS. I elected to get an email from my hosting company whenever there is a failed login attempt (after five tries). There have been 19 in the 12 hours since midnight.
Not unusual. Those are botnets running scripted brute force attempts. Watch those for a few days and you'll see why you should never use default user names.

I use .htaccess so that only my IP can login.
Which is great if you have a static IP (and don't have other users). If you don't, you can try to limit to your ISP's IP range.
 
1
•••
Have static IP and no other users.
Plus hosting company has protection for bots, etc.
 
1
•••
Plus hosting company has protection for bots, etc.

Well yes, they all do to some extent. Sony thought their security was pretty bulletproof too - just sayin' ;).

(The worst security threats are internal - employees or other customers. Scripted attacks just go for the "low hanging fruit".. unfortunately there's enough of that to keep them in business.)

A vulnerability like the one we're talking about in the Revolution Slider doesn't require bots or the ability to log in - a normal user could do it. It involved a very serious oversight that allowed them to grab and exploit the wp-config file directly - this is known as a "Local File Inclusion" attack. They gained access and planted the malware through the browser.

The suggestions I gave wouldn't have stopped this either - possibly something monitoring the database would have caught it, if it was designed to tell the difference between the attack and normal activity. While it's easy to monitor files that make up a CMS, you can't indiscriminately flag database changes without annoying your customers with a slew of false positives.
 
Last edited:
0
•••
So what are people using? I've seen these posted here:

Wordfence plugin

I believe that is done by WP themselves, i.e. Automattic.

If you look at stats you see repeated hits on the login page - one seems to try about 1250 attempts each time.

Also do not have the login names correspond to visible names on the site - saw a site get hacked that way, and temporarily flagged as unsafe to visit by Google - the owner had their own name in their domain, used as a login with a weak password. Why does WP insist on posting author names and profile pages? I block all public references to those, as well as access to the login page.

Why WP does not limit login attempts I do not know - Drupal stops you at 5.
 
1
•••
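The repeated login-page hits described in the posts above can be pulled straight out of a web server access log. This is an added example, not any poster's code: it assumes the combined log format and WordPress's default behaviour of answering a failed login with 200 and a successful one with a 302 redirect, uses the five-attempt threshold mentioned in the thread, and runs on constructed sample lines with documentation IPs.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def summarize_logins(lines):
    """Count failed (200) and successful (302) POSTs to wp-login.php per client IP."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-matching line
        ip, method, path, status = m.groups()
        if method != "POST" or not path.split("?", 1)[0].endswith("/wp-login.php"):
            continue
        if status == "200":      # assumption: form re-rendered = failed login
            stats[ip]["failed"] += 1
        elif status == "302":    # assumption: redirect = successful login
            stats[ip]["succeeded"] += 1
    return dict(stats)

def triage(lines, threshold=5):
    """Flag IPs at or over the failure threshold; one that also logged in is urgent."""
    report = {}
    for ip, s in summarize_logins(lines).items():
        if s["failed"] >= threshold:
            report[ip] = ("investigate: repeated failures plus a successful login"
                          if s["succeeded"] else "block: repeated failures")
    return report

def make_line(ip, method, status):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [01/Jan/2015:00:00:00 +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 1234 "-" "-"')

# Constructed sample log (documentation IP ranges, not real traffic)
SAMPLE_LOG = (
    [make_line("203.0.113.7", "POST", 200)] * 6
    + [make_line("198.51.100.9", "POST", 200)] * 5
    + [make_line("198.51.100.9", "POST", 302)]
    + [make_line("192.0.2.10", "POST", 200), make_line("192.0.2.10", "POST", 302)]
    + [make_line("192.0.2.10", "GET", 200), "garbage line"]
)

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(ip, verdict)
```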
You can install plugins to limit login attempts. ...
 
1
•••
SONY was internal hacking.
Just saying.
 
0
•••