Wordpress attacks? Stupid Hackers or Bloggers?

I maange the Military Libraries Division of SLA website and blog (http://military.sla.org/) .  It appears to be under “attack” today as reported via the WordFence plugin I use.  Someone keeps trying to login as administrator about every five to thirty minutes since about midnight last night.  This is not unusual.  What is interesting is to look at the reports I get from WordFence via email.  The hackers keep using usernames including the following:

  • admin
  • root
  • military
  • military.sla.org
  • sla

Are there still WordPress people out there that haven’t deleted or blocked the “admin” username?  Are admin accounts that easy to hack into in WordPress?

Currently the hack attempts seem to be coming mostly from Brazil and China.


What WordPress Site Owners Need to do About the HeartBleed Vulnerability

On Apr 9, 2014 10:02 AM, "Wordfence" <list> wrote:

Dear WordPress Publisher,

If you would like to stop receiving WordPress security alerts and product updates from Wordfence, you can click here. You subscribed to this list via the Wordfence security plugin for WordPress. If you find this alert helpful, please give us a 5 star rating on WordPress.org.

There is serious vulnerability which has been dubbed HeartBleed in the OpenSSL library which is what most sites on the internet use to allow their visitors to connect securely to their websites. On a scale of 1 to 10 when it comes to security vulnerabilities for WordPress site owners, HeartBleed is an 11.

We have mirrored this email on our blog and will be updating it as needed and responding to comments there.

The bug allows remote attackers to read 64k of memory of systems running the newest versions of openssl which do not contain the fix. That means an attacker can read your server’s memory and pluck out usernames, passwords, the secret keys of your SSL/TLS encryption to crack secure communications and other sensitive information.

Apache and Nginx are the most popular web servers on the Internet and they are the largest users of openssl which contains this vulnerability. Together they comprise 66% of market share of all servers on the Net according to Netcraft. These servers are by far the most common used for WordPress sites which is why HeartBleed affects so many WordPress sites.

What to do:

If you don’t run a WordPress site that uses HTTPS (which lets your users connect securely using their web browser) then you don’t have to worry about this.

If you do have HTTPS enabled on your WordPress site, even if you aren’t transmitting sensitive information, you need to respond to this threat immediately. Here is what you need to do about HeartBleed as a WordPress site owner:

If you use a hosting provider, as most WordPress site owners do:

If you use a hosting provider then you usually don’t control your site at the operating system level. So check with your WordPress hosting provider to find out TWO things:

  1. Were they vulnerable to HeartBleed?
  2. Have they fixed it?

If your WordPress hosting provider was vulnerable to HeartBleed then you need to ask them if they have revoked and reissued their SSL/TLS site certificates. The reason they need to do this is because the SSL/TLS private keys for your site may have been read from server memory and compromised. If they haven’t fixed it then they need to fix it urgently because it has been 2 days since the public (and some are saying irresponsible) disclosure of HeartBleed.

If your WordPress hosting provider was vulnerable to HeartBleed, you need to change all admin passwords on your site and you need to email all your users and ask them to change their passwords. The reason for this is because our server memory was temporarily readable by any attacker and they may have read user passwords or other sensitive info from your memory. For example, the popular site ArsTechnica has been hit by this issue and is asking their users to change their credentials.

The larger impact of this vulnerability

While your WordPress site may be affected and may have been targeted, it’s more likely that high profile sites would have been targeted to steal user information and decrypt secure channels. With that in mind it’s important that you change your usernames and passwords on the Net, particularly sites that you have signed into since April 7th when the vulnerability was released.

If you run your own WordPress site at the operating system level:

Here is the official HeartBleed vulnerability announcement on openssl.org.

OpenSSL versions 1.0.1 and 1.0.2-beta releases are affected including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

Are we vulnerable at www.wordfence.com?

No. We are running a version of openssl that is not vulnerable, so thankfully we were not affected by heartbleed.

If you found this alert helpful, please give us a 5 star rating on WordPress.org on the right of the page.

Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.