I was checking my syslogs yesterday and I noticed a lot of entries that started with the word ALERT and seemed to relate to someone or something trying to force their way into some of my sites. Entries like:
- ALERT – tried to register forbidden variable
- ALERT – ASCII-NUL chars not allowed within request variables – dropped variable
I also saw a lot of FTP action in there:
Feb 10 05:38:25 web1 pure-ftpd: (?@120.36.50.XX) [INFO] New connection from 120.36.50.XX
Feb 10 05:38:26 web1 symbiosis-check-ftp-password: Non-existent domain “couk” from 120.36.50.XX for ftp service
Feb 10 05:38:26 web1 symbiosis-check-ftp-password: ftp login failure from IP: 120.36.50.XX username: “couk”
Feb 10 05:38:29 web1 pure-ftpd: (?@120.36.50.XX [WARNING] Authentication failed for user [couk]
Feb 10 05:38:29 web1 pure-ftpd: (?@120.36.50.XX) [INFO] Logout.
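One way to turn pure-ftpd entries like the ones above into a per-source view of repeated failed logins, as an added example that is not part of the original post. The sample lines are constructed (documentation IP addresses, made-up usernames), and the threshold, window and ASSUMED_YEAR values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# pure-ftpd failure line; ")" is optional since one line in the post's excerpt lacks it.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(\?@(?P<ip>[^)\s]+)\)? \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)
ASSUMED_YEAR = 2000  # assumption: syslog timestamps carry no year; any fixed year works

def parse_failures(lines):
    """Yield (timestamp, ip, username) for each failed FTP login."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def brute_force_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: sorted usernames} for IPs with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

# Constructed sample input (documentation IP ranges, made-up usernames).
SAMPLE = """\
Feb 10 05:38:25 web1 pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Feb 10 05:38:26 web1 symbiosis-check-ftp-password: ftp login failure from IP: 203.0.113.7 username: "couk"
Feb 10 05:38:29 web1 pure-ftpd: (?@203.0.113.7 [WARNING] Authentication failed for user [couk]
Feb 10 05:38:41 web1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Feb 10 05:39:02 web1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [www]
Feb 10 09:15:10 web1 pure-ftpd: (?@198.51.100.20) [WARNING] Authentication failed for user [mike]
""".splitlines()
if __name__ == "__main__":
    for ip, users in brute_force_sources(SAMPLE).items():
        print(f"{ip}: repeated FTP failures, usernames tried: {', '.join(users)}")
```

Only the pure-ftpd warning line is counted, so the matching symbiosis-check-ftp-password line for the same attempt does not double the total.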
I run the excellent Wordfence plugin on my sites to help bolster their security. I read the Wordfence blog from time to time, and this morning I came across their post from yesterday:
Large distributed brute force attack underway
It seems that there has been an increase in attacks on WordPress sites over the past day or so. The blog says:
Starting at 11am EST this morning we saw a roughly 30 times increase in the volume of brute force attacks across WordPress websites running the WordPress.org software. The attack ramped up so quickly that we initially questioned the data we were seeing and immediately deployed code to verify that the reports we were receiving were accurate and not an attack on our own systems. Within a few seconds it became clear that the attack was in fact real and being reported from across the universe of WordPress websites.
Even though Wordfence does a good job of keeping my sites safe, seeing this has made me go back to check and update my security settings, all the usual things that you should do with WordPress:
- Strong passwords on all user accounts
- Strong passwords for FTP & SFTP*
- Security housekeeping for user accounts & plugins
Now is as good a time as any to check your WordPress security before it is too late. 10 minutes now will save you a world of pain rebuilding sites.
*I’ve removed SFTP access on some sites; I can turn it back on as and when I need it.