A few days ago, our website experienced a global hack attack. When I say global, I really mean global. Our hackers were from, and this is a short list, Egypt, Korea, Ukraine, Russia, Spain, China, and even the good ol’ US of A, which is a sad commentary in and of itself.
Fortunately, we had implemented security measures to at least minimize the attack. The first thing was to put the website in lockdown, meaning, make it harder to get away with the attack. Next, we immediately began blocking the attackers’ IP addresses, and there were hundreds. Finally, we waited patiently for the storm to subside. All told, the attack lasted for a couple of hours.
Unfortunately, the fun doesn’t end there. This morning, a client website experienced the exact same attack. In this case, however, it has been going on for over 8 hours as of this writing. Since we created the site, we also implemented the same security as on our own site and have successfully staved off the attack. Oh, but what a tedious process to block EVERY offending IP address, which number in the thousands. After the first 3 or 4 hours, we made the decision to lock the website against all countries outside the United States. That way, we just don’t have to worry about manually blocking all the individual addresses. This hasn’t stopped the attack, but it sure did take the wind out of their sails.
I’m sure by now you are wondering about the nature of these attacks. In our case, the attackers are trying to exploit a program that allows WordPress websites to communicate with other programs and/or devices. For instance, some websites have a social media feed like Facebook or Twitter that uploads postings to a web page. Without the special program, they wouldn’t be able to do that. That interface program is named xmlrpc.php. Hackers try to gain access by sending it login attempts with generic usernames, such as “admin”, “test”, or “administrator”, over and over. Since many inexperienced website developers do not change the default values for the sites they create, those sites can easily be exploited.
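The attack described above leaves a very recognizable trace in the web server’s access log: one address posting to xmlrpc.php far more often than any real integration would. The following script is an added example (not code from this post or from WordPress) that reads Apache/nginx combined-format log lines, counts xmlrpc.php POSTs per source address inside a sliding time window, and prints the addresses that cross a threshold together with ready-to-paste Apache 2.4 `Require not ip` lines. The log lines, IP addresses, threshold and window size are all constructed for the example and should be tuned for a real site; WordPress answers a failed XML-RPC login with an HTTP 200 carrying an XML fault, so the script keys on the request path, not the status code.

```python
"""Flag source addresses hammering xmlrpc.php in a combined-format access log.

Added example for this post. The sample log, the threshold and the window are
constructed assumptions, not values taken from the incident described.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two addresses repeatedly POSTing to xmlrpc.php, one
# legitimate-looking single POST from another WordPress site, and normal page views.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:08:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:08:00:04 +0000] "GET /about/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:08:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:08:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.4; https://example.org"
203.0.113.7 - - [10/Mar/2024:08:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:08:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:08:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 560 "-" "Mozilla/5.0"
this line is not a valid log record
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_xmlrpc_abusers(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map each source IP to its peak number of xmlrpc.php POSTs within any
    `window`-long span, keeping only IPs that reach `threshold`.

    Status codes are ignored on purpose: a failed XML-RPC login is an HTTP 200
    with an XML fault in the body, so request volume is the useful signal.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def block_rules(flagged):
    """Apache 2.4 directives for the flagged IPs; place them inside a
    <RequireAll> block together with `Require all granted`."""
    return [f"Require not ip {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    abusers = flag_xmlrpc_abusers(SAMPLE_LOG)
    for ip, count in sorted(abusers.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {count} xmlrpc.php POSTs in window")
    print("\n".join(block_rules(abusers)))
```

Run against a real log with `flag_xmlrpc_abusers(open("access.log").read())`; raising the threshold or shrinking the window trades sensitivity for fewer false positives, and a legitimate integration that talks to xmlrpc.php (the 192.0.2.9 line above) stays below a sensible threshold because it posts once, not hundreds of times.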
Of course there are other ways to hack a WordPress website. The biggest one is to not actively manage and update the WordPress program itself. Many businesses and users either create or pay for a website to be created and then don’t touch it for 1, 2, or even 3 years. When this happens the website doesn’t receive needed security and programming updates and becomes very vulnerable to programming exploits and the like. It is these websites that hackers look to exploit and take control of. In a few short words, they are looking for the low-hanging fruit. Usually, by the time the hack has been discovered, significant damage has been done, the site has been posted on “blacklists”, and its mail is rejected by spam filters.
Have no fear, though. We can still regain control of the website and put an end to the attack. Sometimes it necessitates the complete erasure of the website to remove all the hidden scripts, backdoors and bots that have been placed, but it can be done. Once control has been regained and the hackers expelled, security software can be implemented, passwords changed, core programs updated, and malicious content removed. Once that happens, the healing can begin and you, and your business, can repair your reputation and get back to the business of doing business. This time, however, with security in place, active monitoring, and regular, complex password changes.
If you believe your website has been hacked, or just need a security review because it’s been a while, give us a call.