Important information for WordPress users

12/04/2013

Posted in: Heart Internet

Update 23/04/2013: We have now introduced a page with a captcha to help address the ongoing attempts by the botnet to access WordPress and Joomla websites. When you go to your admin/login page you will be asked to enter the captcha to continue. We feel this is a more elegant, user-friendly and secure approach. The page looks like this…

[Image: website security captcha page]

Web hosts across the world are currently experiencing a huge DDoS attack that is specifically targeting WordPress installations on shared hosting platforms.

A number of other web hosts have started removing access to wp-login; however, we don’t want to do this, as it means you can’t access your website’s WordPress control panel. We are going to add an extra layer of security to help fend off this attack and still give you access to your control panel.

Whilst this attack is ongoing, you may find that when trying to log in to your WordPress Admin you are prompted for a username and password not previously required (in addition to your usual login details). The credentials for this login are:

Username: protected

Password: wordpress

This automated attack is affecting WordPress websites globally and is not targeted at a particular web host, which is why we’re happy to make the login details above public.

As soon as normal service is resumed, this prompt will be removed and the above credentials will no longer be required. We appreciate your patience during this time, and will update www.webhostingstatus.com once this has been resolved.
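The attack described above is an automated, distributed set of login attempts against wp-login.php. The Python script below is an added example, not Heart Internet’s code and not from the original post, showing how a host or site owner could spot that pattern in an Apache combined-format access log. The log lines are constructed for the example, not real traffic, and the 60-second window and five-attempt threshold are assumptions to tune per site.

```python
"""Spot distributed brute-force attempts against wp-login.php in Apache
combined-format access logs.  Added example; sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (documentation IP ranges, not real visitors).  It
# mimics the pattern in the post: many different IPs POSTing to wp-login.php,
# each with a different browser-like User-Agent, plus some normal traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:12:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"
203.0.113.11 - - [12/Apr/2013:12:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0 (Macintosh) Safari/536.26"
198.51.100.7 - - [12/Apr/2013:12:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0 (X11; Linux) Firefox/20.0"
203.0.113.12 - - [12/Apr/2013:12:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0 (Windows NT 5.1) MSIE 8.0"
198.51.100.8 - - [12/Apr/2013:12:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Opera/9.80 (Windows NT 6.0)"
192.0.2.50 - - [12/Apr/2013:12:00:04 +0100] "GET /2013/04/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"
203.0.113.13 - - [12/Apr/2013:12:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0 (iPhone) Safari/536.26"
192.0.2.51 - - [12/Apr/2013:12:00:05 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"
203.0.113.14 - - [12/Apr/2013:12:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0 (Android) Chrome/18.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_attempts(lines):
    """Keep only POSTs to wp-login.php; a GET merely renders the form."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            out.append(rec)
    return out


def summarise(lines, window_seconds=60):
    """Group login POSTs into fixed time windows and describe each window.

    WordPress answers a failed login by re-rendering the form with HTTP 200 and
    a successful one with a 302 redirect to the dashboard, so the status code
    separates failures from successes without any application-level logging.
    """
    buckets = defaultdict(list)
    for rec in login_attempts(lines):
        epoch = int(rec["time"].timestamp())
        buckets[epoch - epoch % window_seconds].append(rec)
    summary = []
    for start in sorted(buckets):
        recs = buckets[start]
        ips = {r["ip"] for r in recs}
        summary.append({
            "window_start": start,
            "attempts": len(recs),
            "failed": sum(1 for r in recs if r["status"] == 200),
            "succeeded": sum(1 for r in recs if r["status"] == 302),
            "distinct_ips": len(ips),
            "distinct_user_agents": len({r["ua"] for r in recs}),
            # Many IPs each trying once or twice is the botnet pattern; one IP
            # hammering the form is the classic single-source brute force.
            "distributed": len(ips) / len(recs) >= 0.5,
        })
    return summary


def alerts(lines, window_seconds=60, min_attempts=5):
    """Windows with at least min_attempts login POSTs (threshold is an assumption)."""
    return [w for w in summarise(lines, window_seconds) if w["attempts"] >= min_attempts]


if __name__ == "__main__":
    for window in alerts(SAMPLE_LOG.splitlines()):
        print(window)
```

On the constructed sample the single flagged window holds eight attempts from eight different IPs with seven different User-Agents, which is why blocking by source address or by User-Agent string gets nowhere against this kind of traffic. The one 302 inside the burst is the line worth reading first: a redirect after a POST means the submitted credentials were accepted, so an account on that site should be checked rather than assumed to be the owner logging in.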

Comments

  • Andrew
      12 April 2013 at 12:16

    Thanks for the headsup

    Andrew  
  • gavjof
      12 April 2013 at 12:40

    Thanks. If you’re following things on Twitter you may find CloudFlares’ post of interest:

    http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br

    gavjof  
  • Buzz Killington
      12 April 2013 at 12:46

    You’re posting this on a publicly accessible blog. You guys are idiots.

    Buzz Killington  
  •   12 April 2013 at 12:53

    No we’re not, and we don’t appreciate being called that either.

    This is an extra layer of security before the normal WP login interface. It is not a replacement. The attack is automated and is not specific to us. The person(s) undertaking this attack will not be aware of this password.

    Matthew  
  • Steven Chamberlain
      12 April 2013 at 12:54

    Hi Matthew; I’m seeing this same attack against ~1200 WP sites I manage hosting for. I count around 50,000 bots participating in the attack, globally distributed but particularly from Brazil / South America. They are using a randomised User-Agent of popular browsers. I’m still trying to figure out how to mitigate this myself….

    Steven Chamberlain  
  • Heidi
      12 April 2013 at 12:55

    Thanks HI, your support staff were very helpful when I got in touch for an explanation about the issue. Excellent support service as always.

    Heidi  
  •   12 April 2013 at 13:11

    Hi Heidi,

    That’s great, thanks for that.

    Cheers

    Matt

    Matthew  
  • Admin
      12 April 2013 at 13:51

    Hire an administrator… a real one who knows iptables a bit and knows what to do with that and how to use it against a DDoS… your solution is very lame.

    Admin  
  •   12 April 2013 at 14:49

    Our system administrators provided this response:

    “That would involve checking a packet against 65,000 individual rules before it’s allowed through - bit of a burden to the server doing the checking (not to mention the poor bugger who has to enter 65,000 rules). As hackers change their IP address, that would mean creating 65000 *different* rules, not to mention blocking genuine visitors.”

    Hope that provides a bit of clarity :D

    Jenni

    Jenni  
  • Pete
      12 April 2013 at 15:22

    I can’t tell you how annoying it is to find out about this from a worried client phone call rather than from yourselves. Why on earth don’t you notify your reseller customers by email? The whole point of having a reseller account is that, from the point of view of my clients, the service is being provided by me. So I look pretty stupid when I get a phone call asking me what’s going on and I haven’t a clue. This is not the first time services have been blocked without any proactive notification from yourselves.

    I understand that in the complex world of web hosting things like this will happen and you’ll need to take swift action. All I’m asking for is an email from yourselves which contains a brief overview of the situation. You’ve blogged after all so it’s not really any additional effort on your part and it would make me and your other reseller customers feel like you actually value our business and money.

    Pete  
  • G
      12 April 2013 at 15:24

    I am disappointed with the two negative comments you have received so far.

    First and foremost “Buzz”, name calling like that is pathetic and childish. You should not insult people that you don’t know. I suggest you learn how to be civil!

    Secondly “Admin”, if you think you can come up with a better solution to what they have proposed, why don’t you help them out?!

    If you guys want to query Heart Internet’s work, why don’t you do it in a normal manner.

    “Heart Internet” thanks for the heads up on this, I do think you need to inform your clients directly such as an email regarding this change you are implementing as some people might get confused.

    I’d be interested to find out how you implemented your solution. Are you able to share that information?

    Many thanks,

    G.

    G  
  • Matt
      13 April 2013 at 6:46

    Anything to help protect our sites from these stupid attacks (without disabling access) is much appreciated and as always I find you very helpful and responsive.

    As mentioned above, CloudFlare are providing an option available under their free package, but this is hassle and slightly technical, which will put off many users. However there are some great plugins that help with security, one of which, WP Better Security (http://wordpress.org/extend/plugins/better-wp-security/) - no affiliation - offers basic hardening of your WP site and prompts the user so not even the most technical can do basic hardening, to help reduce certain attacks, including renaming your account name if admin etc…

    As these attacks are currently brute force on admin logins (for accounts named ‘admin’), would it be possible for your custom install scripts to force users not to use certain ‘common’ administrator usernames, as some systems/scripts offer? I know this wouldn’t stop all forms of attack but it definitely would help in this instance.

    Keep up the good work.

    Matt  
  • Gary Hughes
      13 April 2013 at 8:25

    Thanks for acting fast on behalf of your customers and for making it clear in as many places as possible what’s going on. This is a good temporary solution that’s secure enough (bots aren’t going to read blog posts and I doubt WordPress installs hosted on Heart Internet make up a significant enough percentage for the bots to adapt) without locking users out of their sites.

    Gary Hughes  
  • Nutt
      13 April 2013 at 8:32

    Hi guys,

    Thanks for keeping on top of things. It would however have been useful if you had sent this info/warning out in an email to us, as the first I knew was a user calling me halfway through the night, saying their password was not working lol.

    I was also suspicious the site had been hacked as your little pop up didn’t mention Heart Internet, just some random site. Would have been better to have the page under the heartinternet.co.uk domain.

    Anyway keep up the good work.

    Nutt  
  • Jonathan
      14 April 2013 at 22:53

    Thanks for the information. Is that Cloudflare setup anything worthwhile using? One could of course use a WordPress plugin called Limit Login Attempts to do the same thing. Just wondering what thoughts anyone had on Cloudflare.

    Also wonder why mindless idiots have to spend so much time pratting about at other people’s expense…!

    Jonathan  
  • Jonathan
      14 April 2013 at 22:54

    And why I can’t spellcheck my comments before submitting…. that was supposed to be Cloudflare..!!!!

    Jonathan  
  • Kas
      15 April 2013 at 8:10

    I’m not that technical and therefore easily made paranoid, but if the URL which comes up in the redirect message were this page it would have saved me a number of minutes of panicking!

    I assumed that because it was a completely unfamiliar, generic domain (webhostingstatus.com) I was being sent to, my site had been hacked in some way - if I’d been directed to heartinternet I’d have felt much more confident that it was a genuine security measure from you guys!

    Kas  
  •   15 April 2013 at 8:15

    Hi Kas,

    We did that to protect our resellers - we don’t have the ‘Heart Internet’ name anywhere on anything that their customers might see :) Thanks for the suggestion though!

    Jenni

    Jenni  
  •   15 April 2013 at 8:16

    Thanks Nutt, we didn’t mention Heart Internet in the pop up to protect Resellers - can understand your concern though. All’s well that ends well!

    Jenni

    Jenni  
  •   15 April 2013 at 8:18

    Hi Gabi,

    We’re a bit cautious about sharing the details for security reasons, but it might be something we could revisit in a slightly different way at some point.

    Jenni

    Jenni  
  • Tom Fox
      15 April 2013 at 10:09

    thanks for being on it guys…

    Tom Fox  
  • Chris
      15 April 2013 at 10:55

    Well done for taking preventative measures, but you should have sent an email out to your customers about this. Relying on social media and posting on your blog is not enough in this instance.

    A simple email explaining the issue along with your solution could have saved me the major headache of all of my clients asking why their passwords were not working anymore, with me having to rummage around twitter and your blog and check the authentication message (which doesn’t appear on iOS by the way).

    Chris  
  • Tom Fox
      15 April 2013 at 13:42

    Would be nice to have a nicely researched blogpost on wordpress security in general. Maybe this has been done already…

    Tom Fox  
  • David Hardstaff
      15 April 2013 at 14:38

    Nice one - I appreciate you taking the effort to protect our sites. It confused me for a moment or two when it first came up, and refused to accept my normal logins, but it didn’t take long to google the message and arrive straight at this blog post.

    Thanks for being proactive!

    David Hardstaff  
  •   15 April 2013 at 15:15

    Hi Tom,

    WordPress’s codex is a great resource for this, especially this section: http://codex.wordpress.org/Hardening_WordPress

    You may also be interested in the following blog posts:

    http://www.heartinternet.co.uk/blog/article/5-must-have-wordpress-security-plugins/

    http://www.heartinternet.co.uk/blog/article/13-critical-tips-for-password-security/

    http://www.heartinternet.co.uk/blog/article/10-must-read-tips-for-optimal-website-security/

    http://www.heartinternet.co.uk/blog/article/vps-and-dedicated-server-security/

    Jenni  
  •   15 April 2013 at 15:23

    @ Chris and @ Pete I appreciate that being told by your customers must have been frustrating and I’m sorry that you feel we didn’t go about communicating the issue to our customers correctly. It’s something we’ll learn from and take forward in the event of us having to perform an action like this again.

    Matthew  
  • Genieforge
      15 April 2013 at 21:03

    I heard the DDos is using the username admin in its attacks. Does it make sense to advise clients to change their admin username?

    Genieforge  
  • Genieforge
      15 April 2013 at 21:05

    BTW, thanks for the speedy automatic extra layer of security, we really appreciate it.

    Genieforge  
  •   16 April 2013 at 8:08

    It’s a good idea to change the admin username, yep.

    Jenni

    Jenni  
  •   16 April 2013 at 8:08

    Our pleasure, we’ve had a lot of good feedback from people and it’s great to see.

    Jenni

    Jenni  
  • Matt
      16 April 2013 at 9:42

    Hi,

    Thanks for this. My only criticism is that I had to google this. There was no way of knowing that the prompt during logging in was by Heart Internet. I thought the site had been hacked.

    Thanks,

    Matt  
  • Sam
      17 April 2013 at 13:13

    Great work and a better solution than blocking admin access. The only problem I have is on WordPress e-commerce sites that require signup/login from the visitor, as they will also see this pop up - which unfortunately leads to them leaving the site.

    Sam  
  •   18 April 2013 at 8:27

    Hi Sam,

    Thanks, this whole situation has been a real balancing act.

    Matt

    Matthew  
  • Greig
      18 April 2013 at 8:30

    Hi Guys,

    Thanks for the security update.

    But ever since you have upped your security I can’t get any WordPress contact form plugins to work. I’ve tried 3 so far: Contact Form 7 (which was working fine), Contact Form and Secure Fast Contact Form. My client is going nuts.

    Any one else having this problem?

    Greig  
  • robf
      18 April 2013 at 14:17

    Yes, well done for an effective *temporary* solution, but I would agree that direct email notification to resellers of the problem would have saved a lot of time and confusion of clients, and I would hope to see Heart implement this in future. As a reseller, it’s very annoying to hear of these problems from clients rather than direct from Heart Internet.

    I do hope the additional username/password requirement will be lifted very soon, as it continues to interfere with user logins (not just admin) on any Wordpress site used by more than one person, and for this reason definitely isn’t a long term solution to the problem.

    I’ve also made suggestions via Heart’s feedback page of

    1) providing optional integration with Cloudflare’s service (as several other web hosts already do) - this isn’t possible at present as hosting packages are tied to heart nameservers.

    2) providing an RSS feed from webhostingstatus.com so that notification of any issues is immediate.

    Thanks,

    robf

    robf  
  •   19 April 2013 at 10:17

    Hi Greig,

    We haven’t heard of anyone else with this issue. The extra login has been removed now. If you are still having problems I’d recommend contacting support.

    Cheers

    Matt

    Matthew  
  •   19 April 2013 at 10:20

    Hi Rob,

    The extra login has been removed now. In the future, if there is a similar attack, we are going to redirect traffic to a page that confirms the user is human via a captcha. This page will be brand free.

    Cheers

    Matt

    Matthew  
  • robf
      19 April 2013 at 12:39

    Thanks, Matt, that sounds preferable.

    Are email notification of similar attacks, integration with Cloudflare, and RSS feed for webhostingstatus.com being considered?

    robf  
  •   22 April 2013 at 13:11

    Hi Rob,

    These ideas have been passed on to the relevant teams to discuss.

    Cheers,

    Rob

    Robert Mathers  
  • Euan Brunton
      23 April 2013 at 11:09

    I didn’t think it was possible to change the username in WP once it had been set? Can anyone shed some light on this please?

    Euan Brunton  
  •   23 April 2013 at 13:16

    Hi Euan,

    The botnet is looking for WordPress and Joomla users who are using “admin” as their username. It isn’t looking to change the username, it is trying different password variations to get in that way.

    Cheers,

    Matt

    Matthew  
  • robf
      23 April 2013 at 13:21

    Hi Euan, with WP, to change the username from admin, log in as admin, create a new username with admin privileges, then delete username “admin”.

    Cheers,

    Rob

    robf  
  • robf
      23 April 2013 at 13:25

    Thanks for feedback re email notification, cloudflare and RSS.

    Re Captcha, thanks for continuing to be proactive in blocking attacks, but please consider using easier to read and less complex captcha - I just had to refresh captcha seven times (!) before finding one I could read, and feedback from users and clients on some of my other wordpress sites hosted with Heart is already that other legitimate users are having similar difficulty!

    Thanks,

    Rob

    robf  
  • Steve Cooke
      23 April 2013 at 17:20

    I think what Euan is referring to, Matthew, is the advice that’s been given earlier in the comments that “it’s a good idea to change the admin username”. As this screenshot demonstrates, the WordPress dashboard doesn’t allow this:

    http://i.imgur.com/sTUMxWM.png

    I think the most straightforward way to get around this limitation is to create a new admin user with the new username as required, then log into that new administrator account and simply delete the old one.

    Hope that helps!

    Steve Cooke  
  •   24 April 2013 at 8:55

    Hi Rob,

    That’s not something that we have noticed ourselves, it may just be the luck of the draw, but we’ll keep an eye on it.

    Cheers,

    Rob

    Robert Mathers  
  • Chris
      16 May 2013 at 9:28

    Hi Matthew, when you added a confusing login last time I commented saying you gave no prior warning and AGAIN - no prior warning is given when you have changed it.

    You answered with the following:

    “@ Chris and @ Pete I appreciate that being told by your customers must have been frustrating and I’m sorry that you feel we didn’t go about communicating the issue to our customers correctly. It’s something we’ll learn from and take forward in the event of us having to perform an action like this again.”

    So I ask you why didn’t you email your customers, especially your resellers?

    I’m now faced with my customers contacting me to ask if I can remove the CAPTCHA screen as they cannot read it properly, and why I added it without consulting them first.

    Finally, your update says 23/04/2013 - The CAPTCHA didn’t appear for me or my customers until this morning?

    Chris  
  •   16 May 2013 at 11:01

    Hi Chris,

    The threat is an ongoing issue, it hasn’t gone away. The CAPTCHA is added to websites using WordPress on servers that are being targeted. This is not a new issue, and we don’t need to have a blanket on/off for all servers; we can protect specific servers without having to affect everyone else.

    We are the most proactive web host out there to protect our clients’ websites, this is preventing WordPress users’ websites being hacked.

    Cheers

    Matt

    Matthew  
  • teresa
      16 May 2013 at 21:23

    Did you remove some access to wp-logins? I used to get the captcha screen but now it suddenly seems like the wp admin panel access got removed?

    teresa  
  •   17 May 2013 at 9:09

    Hi Teresa,

    We haven’t taken any action that would cause this, if you could contact our support team they’ll be able to investigate further for you.

    Cheers,

    Rob

    Robert Mathers  
  • D Jones
      12 July 2013 at 7:48

    We’ve run into an issue with this. If you choose to password protect a specific page in your site, this uses wp-login, so it is throwing up the additional Heart Internet captcha in the middle of the process. Once you enter this captcha, the original password protected page then fails to load - the Heart Internet process interrupts normal working of the password protection.

    Any way round this?

    D Jones  
  •   12 July 2013 at 10:26

    Hi,

    Thanks for your comment. Please raise a support ticket with the details and our team will investigate this for you.

    Cheers,

    Rob

    Robert Mathers  