Hacking and access woes

Some folk might be having problems trying to log in to the site.  I don’t know much about this, but here’s what I do know:

  • When I tried to log in today, I received a response “WordPress administrator area access disabled temporarily due to widespread brute force attacks.”  As far as I know, you can neither log in nor log out.  However, your current login will still expire (as did mine).
  • Here’s a report that is probably related: Brute Force Attacks Build WordPress Botnet.

In case you are wondering how I managed to post this – I was actually logged in with two different browsers.  My login with “firefox” (my preferred browser) has expired.  My login with “rekonq” has not yet expired.  I think it has another week to go.  So I am posting this from “rekonq”.

18 Replies to “Hacking and access woes”

  1. petrushka says:

    I have noticed a lot of performance issues recently, and few posts the last 48 hours.

  2. Lizzie says:

    Sorry, I’ve been a way for a couple of days. I’ve contacted webhostingpad to see what is going on.

  3. Neil Rickert says:

    I received a message about this, using the reply form at my own blog:

    Comment: It looks as if TSZ (and maybe this blog) needs two-factor authentication for admins.

    That was from a member here, who is probably locked out at the moment.

    As for my own blog (the “maybe this blog” reference), that’s actually on the wordpress site itself. If hackers are attacking that, they are probably looking for access to wordpress administration, rather than the admin of individual blogs there.

    From what I have gathered about the hacking attack, it is an attempt to gain access as user “admin” at sites using the wordpress software. The attack apparently brute-force tries a large number of commonly used passwords.

    From what I gather, if the admin account is not “admin”, and if there is a strong password (long enough and random enough), then that blog is pretty safe from the attack, though the attempts might put a load on it.

    In the case of this blog (TSZ), I presume that Lizzie is leasing space on a server, and the server has provided the basic software. It appears that the server staff have taken pre-emptive action to block possible access to the admin account (by blocking logins to all accounts).
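    As an added illustration (not part of the original post or of any commenter's words), here is a defender-side check for the pattern Neil describes: it reads web-server access-log lines and flags source addresses that hammer wp-login.php with repeated failed POSTs in a short window. It assumes Apache combined log format and relies on WordPress answering a failed login with 200 (form re-rendered) and a successful one with a 302 redirect; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not taken from the site in the post).
# A POST to wp-login.php answered with 200 re-renders the form, i.e. a failed
# attempt; a successful login is answered with a 302 redirect to wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:09:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:09:01:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(log_text):
    """Return {ip: [timestamps]} of failed wp-login.php POSTs (status 200)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than crash
        path = m["path"].split("?", 1)[0]  # drop query strings such as ?redirect_to=
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            failures[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return failures


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """IPs with at least `threshold` failures inside some `window_seconds` span."""
    flagged = []
    for ip, times in failed_logins(log_text).items():
        times.sort()
        start = 0  # two-pointer sliding window over this IP's sorted timestamps,
        for end in range(len(times)):  # so a slow trickle of typos is not a burst
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```

    Running `brute_force_sources(SAMPLE_LOG)` on the constructed sample flags only 203.0.113.7; the one genuine user who mistyped once and then succeeded is not reported.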

  4. Lizzie says:

    Yes, that is the case. The webhost has blocked access to admins – I’m not sure whether non-admins are also blocked. They have a workaround – I’ll email you.

  5. Alan Fox says:

    Hello World!

  6. JonF says:

    I can’t log in using Opera; the box for the username lies right on top of the last line of instructions, so I can’t provide the correct password.

  7. Lizzie says:

    That’s annoying. Hmm.

  8. Seversky says:

    I’m using Opera and it looks like I can get in now, although I couldn’t before. Should we change user names and passwords?

  9. Lizzie says:

    Changing passwords to something hard to guess is a good idea, but I think the biggest problem is with admin passwords.

    The brute force attack is trying to hack the admin accounts, so those are the ones that webhostingpad has locked down.

    Fortunately none of our admins are called “admin”.

  10. JonF says:

    I’m still having the problem with the balloon in Opera, but somehow I clicked on a username and was told I had to log in to see a profile, and got a normal login box.

    The solution for admins is two-factor authentication. http://bit.ly/12j9lV3.

  11. Lizzie says:

    webhostingpad seem to have installed an extra captcha for admins.

    Anyone else seeing that?

  12. Neil Rickert says:

    I am assuming that everyone sees that. The system doesn’t know that you are an admin until you are logged in.

  13. damitall2 says:

    I see it too, although I am but lowly.

  14. Lizzie says:

    From Webhostingpad:

    UPDATE: (April 15 2013) To help make things easier on you we are implementing a server-wide update today that will allow you to access your WordPress administrative page much more quickly. When you visit your wp-admin page a window will pop up requiring your authentication to view this page. This popup window will ask you to fill out a username that is provided in the window itself, as well as to solve a simple math problem (ex: 10+5) to ensure you are a human and not a part of the botnet. This means that you won’t have to go through the trouble of editing your .htaccess file as outlined below. If you did take the steps below to add the allow rules to your .htaccess file you can remove them as this update will adequately protect the servers from the attack attempts.

    Let me know if there are continuing problems.

  15. Lizzie says:

    Ah, of course. I saw it when I was logging off, so I thought it might be an admin thing.

    OK.

  16. damitall2 says:

    Lizzie,

    No problems, but an oddity in that in attempting to log out, I was required to do the password+math thingie.

    Logout was successful.

    Logging back in again was just as it used to be – just my TSZ username + password, no arithmetic.

    Still and all, so long as I can get into TSZ, I’m one happy bunny.

  17. JonF says:

    Same problem in Opera. But if I click on a user’s name beside a post I get a login screen that does not include the CAPTCHA. You might want to let them know; I bet that an admin could log in by that route as well.

  18. hotshoe says:

    This morning for the first time I got the captcha-log in. I don’t know why that came up; I know I’ve logged in and commented in the last week or so and this is the first I’ve seen it.
    Well, I almost failed to prove I was human, or at least to prove I was smart enough to read the directions on screen. Gack.
