Hacking and access woes

Some folk might be having problems trying to log in to the site.  I don’t know much about this, but here’s what I do know:

  • When I tried to log in today, I received a response “WordPress administrator area access disabled temporarily due to widespread brute force attacks.”  As far as I know, you can neither log in nor log out.  However, your current login will still expire (as did mine).
  • Here’s a report that is probably related: Brute Force Attacks Build WordPress Botnet.

In case you are wondering how I managed to post this – I was actually logged in with two different browsers.  My login with “firefox” (my preferred browser) has expired.  My login with “rekonq” has not yet expired.  I think it has another week to go.  So I am posting this from “rekonq”.

18 thoughts on “Hacking and access woes”

  1. I received a message about this, using the reply form at my own blog:

    Comment: It looks as if TSZ (and maybe this blog) needs two-factor authentication for admins.

    That was from a member here, who is probably locked out at the moment.

    As for my own blog (the “maybe this blog” reference), that’s actually on the wordpress site itself. If hackers are attacking that, they are probably looking for access to wordpress administration, rather than the admin of individual blogs there.

    From what I have gathered about the hacking attack, it is an attempt to gain access as user “admin” at sites using the wordpress software. The attack apparently brute-force tries a large number of commonly used passwords.

    From what I gather, if the admin account is not “admin”, and if there is a strong password (long enough and random enough), then that blog is pretty safe from the attack, though the attempts might put a load on it.

    In the case of this blog (TSZ), I presume that Lizzie is leasing space on a server, and the server has provided the basic software. It appears that the server staff have taken pre-emptive action to block possible access to the admin account (by blocking logins to all accounts).

  2. Yes that is the case. The webhost has blocked access to admins – I’m not sure whether non-admins are also blocked. They have a workaround – I’ll email you.

  3. I can’t log in using Opera; the box for the username lies right on top of the last line of instructions, so I can’t provide the correct password.

  4. I’m using Opera and it looks like I can get in now, although I couldn’t before. Should we change user names and passwords?

  5. Changing passwords to something hard to guess is a good idea, but I think the biggest problem is with admin passwords.

    The brute force attack is trying to hack the admin accounts, so those are the ones that webhostingpad has locked down.

    Fortunately none of our admins are called “admin”.

  6. I’m still having the problem with the balloon in Opera, but somehow I clicked on a username and was told I had to log in to see a profile, and got a normal login box.

    The solution for admins is two-factor authentication. http://bit.ly/12j9lV3.

  7. From Webhostingpad

    UPDATE: (April 15 2013) To help make things easier on you we are implementing a server-wide update today that will allow you to access your WordPress administrative page much more quickly. When you visit your wp-admin page a window will pop up requiring your authentication to view this page. This popup window will ask you to fill out a username that is provided in the window itself, as well as to solve a simple math problem (ex: 10+5) to ensure you are a human and not a part of the botnet. This means that you won’t have to go through the trouble of editing your .htaccess file as outlined below. If you did take the steps below to add the allow rules to your .htaccess file you can remove them as this update will adequately protect the servers from the attack attempts.

    Let me know if there are continuing problems.

  8. Lizzie,

    No problems, but an oddity in that in attempting to log out, I was required to do the password+math thingie.

    Logout was successful

    Logging back in again was just as it used to be – just my TSZ username + password, no arithmetic.

    Still and all, so long as I can get into TSZ, I’m one happy bunny

  9. Same problem in Opera. But if I click on a user’s name beside a post I get a login screen that does not include the CAPTCHA. You might want to let them know; I bet that an admin could log in by that route as well.

  10. This morning for the first time I got the captcha-log in. I don’t know why that came up; I know I’ve logged in and commented in the last week or so and this is the first I’ve seen it.
    Well, I almost failed to prove I was human, or at least to prove I was smart enough to read the directions on screen. Gack.
