Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Brute Force Attacks, Presidential Candidates and Plugin Vulnerabilities

This entry was posted in General Security, Wordfence, WordPress Security on October 27, 2015 by Mark Maunder   43 Replies

Early this week we are tracking an approximate doubling of brute force attacks (login guessing attacks) on WordPress sites. Our attacks per minute increased from 10,000 per minute to around 20,000 per minute on Monday evening. Historically this is far from the highest we’ve seen, but it’s a clear increase and worth mentioning.

Screen Shot 2015-10-26 at 4.40.47 PM

In other news, Jonathan Lampe over at the Infosec Institute ran a few security tests on websites belonging to presidential candidates including Donald Trump, Jeb Bush, Bernie Sanders and many others. The only candidate that scored an A for security is Jim Webb and the reason he scored the A is because he is running Wordfence.

No matter which way you’re voting, it’s always nice to hear that Wordfence is helping secure a former Secretary of the Navy’s campaign website.

WordPress 4.4 Beta 1 was released a few days ago and the production release is slated for December 8th. We will of course alert you when it’s time to upgrade, but for planning purposes make sure you’re around to upgrade your site in early December as it may contain security fixes and these are generally not pre-announced.

There are a handful of plugin vulnerabilities you should be aware of this month:

If you are running any of these plugins, make sure you upgrade to the newest version as soon as possible. In some cases technical details of the vulnerabilities will be released later this month which would make the exploit available to hackers targeting your site if you are still running the older version of a vulnerable plugin.

A big thank you to our community for participating in our WordPress Security Survey. We had over 7,000 responses which is spectacular. Our team is hard at work parsing the results as I write this and we’re already seeing data that we think will benefit the community and help us all better understand the community’s security posture and needs. We will be sharing those results with you in the coming weeks.

That’s all for now. The Wordfence Team wishes you an awesome rest-of-the-week!

Did you enjoy this post? Share it!

43 Comments on "Brute Force Attacks, Presidential Candidates and Plugin Vulnerabilities"

Dan October 27, 2015 at 8:53 am

Thank guys for this news-article. I don't know how I've missed your previous "announcement" regarding Akismet XSS vulnerability I guess I have to pay more attention when I receive your most-welcomed newsletter.
I wish you all an awesome rest-of-the-week too!

mark October 27, 2015 at 9:02 am

Hi Dan. We sent an email last week. It may have slipped through the cracks. Sorry about that.

Jordan October 27, 2015 at 8:55 am

That's real advertising, when you use the brands or the brand names such as Jim Webb to build credibility. I also use Wordfence and I am happy with it. There is still one thing I don't don't how to do it, writing multiple usernames (such as admin, administrator) to automatically block the intruders trying to login with these usernames, for it doesn't stop them trying multiple logins, but I am happy with Wordfence.

mark October 27, 2015 at 9:03 am

Hi Jordan. One of our guys has a Google News alert set up for 'Wordfence' and happened to notice someone else covering this story here https://fcw.com/articles/2015/10/23/briefs-oct-23.aspx?m=1.

Also I'd recommend posting that question on our forums where Matt R. will be happy to help you - he's on there right now helping our other free customers:

https://wordpress.org/support/plugin/wordfence

Teodor October 27, 2015 at 9:01 am

I just gave up to Akismet and got another plugin instead. However, new versions of WP seem to be more secure and, of course, wordfence helps me a lot to keep site safe. Thank you for your article and for all updates!

mark October 27, 2015 at 9:04 am

Akismet is actually pretty good and is produced by Automattic, the guys who make WordPress, so we actually recommend sticking with them. They're a good team and a great plugin. We also think they handled the security situation last week with aplomb.

Fernando Gonzalez October 27, 2015 at 9:07 am

Thank so much for your awesome and very appreciated work with the plugin as well as with your newsletters, Keeping us inform of important security matters.

Mike October 27, 2015 at 9:15 am

For what it's worth, WordFence is a *mandatory* plugin for all of our Wordpress sites. It replaces at least a half-dozen other security plugins and offers features that none of the other plugins have. We wouldn't run a Wordpress site without it, period.

Dr. 'Malik Haruna King October 27, 2015 at 9:25 am

I want to take this time out to thank you specially. The Wordfence plugin is one of the plugins I can NEVER do without! It protects me completely. And I recommend it, highly.

Thanks for serving.

Dr. 'Malik Haruna King, Nigeria.

Pebbles Jacobo October 27, 2015 at 9:29 am

Thank you for the updates and all you do to keep our sites safe. Keep up the great work.

Gary October 27, 2015 at 9:33 am

Your plugin is wonderful. A few months ago I converted one of my websites to a WordPress format, and was unaware of the Brute Force attack issue. I noticed my website was loading slow and checked into a few things and found out it could be because of Brute Force attacks. I installed Wordfence and began to block the ip's of those attacking my website. Took a few days but it stopped completely, and the load time on my website is much improved. I now put Wordfence on all my WordPress websites first thing.

I received an email from you guys to do a survey a couple weeks back but deleted it by mistake, but your plugin is fantastic!!

mark October 27, 2015 at 9:52 am

Thanks for the feedback Gary. No problem about the survey, we managed to get over 7000 respondents which makes it statistically significant and that was our goal. Glad we're helping secure your site!

Dipingo October 27, 2015 at 9:34 am

I have WordFence (free) on my site that I sell a children's book I wrote. I am my own IT department and do everything myself. Last week while I was out of town my email reports from WordFence came in every couple seconds meaning 20 login attempts for each message. It lasted over an hour. You guys were there even when I couldn't be.

Thank you so much for helping us little guys.

mark October 27, 2015 at 9:51 am

Glad we could help!

Steve October 27, 2015 at 9:59 am

Hat's off to your WordFence product and everyone associated with it!

Discovered WF a couple of weeks ago when I found out a couple of my WP sites had been compromised. Used WF to put up secure perimeters and then disinfect those sites. Easy!

Since then, I've seen daily attempts by the bad guys to get back into those sites - and WF stop them in their tracks each time! It's a little unnerving watching all those hack attempts, but I am sleeping much more soundly at night knowing WF is watching my back.

You guys rock - thanks for all you do!

Steve

Wren October 27, 2015 at 10:23 am

Thank you ever so much for the great job you do in protecting my website! You guys are awesome to keep the community informed about potential and present threats.

Rod Collins October 27, 2015 at 10:46 am

Great job guys and great plugin! I hope that in a few more months I can afford to get the premium for a few of my sites, this is the first plugin any webmaster setting a new site should install.

Linda October 27, 2015 at 11:01 am

Even my humble little website has seen a surge in multiple attempts to log in as administrator. Makes me glad I have WordFence!

Spencer October 27, 2015 at 11:03 am

I've been very impressed with your plugin and communication. Definitely feel like our websites are more secure even with the constant hacker onslaught.

Mike Eastwood October 27, 2015 at 11:26 am

It's really frustrating that more than half of the Brute Force attacks, to websites we maintain, come from Amazon Web Services (AWS) Servers (specifically their EC2). e.g.

A user with IP address 54.215.187.155 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'Webmaster' to try to sign in.
User IP: 54.215.187.155
User hostname: ec2-54-215-187-155.us-west-1.compute.amazonaws.com
User location: San Jose, United States

I have logged these attacks dozens of times, using AWS Abuse Form, only to get an automated email. None of these complaints have ever been taken seriously.

It's extremely disappointing that Amazon provides free servers to people running Brute Force attacks. It would take very little effort for them to monitor Brute Force attacks to the WordPress Login URL.

Thank you to the team at Wordfence, your plugin is the first one we install on all our new builds.

Mike

Brent Norris October 27, 2015 at 1:05 pm

Really nice to see the campaign mention. Imho, serving candidates in a way that informs them for the need for security will help us pass digital security legislation at state and federal levels while also helping to support web professionals working hard to manage wordpress hosting for small business owners.

I agree with Mike regarding the need for a concerted effort to stop brute force attacks at the source. Wordfence helps us manage high-availability WordPress websites with confidence.

Thanks for all you do.

mark October 27, 2015 at 1:14 pm

Thanks Brent! Hope the weather in Hawaii is treating you well, considering it's hurricane season. (Noticed the map on your site) ~Mark

Brent Norris October 27, 2015 at 1:22 pm

Mahalo Mark, it's epic here. Working out of a treehouse in a remote forest.
If I can ever help plan an event in Hawaii for your company or customers, let me know. I'd like to give back to your project.

mark October 27, 2015 at 1:56 pm

Thanks Brent! Mahalo to you too. Will keep that in mind. Our whole team works remotely and we're all based in the USA lower 48. We're always looking for fun places to have in-person catchups. There's actually a hacker/infosec conference in your neighborhood called Shakacon. We were booked for it earlier this year but had to cancel at the last minute - scheduling conflict. Will almost certainly visit next year and if you're interested in infosec I'd recommend you do too! It's in July. Let us know and we'll be sure to say hi.

Jim October 27, 2015 at 1:44 pm

Thanks for the update, and thanks for the protection. One of my sites was and still is the unfortunate recipient of one of those brute force attacks from Saturday morning till now. Thanks to Wordfence the site is still running great and safe.
If it was not for the thousands of emails I would not know anything was even wrong.

Dave October 27, 2015 at 1:49 pm

Great article and I have to agree that the brute force attacks are on the increase, in fact this has been noticeable for the last few weeks, I am seeing mainly bad username attempts on the 43 or so wp installs that I manage and since midnight (it's 20:48 at the time of writing this) I have seen over 1000 such attempts!

But good old Wordfence is doing the job for me.

Thanks Guys

Dave

Rafael Pekson II October 27, 2015 at 2:00 pm

The best sentence of this blog post has got to go to "The only candidate that scored an A for security is Jim Webb and the reason he scored the A is because he is running Wordfence." Actually, a big YAY! for Wordfence. Otherwise, I would have gotten nosebleeds trying to learn web programming just to fight login guessing attacks. #standingwhileclapping

Andrew October 27, 2015 at 2:08 pm

A friend turned me onto Wordfence not too long ago, and now I put it on our Wordpress install.

Thanks for creating something that's free and easy to work with!

Roger Mitchell October 27, 2015 at 2:16 pm

I have to say you guys are the BEST! I know there are many bad people out there and protecting from those bad people is a tough task. Even though I know a hack is remotely possible I feel much more comfortable knowing Wordfence is guarding my site. Thanks soooooooooo much!

Greg October 27, 2015 at 2:22 pm

Thank you for everything.

Dustin - Online Innovation October 27, 2015 at 4:30 pm

great work guys as always, keeping us safe keeping our customer safe and generally just staying on top of it. You guys rock we love your work down in Australia

Mark October 27, 2015 at 6:27 pm

GREAT Plugin Guys...................THANX For The Updates..................It's Always Nice To Know What's Around The Corner

Dante October 27, 2015 at 7:28 pm

Though not a tech-man, I manage 2 of our sites that use WP. Am very happy with Wordfence and its alert system. Increase in invalid log ins using "admin" is always detected and reported.
I do agree with Jordan and wish we may block other attempts using random usernames like: administrator, our first or second names, the site's url without the extension etc.

Great. Keep it up.

Bahi October 27, 2015 at 7:55 pm

Someone is reporting an issue with the very popular Shortcodes Ultimate plugin here:

https://wordpress.org/support/topic/critical-vulnerability?replies=4

Circumstantial evidence at the moment.

Thanks for Wordfence!

mark October 27, 2015 at 9:05 pm

Hi Bahi,

I've had a quick look at the code for the Shortcodes Ultimate plugin. I'm seeing some fairly aggressive sanitization of input values using intval() and sanitize_key() functions. So it looks like the author has at the very least not been careless. I also verified he's correctly checking privileges using current_user_can() in sensitive parts of the code. I can't guarantee that this doesn't have a vulnerability, but nothing is immediately apparent. Let us know if you learn more.

Mark.

Bahi October 28, 2015 at 9:46 am

Thanks so much, Mark – it's good to know he's at least aiming to do the right thing. Will let you know if I hear more.

Apollo October 27, 2015 at 8:45 pm

Hey, I didn't even know too much about this plugin until a client mentioned it, and now we recommend it for everyone to use your plugin.

It helps us provide instant value to our clients, and as a result, I think a few of them may have picked up a premium license too.

Keep up the good work!

Babi kummer October 27, 2015 at 10:59 pm

Thank you for your hard work!

daniyal khan October 27, 2015 at 11:28 pm

Thanks for This Awesome and Simple to use Plugin.. :)

Lars October 28, 2015 at 12:44 am

Thanks for keeping us up to date on the latest issues with Wordpress security.

Jones October 28, 2015 at 4:06 am

Very nice reminder. To avoid such problem, although there are others that we cannot escape from, I have set all the plugin to be updated automatically, whenever a new version is available.
Keep safe
You'll Never Know Without GuidanceTM

Edward Aylward October 28, 2015 at 5:37 am

Last week our site was being absolutely bombarded with Chinese hackers attempting to break into our site to steal information about our magnetic Graphene. We are here to say thank you to the wordfence team. We believe that our website was able to remain impenetrable due to the wordfence paid pluggin. Being Network Administrators with some of the industries highest certifications, we confidently reccomend the wordfence pluggin. It saved us millions of dollars. Thank you wordfence, for your continued, industry leading, cyber security leadership. For us here at Noble 3D Printers, its absolutely priceless.

Kary Dunham November 7, 2015 at 10:46 am

Thank you for these announcements. It is great to know we have a place to turn so we can find constantly updated announcements on the various Wordpress vulnerabilities.
I teach people how to use Wordpress and use WordFence on all my sites, as well as the ones I create for my clients. Whenever someone asks why I choose WordFence, I simply point to your blog. ;)

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 100 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates