We have had a number of people contact us about having issues gaining access to the login page in WordPress recently and we wanted to pass along information that affected websites should be getting told by their web hosts as well by now. There has recently massive attempt to brute force the login for WordPress based websites. Hostgator describes it as being a highly-distributed and global attack. While hackers have been attempting to gain access to website, whether using WordPress or a variety of other software, that use weak passwords for years, the big issue here is that the massive size of attempts is causing high load on servers and that has caused web hosts to block access to the WordPress login page while attempting to deal with this. If your website is hosted on a server shared with websites being targeted it can impact your websites even if you are not targeted.
Hostgator has reported seeing over “90,000 IP addresses involved in this attack”, which means that a web host cannot simple block a few IP address to stop the attempts. That also provides a reminder that limiting login attempts by blocking IP addresses after several failed attempts has a serious limitation as security feature when massive amount of IP address are available for an attack.
While security of the login process can be improved by restricting login access to certain IP addresses or using multi-factor authentication, websites can prevent an un-targeted login attack by making sure only strong passwords are used.
When it comes to internet security one of the most basic steps is keeping your software up to date. In sign of how poor the state of internet security is, even security companies are not taking such a basic step. The US website of Kaspersky Lab, which the New York Times has described as “Europe’s largest antivirus company“, is running a very out of date version of Drupal:
Kaspersky Lab has failed to update the software for over two years, the next version Drupal 6.20 was released back in December of 2010, and they have missed the last 4 security updates. Updating between versions of Drupal 6 is relatively easy, so there isn’t any excuse for a tech company not being able to keep it up to date.
Kaspersky Lab is not alone in this, last year we posted about Panda Security’s failure to update software running their websites even after some of their websites had been hacked.
You can check if Drupal websites you visit are keeping the software up to date with our Drupal Version check extension for Chrome and Firefox.