Important information for WordPress users - Heart Internet Blog - Focusing on all aspects of the web

Update 23/04/2013: We have now introduced a page with a captcha to help address the ongoing attempts by the botnet to access WordPress and Joomla websites. When you go to your admin/login page you will be asked to enter the captcha to continue. We feel this is a more elegant, user-friendly and secure approach. The page looks like this…

[Screenshot: the website security captcha page]

Web hosts across the world are currently experiencing a huge DDoS attack that is specifically targeting WordPress installations on shared hosting platforms.

A number of other web hosts have started removing access to wp-login; however, we don’t want to do this as it would mean you can’t access your website’s WordPress control panel. We are going to add an extra layer of security to help fend off this attack and still give you access to your control panel.

Whilst this attack is ongoing, you may find that when trying to log in to your WordPress Admin you are prompted for a username and password not previously required (in addition to your usual login details). The credentials for this login are:

Username: protected

Password: wordpress

This automated attack is affecting WordPress websites globally and is not targeted at a particular web host, which is why we’re happy to make the login details above public.

As soon as normal service is resumed, this prompt will be removed and the above credentials will no longer be required. We appreciate your patience during this time, and will update www.webhostingstatus.com once this has been resolved.
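The post does not say how the extra layer is implemented. The example below is added here and is not Heart Internet's own configuration; it assumes the usual shared-hosting setup of Apache with mod_auth_basic and mod_authn_file, and shows the kind of .htaccess stanza and .htpasswd entry that put an HTTP Basic Auth prompt in front of wp-login.php only. The public "protected"/"wordpress" credentials are the ones quoted above; the point of the layer is not secrecy but that a bot speaking only the WordPress login protocol never reaches the form. The {SHA} hash scheme, the file paths and the ErrorDocument text are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# The deliberately public "speed bump" credentials quoted in the post above.
LAYER_USER = "protected"
LAYER_PASS = "wordpress"


def htpasswd_entry(user: str, password: str) -> str:
    """Return one .htpasswd line in Apache's {SHA} scheme.

    {SHA} is base64 of the raw SHA-1 digest; mod_authn_file accepts it and it
    is the only Apache scheme the Python standard library can produce.  On a
    real server prefer `htpasswd -B` (bcrypt); here the credential is public
    anyway, so hash strength is not what the layer relies on.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_password(entry: str, candidate: str) -> bool:
    """Verify a candidate against a {SHA} entry, comparing in constant time."""
    _user, _, stored = entry.partition(":")
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are handled by this helper")
    digest = hashlib.sha1(candidate.encode("utf-8")).digest()
    encoded = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], encoded)


def htaccess_stanza(htpasswd_path: str, status_url: str) -> str:
    """.htaccess that challenges wp-login.php only, leaving the public site alone."""
    return "\n".join([
        "# Extra HTTP Basic Auth layer in front of the WordPress login form.",
        "# Ordinary visitors never see it; only /wp-login.php is covered.",
        "<Files wp-login.php>",
        "    AuthType Basic",
        '    AuthName "Protected area"',
        f"    AuthUserFile {htpasswd_path}",
        "    Require valid-user",
        "</Files>",
        "# Apache cannot redirect a 401 to another site (the browser would not",
        "# prompt), so point people at the status page with an inline message.",
        f'ErrorDocument 401 "Login temporarily protected; see {status_url}"',
    ])


if __name__ == "__main__":
    # Assumption: the AuthUserFile path lives outside the web root.
    print(htpasswd_entry(LAYER_USER, LAYER_PASS))
    print(htaccess_stanza("/home/example/.htpasswd", "www.webhostingstatus.com"))
```

Because the stanza matches the file name, anything else that posts to wp-login.php (password-protected pages, front-end login forms on shop sites) will also be challenged, which is exactly the side effect several commenters below report.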


Comments


  • Andrew

    12/04/2013

    Thanks for the headsup

     
  • gavjof

    12/04/2013

    Thanks. If you’re following things on Twitter you may find CloudFlares’ post of interest:

    https://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br

     
  • Buzz Killington

    12/04/2013

    You’re posting this on a publicly accessible blog. You guys are idiots.

     
  • 12/04/2013

    No we’re not, and we don’t appreciate being called that either.

    This is an extra layer of security before the normal WP login interface. It is not a replacement. The attack is automated and is not specific to us. The person(s) undertaking this attack will not be aware of this password.

     
  • Steven Chamberlain

    12/04/2013

    Hi Matthew; I’m seeing this same attack against ~1200 WP sites I manage hosting for. I count around 50,000 bots participating in the attack, globally distributed but particularly from Brazil / South America. They are using a randomised User-Agent of popular browsers. I’m still trying to figure out how to mitigate this myself….

     
  • Heidi

    12/04/2013

    Thanks HI, your support staff were very helpful when I got in touch for an explanation about the issue. Excellent support service as always.

     
  • 12/04/2013

    Hi Heidi,

    That’s great, thanks for that.

    Cheers

    Matt

     
  • Admin

    12/04/2013

    Hire an administrator… a real one who knows iptables a bit and knows what to do with that and how to use it against a DDoS… your solution is very lame.

     
  • 12/04/2013

    Our system administrators provided this response:

    “That would involve checking a packet against 65,000 individual rules before it’s allowed through – bit of a burden to the server doing the checking (not to mention the poor bugger who has to enter 65,000 rules). As hackers change their IP address, that would mean creating 65000 *different* rules, not to mention blocking genuine visitors.”

    Hope that provides a bit of clarity 😀

    Jenni
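Steven's observation above (tens of thousands of bots, randomised browser User-Agents) and the sysadmins' reply (a 65,000-rule IP block list is both a burden and a moving target) describe the same detection problem: each node of a distributed botnet makes only a handful of guesses, so a per-IP threshold never fires, while the aggregate rate of failed logins against wp-login.php is unmistakable. The script below is an added example, not anything Heart Internet ran; it parses a few constructed Apache combined-format log lines (documentation-range addresses, made-up User-Agents) and compares the two views. It relies on one WordPress behaviour: a wrong password re-renders wp-login.php with HTTP 200, a correct one redirects with 302.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format (assumption: the host logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(line: str):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def is_failed_login(e) -> bool:
    # wp-login.php answers a bad password with 200 (form shown again)
    # and a good one with 302 to wp-admin, so 200 on POST is a failure.
    return e["method"] == "POST" and e["path"].startswith("/wp-login.php") and e["status"] == 200


def per_ip_failed_logins(events) -> Counter:
    """The view an IP block list works from: failures per source address."""
    return Counter(e["ip"] for e in events if is_failed_login(e))


def failed_logins_per_minute(events) -> dict:
    """The aggregate view: failures, distinct IPs and distinct UAs per minute."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set(), "uas": set()})
    for e in events:
        if is_failed_login(e):
            b = buckets[e["ts"].strftime("%Y-%m-%d %H:%M")]
            b["count"] += 1
            b["ips"].add(e["ip"])
            b["uas"].add(e["ua"])
    return dict(buckets)


def analyse(lines, per_ip_threshold: int = 5, aggregate_threshold: int = 20) -> dict:
    events = [e for e in map(parse, lines) if e]
    per_ip = per_ip_failed_logins(events)
    blockable = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    flagged = sorted(
        (minute, b["count"], len(b["ips"]), len(b["uas"]))
        for minute, b in failed_logins_per_minute(events).items()
        if b["count"] >= aggregate_threshold
    )
    return {"blockable_ips": blockable, "flagged_minutes": flagged, "parsed": len(events)}


# ---- constructed sample log: 12 bot nodes, two guesses each, plus one real login ----
def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4096 "-" "{ua}"'

_BOT_UAS = [  # randomised "popular browser" strings, as Steven describes
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 Chrome/26.0.1410.43",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.28.10 Safari/536.28.10",
    "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0",
    "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15",
]
_LEGIT_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0"

SAMPLE_LINES = []
for i in range(12):
    for j in range(2):
        SAMPLE_LINES.append(_line(f"198.51.100.{i + 1}", f"12/Apr/2013:10:15:{i * 5 + j:02d} +0000",
                                  "POST", "/wp-login.php", 200, _BOT_UAS[(i + j) % 4]))
SAMPLE_LINES += [
    _line("192.0.2.10", "12/Apr/2013:10:15:30 +0000", "GET", "/wp-login.php", 200, _LEGIT_UA),
    _line("192.0.2.10", "12/Apr/2013:10:15:41 +0000", "POST", "/wp-login.php", 302, _LEGIT_UA),
    _line("192.0.2.10", "12/Apr/2013:10:15:42 +0000", "GET", "/wp-admin/", 200, _LEGIT_UA),
    _line("192.0.2.11", "12/Apr/2013:10:16:05 +0000", "GET", "/", 200, _LEGIT_UA),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LINES))
```

On the sample, no address reaches the per-IP threshold, so an iptables list built from it would be empty, while the 10:15 minute shows 24 failures from 12 addresses and 4 User-Agents. Alerting on the aggregate (and on the ratio of distinct IPs to failures) is what tells a host a server is being targeted, which is the signal the later comments describe being used to switch the captcha on per server.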

     
  • Pete

    12/04/2013

    I can’t tell you how annoying it is to find out about this from a worried client phone call rather than from yourselves. Why on earth don’t you notify your reseller customers by email? The whole point of having a reseller account is that, from the point of view of my clients, the service is being provided by me. So I look pretty stupid when I get a phone call asking me what’s going on and I haven’t a clue. This is not the first time services have been blocked without any proactive notification from yourselves.

    I understand that in the complex world of web hosting things like this will happen and you’ll need to take swift action. All I’m asking for is an email from yourselves which contains a brief overview of the situation. You’ve blogged after all so it’s not really any additional effort on your part and it would make me and your other reseller customers feel like you actually value our business and money.

     
  • G

    12/04/2013

    I am disappointed with the two negative comments you have received so far.

    First and foremost “Buzz”, name calling like that is pathetic and childish. You should not insult people that you don’t know. I suggest you learn how to be civil!

    Secondly “Admin”, if you think you can come up with a better solution to what they have proposed, why don’t you help them out?!

    If you guys want to query Heart Internet’s work, why don’t you do it in a normal manner.

    “Heart Internet” thanks for the heads up on this, I do think you need to inform your clients directly such as an email regarding this change you are implementing as some people might get confused.

    I’d be interested to find out how you implemented your solution. Are you able to share that information?

    Many thanks,

    G.

     
  • Matt

    13/04/2013

    Anything to help protect our sites from these stupid attacks (without disabling access) is much appreciated and as always I find you very helpful and responsive.

    As mentioned above CloudFlare are providing an option and available under their free package, but this is hassle and slightly technical which will put off many users. However there are some great plugins that help with security, one of which: WP Better Security (https://wordpress.org/extend/plugins/better-wp-security/) – no affiliation – offers basic hardening of your WP site and prompts the user so not even the most technical can do basic hardening, to help reduce certain attacks, including renaming your account name if admin etc…

    As these attacks are currently bruteforce on admin logins (for accounts named ‘admin’), would it be possible for your custom install scripts to force users not to use certain ‘common’ administrator usernames, as some systems/scripts offer? I know this wouldn’t stop all forms of attack but definitely would help in this instance.

    Keep up the good work.

     
  • Gary Hughes

    13/04/2013

    Thanks for acting fast on behalf of your customers and for making it clear in as many places as possible what’s going on. This is a good temporary solution that’s secure enough (bots aren’t going to read blog posts and I doubt WordPress installs hosted on Heartinternet make up a significant enough percentage for the bots to adapt) without locking users out of their sites.

     
  • Nutt

    13/04/2013

    Hi guys,

    Thanks for keeping on top of things. It would however have been useful if you had sent this info/warning out in an email to us, as the first I knew was a user calling me halfway through the night, saying their password was not working lol.

    I was also suspicious the site had been hacked as your little pop up didn’t mention heartinternet, just some random site. It would have been better to have the page under the heartinternet.uk domain.

    Anyway keep up the good work.

     
  • Jonathan

    14/04/2013

    Thanks for information. Is that Cloudflare setup anything worthwhile using? One could of course use a WordPress plugin called Limit Login Attempts to do the same thing. Just wondering what thoughts anyone had on Cloudflare.

    Also wonder why mindless idiots have to spend so much time pratting about at other people’s expense…!
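Jonathan mentions Limit Login Attempts as the in-WordPress alternative to a host-side layer. The example below is added here, is not that plugin's code and is not anything from Heart Internet; it shows the mechanism such a plugin implements: a sliding-window counter of failed logins with a lockout, applied to two keys at once. The per-IP limiter is strict, but a distributed botnet spreads its guesses over many addresses and rarely trips it; the per-account limiter catches that pattern, but because anyone can generate failures for a known username it must be looser, or an attacker could lock the real owner out. The credential store, salt, usernames and addresses are constructed for the simulation.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Hashable


@dataclass
class LoginLimiter:
    """Sliding-window failure counter with a lockout, keyed on anything hashable."""
    max_failures: int = 4
    window_seconds: int = 300
    lockout_seconds: int = 1200
    _failures: Dict[Hashable, Deque[float]] = field(default_factory=dict)
    _locked_until: Dict[Hashable, float] = field(default_factory=dict)

    def is_locked(self, key: Hashable, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                 # lockout expired: forget it
            del self._locked_until[key]
            return False
        return True

    def record_failure(self, key: Hashable, now: float) -> bool:
        """Log a failure; return True if this one tipped the key into lockout."""
        q = self._failures.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - self.window_seconds:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, key: Hashable) -> None:
        self._failures.pop(key, None)


# Constructed credential store: PBKDF2 with a fixed demo salt.  Real WordPress
# uses phpass hashes; this only keeps the simulation from comparing plaintext.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 20_000)


USERS = {"editor": _hash("correct horse battery staple")}


def _verify(username: str, password: str) -> bool:
    stored = USERS.get(username)
    candidate = _hash(password)          # hash even for unknown users (no timing hint)
    return stored is not None and hmac.compare_digest(stored, candidate)


def attempt_login(username: str, password: str, ip: str, now: float,
                  ip_limit: LoginLimiter, account_limit: LoginLimiter) -> str:
    """Simulated wp-login handler: returns 'ok', 'failed' or 'locked'."""
    if ip_limit.is_locked(ip, now) or account_limit.is_locked(username, now):
        return "locked"                  # refuse before checking the password
    if _verify(username, password):
        ip_limit.record_success(ip)
        account_limit.record_success(username)
        return "ok"
    ip_limit.record_failure(ip, now)
    account_limit.record_failure(username, now)
    return "failed"


if __name__ == "__main__":
    by_ip = LoginLimiter(max_failures=4, window_seconds=300, lockout_seconds=1200)
    by_account = LoginLimiter(max_failures=20, window_seconds=3600, lockout_seconds=600)
    for t in range(0, 50, 10):
        print(t, attempt_login("editor", "guess", "198.51.100.1", t, by_ip, by_account))
```

A locked key is refused before the password is checked, so the lockout also stops a correct guess landing during the lockout window; the trade-off is that a legitimate user who shares an address (or a username) with the attacker is refused too, which is why the account limiter's threshold and lockout are deliberately gentler.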

     
  • Jonathan

    14/04/2013

    And why I can’t spellcheck my comments before submitting…. that was supposed to be Cloudflare..!!!!

     
  • Kas

    15/04/2013

    I’m not that technical and therefore easily made paranoid, but if the URL which came up in the redirect message were this page it would have saved me a number of minutes of panicking!

    I assumed that because it was a completely unfamiliar, generic domain (webhostingstatus.com) I was being sent to, my site had been hacked in some way – if I’d been directed to heartinternet I’d have felt much more confident that it was a genuine security measure from you guys!

     
  • 15/04/2013

    Hi Kas,

    We did that to protect our resellers – we don’t have the ‘Heart Internet’ name anywhere on anything that their customers might see 🙂 Thanks for the suggestion though!

    Jenni

     
  • 15/04/2013

    Thanks Nutt, we didn’t mention Heart Internet in the pop up to protect Resellers – can understand your concern though. All’s well that ends well!

    Jenni

     
  • 15/04/2013

    Hi Gabi,

    We’re a bit cautious about sharing the details for security reasons, but it might be something we could revisit in a slightly different way at some point.

    Jenni

     
  • Tom Fox

    15/04/2013

    thanks for being on it guys…

     
  • Chris

    15/04/2013

    Well done for taking preventative measures, but you should have sent an email out to your customers about this. Relying on social media and posting on your blog is not enough in this instance.

    A simple email explaining the issue along with your solution could have saved me the major headache of all of my clients asking why their passwords were not working anymore, with me having to rummage around twitter and your blog and check the authentication message (which doesn’t appear on iOS by the way).

     
  • Tom Fox

    15/04/2013

    Would be nice to have a nicely researched blogpost on wordpress security in general. Maybe this has been done already…

     
  • David Hardstaff

    15/04/2013

    Nice one – I appreciate you taking the effort to protect our sites. It confused me for a moment or two when it first came up, and refused to accept my normal logins, but it didn’t take long to google the message and arrive straight at this blog post.

    Thanks for being proactive!

     
  • 15/04/2013

    @ Chris and @ Pete I appreciate that being told by your customers must have been frustrating and I’m sorry that you feel we didn’t go about communicating the issue to our customers correctly. It’s something we’ll learn from and take forward in the event of us having to perform an action like this again.

     
  • Genieforge

    15/04/2013

    I heard the DDos is using the username admin in its attacks. Does it make sense to advise clients to change their admin username?

     
  • Genieforge

    15/04/2013

    BTW, thanks for the speedy automatic extra layer of security, we really appreciate it.

     
  • 16/04/2013

    It’s a good idea to change the admin username, yep.

    Jenni

     
  • 16/04/2013

    Our pleasure, we’ve had a lot of good feedback from people and it’s great to see.

    Jenni

     
  • Matt

    16/04/2013

    Hi,

    Thanks for this. My only criticism is that I had to google this. There was no way of knowing that the prompt during logging in was by Heart Internet. I thought the site had been hacked.

    Thanks,

     
  • Sam

    17/04/2013

    Great work and a better solution to blocking admin access. Only problem I have is on WordPress e-commerce sites that require signup/login from the visitor as they will also see this pop up – which unfortunately leads to them leaving the site.

     
  • 18/04/2013

    HI Sam,

    Thanks, this whole situation has been a real balancing act.

    Matt

     
  • Greig

    18/04/2013

    Hi Guys,

    Thanks for the security update.

    But ever since you have upped your security I can’t get any WordPress contact form plugins to work. I’ve tried 3 so far, Contact Form 7 (which was working fine), Contact Form and Secure Fast Contact Form. My client is going nuts.

    Any one else having this problem?

     
  • robf

    18/04/2013

    Yes, well done for an effective *temporary* solution, but I would agree that direct email notification to resellers of the problem would have saved a lot of time and confusion of clients, and would hope to see Heart implement this in future. As a reseller, it’s very annoying to hear of these problems from clients rather than direct from Heart Internet.

    I do hope the additional username/password requirement will be lifted very soon, as it continues to interfere with user logins (not just admin) on any WordPress site used by more than one person, and for this reason definitely isn’t a long term solution to the problem.

    I’ve also made suggestions via Heart’s feedback page of

    1) providing optional integration with Cloudflare’s service (as several other web hosts already do) – this isn’t possible at present as hosting packages are tied to heart nameservers.

    2) providing an RSS feed from webhostingstatus.com so that notification of any issues is immediate.

    Thanks,

    robf

     
  • 19/04/2013

    Hi Greig,

    We haven’t heard of anyone else with this issue. The extra login has been removed now. If you are still having problems I’d recommend contacting support.

    Cheers

    Matt

     
  • 19/04/2013

    Hi Rob,

    The extra login has been removed now. In the future, if there is a similar attack, we are going to redirect traffic to a page that confirms the user is human via a captcha. This page will be brand free.

    Cheers

    Matt

     
  • robf

    19/04/2013

    Thanks, Matt, that sounds preferable.

    Are email notification of similar attacks, integration with Cloudflare, and RSS feed for webhostingstatus.com being considered?

     
  • 22/04/2013

    Hi Rob,

    These ideas have been passed on to the relevant teams to discuss.

    Cheers,

    Rob

     
  • Euan Brunton

    23/04/2013

    I didn’t think it was possible to change the username in WP once it had been set? Can anyone shed some light on this please?

     
  • 23/04/2013

    Hi Euan,

    The botnet is looking for WordPress and Joomla users who are using “admin” as their username. It isn’t looking to change the username, it is trying different password variations to get in that way.

    Cheers,

    Matt

     
  • robf

    23/04/2013

    Hi Euan, with WP, to change the username from admin: log in as admin, create a new username with admin privileges, then delete username “admin”.

    Cheers,

    Rob

     
  • robf

    23/04/2013

    Thanks for feedback re email notification, cloudflare and RSS.

    Re Captcha, thanks for continuing to be proactive in blocking attacks, but please consider using easier to read and less complex captcha – I just had to refresh captcha seven times (!) before finding one I could read, and feedback from users and clients on some of my other wordpress sites hosted with Heart is already that other legitimate users are having similar difficulty!

    Thanks,

    Rob

     
  • Steve Cooke

    23/04/2013

    I think what Euan is referring to Matthew is the advice that’s been given earlier in the comments that “it’s a good idea to change the admin username”. As this screenshot demonstrates, the WordPress dashboard doesn’t allow this:

    https://i.imgur.com/sTUMxWM.png

    I think the most straight forward way to get around this limitation is to create a new admin user with the new username as required then log into that new administrator account and simply delete the old one.

    Hope that helps!
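Rob's and Steve's comments give the same procedure: create a new administrator, log in as it, delete the old "admin" account. The script below is an added walkthrough of that procedure against an in-memory SQLite stand-in for the WordPress tables; it is not WordPress code and should not be pointed at a live database, where the same steps are done from Users in the dashboard or with WP-CLI (`wp user create … --role=administrator`, then `wp user delete admin --reassign=<new id>`). It adds the checks a practitioner wants: refuse a replacement name that is itself commonly guessed (Matt's point about "common" administrator usernames), reassign the old account's posts to the new one before deleting it (WordPress asks this at deletion time; skipping it orphans content), and roll everything back if the site would be left without an administrator. The table prefix `wp_`, the user rows, post titles and the placeholder password hashes are constructed for the example.

```python
import sqlite3

# PHP-serialised capability value WordPress stores for an administrator.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
# Constructed deny list of usernames automated guessing campaigns try first.
COMMON_ADMIN_NAMES = {"admin", "administrator", "root", "test", "user", "wordpress"}

SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE NOT NULL,
                       user_pass TEXT NOT NULL, user_email TEXT NOT NULL);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                          meta_key TEXT NOT NULL, meta_value TEXT NOT NULL);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER NOT NULL,
                       post_title TEXT NOT NULL);
"""


def demo_database() -> sqlite3.Connection:
    """In-memory stand-in for a WordPress database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "admin", "$P$B-constructed-hash-1", "owner@example.com"),
        (2, "editor", "$P$B-constructed-hash-2", "editor@example.com"),
    ])
    conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)", [
        (1, "wp_capabilities", ADMIN_CAPS),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (10, 1, "Hello world!"), (11, 1, "About"), (12, 2, "News"),
    ])
    conn.commit()
    return conn


def administrators(conn) -> list:
    """Logins of every user whose capabilities include the administrator role."""
    rows = conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%\"administrator\"%' "
        "ORDER BY u.user_login").fetchall()
    return [r[0] for r in rows]


def replace_admin_user(conn, old_login: str, new_login: str,
                       new_pass_hash: str, new_email: str) -> dict:
    """Create a new administrator, move the old one's posts to it, delete the old one."""
    if new_login.lower() in COMMON_ADMIN_NAMES:
        raise ValueError(f"{new_login!r} is a commonly guessed username; pick another")
    if old_login not in administrators(conn):
        raise ValueError(f"{old_login!r} is not an administrator")
    if conn.execute("SELECT 1 FROM wp_users WHERE user_login = ?", (new_login,)).fetchone():
        raise ValueError(f"{new_login!r} already exists")
    with conn:  # one transaction: any failure below rolls the whole change back
        cur = conn.execute("INSERT INTO wp_users (user_login, user_pass, user_email) VALUES (?,?,?)",
                           (new_login, new_pass_hash, new_email))
        new_id = cur.lastrowid
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)",
                     (new_id, "wp_capabilities", ADMIN_CAPS))
        old_id = conn.execute("SELECT ID FROM wp_users WHERE user_login = ?",
                              (old_login,)).fetchone()[0]
        # The "attribute all content to" step of WordPress's delete-user screen.
        reassigned = conn.execute("UPDATE wp_posts SET post_author = ? WHERE post_author = ?",
                                  (new_id, old_id)).rowcount
        conn.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (old_id,))
        conn.execute("DELETE FROM wp_users WHERE ID = ?", (old_id,))
        if not administrators(conn):
            raise RuntimeError("refusing to leave the site with no administrator")
    return {"new_id": new_id, "old_id": old_id, "posts_reassigned": reassigned}


if __name__ == "__main__":
    db = demo_database()
    print("before:", administrators(db))
    print(replace_admin_user(db, "admin", "sitekeeper", "$P$B-constructed-hash-3", "owner@example.com"))
    print("after:", administrators(db))
```

Renaming the account changes nothing about password strength, and Matt's reply above makes the point that the botnet is guessing passwords for the username "admin" rather than changing anything; a unique login name simply takes the site out of the set of targets the campaign is built for.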

     
  • 24/04/2013

    Hi Rob,

    That’s not something that we have noticed ourselves, it may just be the luck of the draw, but we’ll keep an eye on it.

    Cheers,

    Rob

     
  • Chris

    16/05/2013

    Hi, Matthew when you added a confusing login last time I commented saying you gave no prior warning and AGAIN – no prior warning is given when you have changed it.

    You answered with the following:

    “@ Chris and @ Pete I appreciate that being told by your customers must have been frustrating and I’m sorry that you feel we didn’t go about communicating the issue to our customers correctly. It’s something we’ll learn from and take forward in the event of us having to perform an action like this again.”

    So I ask you why didn’t you email your customers, especially your resellers?

    I’m now faced with my customers contacting me to ask if I can remove the CAPTCHA screen as they cannot read it properly and why did I add it without consenting them first.

    Finally, your update says 23/04/2013 – The CAPTCHA didn’t appear for me or my customers until this morning?

     
  • 16/05/2013

    Hi Chris,

    The threat is an ongoing issue, it hasn’t gone away. The CAPTCHA is added to websites using WordPress on servers that are being targeted. This is not a new issue, and we don’t need to have a blanket on/off for all servers; we can protect specific servers without having to affect everyone else.

    We are the most proactive web host out there to protect our clients’ websites, this is preventing WordPress user’s websites being hacked.

    Cheers

    Matt

     
  • teresa

    16/05/2013

    Did you remove some access to wp-logins? I used to get the captcha screen but now it suddenly seems like the wp admin panel access got removed?

     
  • 17/05/2013

    Hi Teresa,

    We haven’t taken any action that would cause this, if you could contact our support team they’ll be able to investigate further for you.

    Cheers,

    Rob

     
  • D Jones

    12/07/2013

    We’ve run into an issue with this. If you choose to password protect a specific page in your site, this uses wp-login, so it is throwing up the additional Heart Internet captcha in the middle of the process. Once you enter this captcha, the original password protected page then fails to load – the Heart Internet process interrupts normal working of the password protection.

    Any way round this?

     
  • 12/07/2013

    Hi,

    Thanks for your comment. Please raise a support ticket with the details and our team will investigate this for you.

    Cheers,

    Rob

     
  • Lazzarus

    25/02/2015

    Could you make the captcha responsive at least? We can’t login from mobile…
    What if I send the password you just showed to the hackers, how safe is that???
    Even the captcha is lamely done…

     
  • Jenni

    26/02/2015

    Hi Lazzarus,

    We use it regularly on our own installs from mobiles with no issues. Please raise a ticket with our support team with the specifics of the device and operating system and they will advise/investigate.

    Thanks,

    Jenni

     
