Category Archives: WordPress

Dealing with DDoS attacks against WordPress sites and blogs

I’ve seen various figures from various sources on the recent increase in DDoS (Distributed Denial of Service) attacks. If you use the figures from this story in PCmag, which might be more of an advert for Arbor as it measures just the quantity of raw bandwidth, it has doubled in 6 months. I know that a number of my clients have seen far more in the last few months, with one WordPress blog seeing spikes of 40,000 requests a second, whereas last year it saw far less than half that. That is easily handled with 4 load balanced firewalls, but it is an entirely different story from what a small blog like this one sees.

What I see on average sites and blogs built on WordPress (I say average because the vast majority of websites on the internet are small points of presence for small businesses and opinionated people like me getting their thoughts out there, and WordPress is by far the most popular platform) is that we have become a target. For most of us the DDoS is not intentional: it is the vast number of bots, both computers with a trojan acting as a zombie and other compromised websites, that are trying to recruit your website into their army, and maybe also steal your user list. Of course you might also have attracted some unwelcome attention from a competitor, in which case the DDoS is intentional.

[Image: IPViking attack map]

You only need to look at an attack map such as Norse's to see what sort of attacks are going on right now. Normally HTTP attacks are listed at number 2 after SSH; attacks on HTTP, port 80, mean attacks on the actual website, and they are mostly hitting the hosting companies of small websites such as mine, GoDaddy.

The most popular targets, in this order, are:

  • /wp-login.php
  • /wp-login.php?action=register
  • /wp-comments-post.php

Attacks against “/wp-login.php” are password guessing. While they seem to be totally dim at it, guessing the password for “admin”, an account that doesn’t even exist, when you get hit by a few thousand in a short period of time it can take you offline by running you out of resources; they might only be interested in hacking your server, but they cause a DDoS. This is potentially by far the worst of the attacks, as once in they often infect the site with malware to infect visitors' browsers. It can mostly be mitigated easily by changing the login path from “/wp-login.php” to something else and making sure the user “admin” does not exist. Abusers rarely check what they are attacking, for instance checking the name of the site's owner or what URL you actually log in at; the path can be changed manually or simply using a plugin such as Rename wp-login, which also helps with the next issue.

Attempts to register at “/wp-login.php?action=register” are spammers trying to create accounts to leave spam on your posts. This can be very frustrating when you find 99.9% of your users are fake accounts, and I have seen relatively quiet blogs run at a snail's pace when they notice and try to manage the 100,000 users they have accumulated over a number of years. This is quite ironic, as I have seen it on business sites that don’t allow commenting and have no reason for users to have accounts; the reverse is true here, as currently on this site I don’t require accounts to comment, which brings me to the third on the list.

Spam attacks against “/wp-comments-post.php” will continue while there is a market for “SEO links”. Checking the latest prices, the spammers are now offering a quarter of a million spam “comments” on websites and blogs for $5 on fiverr.com, and they do this even while warning you that such back-links will negatively affect your SEO (strange, eh?). Again, this will burden a small site, slowing it down, and I have seen. A way to control this that works (for now) is adding a CAPTCHA, as I have done.

There is another recently exploited vulnerability, the “WordPress XML-RPC PingBack Vulnerability”. It has existed for 7 years, but someone only just got around to deploying it. There is not much you can do if you are the target, but it is fairly easy to block ping-backs so you don’t become one of the unsuspecting attackers. Because this DDoS attack uses legitimate methods, it is probably not even included in the attack map numbers above.
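As an added example (not code from the original post), the following Python script parses combined-format access log lines, classifies POSTs to the three targets listed above and to xmlrpc.php, and flags any source address that exceeds a threshold within a sliding time window; the log lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields this check needs are named.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')

def classify(method, path):
    """Map a request to one of the abuse categories from the post, or None."""
    if method != "POST":          # guesses, registrations, comments and pingbacks are all POSTs
        return None
    if path.startswith("/wp-login.php"):
        return "register" if "action=register" in path else "login"
    if path.startswith("/wp-comments-post.php"):
        return "comment"
    if path.startswith("/xmlrpc.php"):
        return "xmlrpc"           # pingback.ping and other XML-RPC calls
    return None

def flag_abusers(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: {category: total}} for IPs that made >= threshold requests
    of one category inside any `window`-long span (sliding window per IP)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # not a combined-format (or a truncated) line: skip
        cat = classify(m["method"], m["path"])
        if cat:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events[m["ip"]][cat].append(ts)
    flagged = {}
    for ip, cats in events.items():
        for cat, stamps in cats.items():
            stamps.sort()
            start = 0
            for end, t in enumerate(stamps):
                while t - stamps[start] > window:
                    start += 1    # drop events that fell out of the window
                if end - start + 1 >= threshold:
                    flagged.setdefault(ip, {})[cat] = len(stamps)
                    break
    return flagged

# Constructed sample: one address hammering wp-login.php, two others behaving normally.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jun/2015:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    for i in range(25)
] + [
    '198.51.100.4 - - [10/Jun/2015:12:01:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2015:12:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jun/2015:12:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"',
]
```

Feeding a real log through `flag_abusers` gives a per-address list of which endpoint is being hammered, which is the evidence you want before adding a firewall rule or renaming the login path.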

And then there is a whole list of other threats, not so easily listed as there are so many variants: exploits looking to take advantage of vulnerabilities in plugins. To avoid these issues, either don’t use plugins or, when you do, only use well maintained and regularly updated ones. But these are not DDoS attacks, quite the opposite: once they have compromised a site, they want it to be available so they can push their spam and compromise as many other sites as they can.

More and more sites are suffering, and these are only a few of the attack vectors that those trying to make a living selling back-links, or those with far more malicious intent, are looking to take advantage of.

There are becoming far too many threats for most website owners to worry about. It’s easy for me, I’ve been doing this for years, but there is another option that works well, although it doesn’t solve all security threats. Well, I would say this as I do a lot of work for Sucuri as a firewall analyst :), and that is putting your site or blog behind a cloud hosted firewall such as CloudProxy, which filters all traffic and takes any beating for you.

Blog Spammers and which CAPTCHA, 5 reviewed

CAPTCHA, standing for “Completely Automated Public Turing test to tell Computers and Humans Apart”, has been around since 2000, so it was already fairly well developed when, a couple of years later, the bots started targeting blogs, guest books and wikis, which are the main targets of those peddling their commercial junk.


Over the years I have used many, both as a consumer and as a developer; on projects the choice is usually left to me. What has happened a couple of times is that a default CMS installation comes with a CAPTCHA pre-installed to protect forms, normally a comment, contact or registration form. This will work fine for a couple of weeks, then when the bots find the page, they will inundate it with abuse.

Some forms, like the talent application on ImageFolio, are fairly resistant to abuse by design, as they ask questions which will mean very little to a spammer bot, and the page name “become_a_model” will mean nothing to them. I have though left a very simple CAPTCHA there in case I need to improve on the feature in the future, so it won’t be too much of a shock to clients.

Quite often the CAPTCHA systems need to be tightened up by increasing complexity; if it’s still not doing its job, replace it. I wish that wasn’t the case, but the bot developers are well funded, and the abuse must continue: the sales of backlinks on fiverr.com, with prices as low as 1500 for $5, have to be fulfilled somehow.

My biggest problem with these spammers these days is not the actual spam, which is caught by a spam filter; on blog installations it’s the sheer number of fake accounts they create, the abusers' insistence on creating accounts even though I often allow commenting on sites without the need to log in (anonymous commenting).

Anyway, here’s a short write up on a few CAPTCHAs I’m using on WordPress.

The criteria I will measure them by are the number of false positives (people mis-entering) compared to the ability of spammers to circumvent them (spam comments or accounts).

BotDetect: they support a very wide variety of platforms, with free and paid options, and the users of their library are impressive, including many international government departments. I haven’t yet opted for the paid version; the only advantage would be the removal of the branding, which clients have not complained about. It is a classic, fairly simple to read distorted text puzzle; I am guessing what gives it the edge on others is the changing backgrounds that challenge the bots.

Setup is not simple, requiring not just installation using WordPress’s add plugin feature but also uploading the libraries to the wp-content folder and moving them to another directory. But once it’s there, it’s very simple, with options to protect Login, Comments, User Registration and Lost Passwords, and the expected control of character count and CAPTCHA size. There is also an option to disable audio; I would suggest this is removed, as I can’t think of an instance where you would want to exclude the visually impaired. Support for feedback and contact forms is missing, but I am told by the developer they are working on this feature now.

SweetCaptcha: most CMS platforms supported, a single free no-strings offering, and not the normal distorted text but a drag and drop puzzle to solve. I have heard of some problems on certain devices when completing the puzzle, but have not seen the evidence and was unable to replicate them; even my normally fussy “noscript” Firefox and antique Windows phone were happy with it. It has a unique fun design with some amusing themes which you can switch between, and can be applied to any input form on a CMS from what I can tell. I have not seen a bot able to solve the puzzle, but I have seen a lot of users get it wrong first and second time. I have no idea why, maybe a language thing; in this case maybe I don’t know what Victor's favourite colour is? I’d suggest they research their puzzles a bit more and add an audio option, which I think is essential and is noticeably missing.

UPDATE 9th June 2015: SweetCaptcha has been serving malware via their script, I am sorry to have recommended them, use at your own risk.

reCAPTCHA: made and used by Google, offered for free and fully open source, it’s bundled in a number of plugins for WordPress but not as a plugin itself. It is fairly easy to use, only needing the input of an API key to get going after installing whatever plugin it came bundled with. I believe for a long time this was the best available; I have seen bots bypass it, and quite quickly the developers improved it. But again, people do have a lot of problems reading the distorted text, to the point of giving up and resorting to the audio when they obviously have good eyesight. There is a variety of options, but not on puzzle strength; layout of the widget and colour / style options are available. There is a large community of developers integrating reCAPTCHA into systems, which is both the reason abusers occasionally circumvent it and the reason updates to the code are quickly developed.

Captcha by BestWeb: available stand alone, free and paid, and bundled with many of Best Web Soft’s other popular plugins, which are all very simple to use. Its simple mathematical challenges I personally find easier than any other, nearly second nature. I think the bots, unless the text numbers are enabled (one, two..), don’t see this CAPTCHA as much of a challenge; I have tested this on some heavily targeted sites and it was next to useless in stopping the 100+ fake signups a day they were suffering. That said, many people seem happy with it. The fact that it is bundled with so many other plugins leaves me a little surprised that they haven’t improved on it.

SI CAPTCHA: I won’t go into too much detail. For a long time it was good at what it did, stopping spam and the associated accounts, with traditional distorted text, more readable (to me anyway) than most, and few fails. It is easy to install but does little to stop abuse now. I did hear that maybe spammers had found another way of bypassing the puzzle, not actually solving it, maybe even looking for forms that use this CAPTCHA solution; I’ve been unable to find a link to that discussion now, so can’t be certain, and will update if I find it.

Asirra: an interesting open source project sponsored by Microsoft that I watched develop for a few years, which leveraged humans' unique ability and enjoyment in separating pictures of kittens and puppies. Sadly, after many attempts at bringing it to the masses, Asirra’s potential doesn’t seem to have been realized. I am sure themed versions would be very popular if they were applied to the subject matter of the site, say male and female models for a model agency.

Summary

For me, at the moment BotDetect, although still in beta, has the lowest rate of false positives (people mis-entering) compared to spammers able to abuse it, and is very suitable for high volume traffic sites; I am anxiously waiting on their contact form support. For a light traffic site that is not being targeted and can get away with the unique look, you should go for SweetCaptcha; for any that can’t, sorry, I can’t really recommend one. Of course you may be forced to use the solution supplied with your plugin (contact forms etc.), or maybe you should choose your plugin based on the CAPTCHA they employ.

Keep in mind that the developers may be fixing any shortcomings I have mentioned whilst I type, or that I am praising a solution that could be circumvented tomorrow. Read the current reviews, and be prepared to switch out, maybe very quickly, which may not be so easy if the CAPTCHA is tied to another plugin you are dependent on. Feedback on this article is very welcome, of course not from spammers.

Migrating a large Blog installation from Movable Type to WordPress, lessons learned


First, although Movable Type is rock solid, and personally I like it a lot, a number of apparently insurmountable issues have come up that negatively affect the client: the once vibrant open source community that supported MT is now gone, leading to a lack of innovation, and the lack of peer review has led to an exploit causing this client to suffer a 2 week outage; among the many changes they have announced, they have now moved to a closed source model.

I have just successfully completed the management of a fairly large, very busy migration from Movable Type to WordPress for a client, and I was already aware of a number of complications and risks in the early planning stages. The benchmarks set were:

  • To maintain all content, either as publicly accessible or easily restorable data if called for throughout migration
  • Keep serious user disruption to around 6 hours
  • Reduce page load times by half
  • Increase traffic with new subscriptions and more page views per user

The challenges and risks were, apart from the site seemingly being under constant DoS attack, not the physical size of the database itself, which was 1 GB (I have moved much larger many times), or that it comprised around 50,000 articles, which wasn’t much of an issue in itself, but more the fact that the Movable Type installation had been previously migrated from another unknown platform some 5 years ago, and again a few years before that. So there are articles with php, htm and html file formats, never having been normalized. An even bigger task were the nearly 1 million comments on the articles, which have been created over the last decade using an unknown number of diverse commenting systems; if you have looked at the mess this creates you’ll know you have some duplicates, and in this case many of the 12,000 commentators are duplicates, with either or both the username and email address applied to more than one commentator's account.
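As an added illustration (not code from the original post, and not the tooling used in this migration), the following Python snippet groups commenter accounts that share a username or an email address, the duplicate pattern described above, using a union-find keyed on both fields; the records are constructed.

```python
from collections import defaultdict

def normalise(value):
    """Collapse whitespace and case so 'Alice ' and 'alice' compare equal."""
    return " ".join(value.split()).lower()

def merge_commenters(records):
    """records: iterable of (commenter_id, username, email).
    Returns a sorted list of id-lists, one per distinct person, joining any
    accounts that share a username OR an email (union-find keyed on both).
    Blank usernames/emails are ignored so empty fields never link accounts."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for cid, name, email in records:
        key = ("id", cid)
        find(key)                           # register the account itself
        if normalise(name):
            union(key, ("name", normalise(name)))
        if normalise(email):
            union(key, ("email", normalise(email)))

    groups = defaultdict(list)
    for key in list(parent):
        if key[0] == "id":
            groups[find(key)].append(key[1])
    return sorted(sorted(g) for g in groups.values())

# Constructed sample mirroring the duplicate patterns described in the post.
SAMPLE_COMMENTERS = [
    (1, "Alice", "alice@example.com"),
    (2, "alice ", "ALICE@example.com"),   # same person, casing/spacing differs
    (3, "Alice", ""),                     # older system stored no email
    (4, "Bob", "bob@example.com"),
    (5, "Robert", "bob@example.com"),     # display name changed, email kept
    (6, "Carol", "carol@example.com"),
    (7, "", "carol@example.com"),         # anonymous system, email only
    (8, "", ""),                          # nothing to match on: stays alone
]
```

Merging on username alone is deliberately aggressive and matches the post's description; if two different people really did share a display name, review the resulting group before collapsing the accounts.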

There was a lot of pressure on me from various stakeholders, originally 5 months ago when this migration was first discussed, to move the whole commenting platform to Disqus. While their platform is very tempting and would have simplified my tasks considerably, the client was worried that their terms of service seem to allow them to switch off a site's commenting system without notice, that ownership of the comments themselves becomes unclear if you ever wanted to move away, and that their general attitude to security raised concerns. This was settled totally when they did in fact leak confidential data last month; I’d already voiced my concerns early last year while working on another migration. So I have for the meantime settled on the standard default WordPress system, in full agreement with many others that there just isn’t a perfect platform out there yet. But at least I will be in a good position if it falls on me to migrate to one when it does turn up.

Quite a few redirect problems still exist in the system; I am monitoring the many 404s and editing them in the meantime, and I have a Linux system engineer with the right experience fishing them all out in the next few days, ideally removing as much as possible of the junk in .htaccess that slows down a system and solving the redirects in the httpd configuration instead. Another complication, a risk I was aware of, was that I migrated the system within the same web server, causing no end of issues with multiple .htaccess files affecting either or both installations during and after migration. I think next time I will insist that a migration of similar scale is to an alternative server.

Again, getting WP Super Cache configured right was key to handling the 5,000 visitors an hour, and the hammering Google's and Microsoft’s spiders give a system with this much content.

Despite the false start a month ago, when the client realized they weren’t prepared for the migration, it’s gone well and recovery was good. While many will say “bounce rate” is really more a webmaster's vanity tool, I think the graph from Google Analytics below illustrates that on the 20th, the day of the migration, many curious regular users were “poking around” the new platform; this subsided after a day, and the rate is now starting to drop steadily (the lower the better) as they make use of the new features. I had set this as a benchmark and consider this proof of success.

[Graph: Google Analytics bounce rate around the migration]

Keeping everyone happy throughout the migration, and with the new platform we are now forcing them to use, is impossible. Warning them of what to expect would have been desirable and would have relieved the current pressure on the helpdesk, but we intentionally didn’t inform browsers and commentators of the upcoming move; that was unavoidable, as there are those that would have taken advantage of the migration (escalating the DoS attacks?).

Lessons learned: while redirects to the new RSS feed worked fine, I was unaware that other sites were “fed” by a third party web feed management provider that failed to pick up content from the redirected XML. Once the issue was identified, it was easily fixed by building and distributing a new feed with Google’s Feedburner.