|

New XML-RPC Brute Force Attack

XML-RPC Brute Force Attacks

I told you so.

And I hate it when I’m right about this stuff.

Earlier in the week I posted that you should get XML-RPC turned off on your site. Sucuri just released confirmation that is one of the new attack strategies of the recent bad bot attack. This is different from the XML-RPC exploit to use your site in a DDoS attack. This one is to use XML-RPC to get your login credentials and do a Brute Force attack. In other words, the bots want to break down the front door to gain entry to your site.

How to Disable XML-RPC

Want to see my post again now on how to disable XML-RPC? Here ’tis. 
Post was UPDATED on 7/30/14 with new info and test results, plus a new way to turn XML-RPC completely off.

Protecting My Client Sites

And, this is the same type of security measures that I told you about in this week’s Tips Tuesday too, and that I’ve been staying up until the wee hours of the morning getting all of my client sites protected from. And I’ve been taking it a step further than what’s in that post and here’s why.

None of the standard Brute Force attack plugins can protect against this type of XML-RPC call. Extra measures have to be taken.

Attacks Up 10 Fold

Sucuri is reporting the attack rate has increased 10 fold. And the bots are going for the easy passwords to break. Folks, if you don’t do anything else, at least get a super duper strong password everywhere on your site, not just the login. Get it on the database and anything else that requires authentication.

Security for Non Geeks

Here’s more easy to understand info on DDoS attacks, Brute Force attacks, and site security.

DDoS Attacks, Brute Force Attacks, and Site Security

How Site Performance and Security Work Together

900 Botnets Ready to Attack Sites

Backup Backup Backup!

And by all means, get a good backup system in place. One that gets your whole root files, WP core files, theme, plugins, database, everything. Store those backups off site. And be sure the backups are easy to restore.

I use BackupBuddy (aff link) on my sites and install it on all of my client sites. And I store the files on Amazon S3 (AWS).

Here’s a free report with 14 backup and storage solutions, plus important setting info.

It’s Not Over Yet

From the info I’ve been able to gather, it’s clear that the bots are probing and testing new attack methods. They haven’t taken down whole server farms yet, and are not setting off major fire alarms yet. In fact, most hosts are adjusting and keeping pace by limiting resources on shared hosting accounts a bit more often.

That’s the scariest part of all.

Hosting Resource Overages

Hosts constantly advertise unlimited everything for $4/mo.

The days of throwing multiple sites onto a single shared hosting account are over.

Every one of those sites is chewing up your system resources. During high bot attack periods, the host will limit your site for resource overages. During those times, your site is not available to the public.

If you have cPanel, go to Logs > Resources. You’ll see just how many times your site has red lined for CPU and Memory overages. Go to Logs > Bandwidth to see overages with that.

So, on shared hosting, unlimited is not really unlimited.

Hidden Security Holes

  • If you have a bunch of abandoned sites on your account, every one of them is a major security hole.
  • If you simply deleted an abandoned site, but did not remove the add-on domain, it’s unsecured FTP account, or its database, every one of those is a major security hole.
  • If you have a bunch of old domains all redirecting to another site, you’re also sending all the bad bot traffic from them to that one site.

Get Serious About Security

Site Audits are the only way to check all of the security holes and performance drains on your site.

I do site evaluations and audits at levels from live, :30 minute sessions where you see what I see all the way to the same full performance and security audits I put BlogAid through.

Every part of your site has to be taken into consideration including your hosting environment, plugins, theme, content type (just text or lots of images), and so much more. There’s no way to adequately cover all of the conditions and solutions in a generic post because there is no one-size-fits-all fix.

Just Do It

Site security is just not something that can be put on ignore anymore. All sites live in bad neigborhoods now. I don’t care who your host is. The Internet is full of bots and hackers and all manner of ne’er do wells and miscreants because there’s a lot of money for them to make. A whole lot of money.

So, just get it done. And keep it secure. And sleep easier.