For the past several weeks a DDOS attack has been the cause of many bloggers’ wrinkled faces (mostly WordPress users). Isn’t it? Unfortunately, I am one of those affected bloggers. A few days ago I lost almost all the contents of one of my websites.
Not taking backups on a regular basis was my stupidity, and the DDOS attack takes the credit for all my loss. Those restless nights kept me glued to the computer, wired to research this. It taught me a lot which can surely help you if you are blogging or about to start. It’s always wise to learn from others’ mistakes. Doesn’t it make sense? If I tell you, why would you commit the same mistake which I made?
My Mistake
I was hosting my website with a free web hosting company. So when this attack spread, almost all web hosting companies became cautious. They started blocking the “wp-admin” page of WordPress websites to ensure that their customers’ sites stayed secure.
At the same time the hosting companies informed their customers that their servers were being hit by an enormous number of requests which were bringing the servers down.
When I saw a red alert in my cPanel about a DDOS attack, I did not read it carefully. I just thought my site had been hacked and this DDOS was some kind of hi-fi stuff.
I tried logging into my website through “wp-login” and Boom!! I was returned an error page from the hosting company.
Now I was in panic. It was time to act (or so I thought). I thought I was doing a smart thing, but I deleted the contents of my site using cPanel, thinking that my site had been hacked. Then I went ahead, downloaded WordPress and did a fresh installation.
But to my dismay, I was still unable to log in through “wp-login”. Now, that was really weird, and it was time to find out what went wrong. I had done this installation a number of times the same way, and it had always been successful.
So what was wrong this time?
As I have mentioned above, the previous hosting was free, so I was unable to find a way to contact them. There wasn’t even an email id for a support or technical team. Tap..Tap..Click..Click..Giant Google Grandpa helped. So here is all I learnt from it, which I am going to share with you:
- What is this DDOS attack?
- Matter of concern for WordPress Users?
- Who are the culprits and how is it achieved?
- Precautions?
What is a DDOS attack?
DDOS stands for ‘Distributed Denial Of Service’; the non-distributed form is abbreviated ‘Denial Of Service’ [DoS]. According to Wikipedia, it is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and target of the attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the internet.
Matter of concern for WordPress users
Security researchers have identified an ongoing attack that uses numerous computers from across the Internet to take over servers running the WordPress blogging platform. The unidentified people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force the administrative credentials of vulnerable WordPress installations, analysts from more than three web hosting services disclosed.
One company warned that the attackers might be in the process of building a “BotNet” of compromised servers that is far more powerful and devastating than those currently available. That’s mainly because servers have bandwidth connections which are typically tens, hundreds, or even thousands of times faster than those of BotNets built from compromised machines in homes and small businesses. These larger machines can cause much more damage in DDoS (distributed denial-of-service) attacks because their huge internet connectivity lets them generate a substantial amount of traffic.
Who are the culprits and how do they achieve it?
It is not yet clear who is behind this massive DDOS attack, the biggest seen so far. At the same time, US intelligence suspects Iran of trying to gain access to US banks, though it’s not yet confirmed by any government agency, Iran or Iraq or Saddam or Osama Bin Laden [lol]. The attacks, which started in September 2012, do not focus on stealing money, but on knocking the bank servers down with excessive automated requests generated by the bots. The affected banks include Bank Of America, HSBC, Citigroup, Capital One and Wells Fargo. These banks have restored their websites and increased their security by employing professional hackers.
Now you might be interested to find out how they achieve it. Isn’t it?
So let’s discuss how they achieve such massive damage to your websites. These attacks send dummy packets of information at a rate much higher than the server’s ability to process them, overloading the server and crashing the website. Of course it is nearly impossible to do this using one system. So, they make use of a BotNet [RoBot Network], a collection of interconnected programs communicating with other similar programs to get the job done at blazing speed.
And here they badly need your WordPress administrative access, which they can easily get if your user name is “admin” (the default one, so it is recommended to change your user name from admin to something else) and your password is a word which is present in a dictionary.
Shocking! Isn’t it?
What’s wrong if the password you have chosen is present in a dictionary?
They already have your user name [admin]; next they need your password. So they brute-force the guessing process using words present in a dictionary. And Bingo!! They are done; they have your password too. And they hold the credentials of a number of other people as well. Now they have a powerful BotNet which is capable of bringing down any giant website that has even a small security loophole.
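As an added example (not part of the original post), the following Python script scans Apache access-log lines for the pattern described above: many different IPs each posting to wp-login.php only a few times, so that only the per-minute total across all IPs reveals the guessing. The log lines, IP addresses and thresholds are constructed for illustration; the 200-then-302 heuristic relies on WordPress re-showing the login form (200) on a wrong password and redirecting (302) on a correct one.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines (not real traffic). Five different IPs
# each POST to wp-login.php within one minute: a per-IP threshold sees nothing,
# but the per-minute total across all IPs gives the distributed guessing away.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:03 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2013:10:07:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp truncated to the minute, request line and status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<minute>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def login_posts(log_text):
    """Yield (minute, ip, status) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m['method'] == 'POST' and m['path'].startswith('/wp-login.php'):
            yield m['minute'], m['ip'], int(m['status'])

def login_bursts(log_text, max_per_minute=4):
    """Minutes whose login POSTs, summed over all IPs, exceed the threshold.
    Maps minute -> (attempts, distinct IPs) so the spread is visible."""
    per_minute = defaultdict(list)
    for minute, ip, _ in login_posts(log_text):
        per_minute[minute].append(ip)
    return {mn: (len(ips), len(set(ips)))
            for mn, ips in per_minute.items() if len(ips) > max_per_minute}

def suspicious_successes(log_text, min_failures=1):
    """IPs redirected (302, WordPress's response to a correct password) after
    at least min_failures 200 responses (form shown again): a guess that landed."""
    failures, hits = defaultdict(int), []
    for _, ip, status in login_posts(log_text):
        if status == 200:
            failures[ip] += 1
        elif status == 302 and failures[ip] >= min_failures:
            hits.append(ip)
    return hits
```

On the sample, `login_bursts` reports the 10:00 minute with 6 attempts from 5 distinct IPs, and `suspicious_successes` singles out the one IP whose failed attempt was followed by a redirect.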
Precautions you should take to keep them at bay
- Keep regular backups of your site contents using ManageWP, BackupBuddy or any plugin of your choice.
- Keep your WordPress version up to date.
- Change the default user id from “admin” to something else. Set a password like “op@uyi76!” which no brute-force dictionary software will guess.
- Prevent search engine crawlers from indexing your admin area. You can do it by creating a “robots.txt” file in your root directory containing the following lines (note that robots.txt is only a request honoured by well-behaved crawlers; it does not stop anyone from requesting those URLs directly):

```text
# Keep crawlers out of the admin area and the WordPress plumbing
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
```
- Protect your “.htaccess” file by placing the following lines in the “.htaccess” file of your root folder.

```apache
# STRONG HTACCESS PROTECTION: deny direct requests for any .hta* file
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
```
- Stop visitors from browsing through your directories by adding the following two lines to the “.htaccess” file of your root directory.

```apache
# disable directory browsing
Options -Indexes
```
- Secure your “wp-config.php” file, as it contains valuable information about your database. Add the following lines to the “.htaccess” file of your root directory.

```apache
# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
```
- Limit access to the wp-content directory by adding the following piece of code to a “.htaccess” file inside your wp-content folder (placing it in the root “.htaccess” would deny access to the whole site).

```apache
# wp-content/.htaccess: serve only static assets, block everything else (e.g. direct PHP requests)
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpeg|png|gif|js)$">
Allow from all
</Files>
```
- Prevent unwanted script injection on your blog by adding the following lines to the “.htaccess” file of your root directory.

```apache
# Protect from script injection via the query string: matching requests get a 403
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
```
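Added example, not from the original post: the three RewriteCond patterns above transcribed into Python so you can see which query strings the rule actually blocks. The sample query strings are constructed; the point to notice is that the rule catches script tags and GLOBALS/_REQUEST tampering but not a plain SQL injection string, so it should not be relied on as SQL injection protection.

```python
import re

# The three RewriteCond patterns from the .htaccess snippet above, carried from
# Apache's PCRE syntax into Python's re. Only the first carries the [NC] flag
# (case-insensitive); the [OR] flags mean a single match is enough to block.
CONDITIONS = [
    re.compile(r'(<|%3C).*script.*(>|%3E)', re.IGNORECASE),
    re.compile(r'GLOBALS(=|\[|%[0-9A-Z]{0,2})'),
    re.compile(r'_REQUEST(=|\[|%[0-9A-Z]{0,2})'),
]

def blocked_by_rewrite_rules(query_string):
    """True if the RewriteRule would answer 403 (flag F) for this query string.
    mod_rewrite matches QUERY_STRING exactly as sent, so nothing is URL-decoded."""
    return any(cond.search(query_string) for cond in CONDITIONS)

# Constructed query strings (not taken from any real log) with expected verdicts.
CASES = {
    's=%3Cscript%3Ealert(1)%3C%2Fscript%3E': True,  # URL-encoded <script>
    's=<SCRIPT>x</SCRIPT>': True,                   # [NC] catches upper case
    'GLOBALS[admin]=1': True,                       # register_globals override
    '_REQUEST%5Bx%5D=1': True,                      # %5B is an encoded '['
    's=javascript+tutorial': False,                 # ordinary search, no '<'
    'p=123': False,
    "id=1' OR '1'='1": False,  # textbook SQL injection: not covered at all
}

def mismatches():
    """Cases whose real verdict differs from the expected one (empty if all agree)."""
    return {q: blocked_by_rewrite_rules(q)
            for q, want in CASES.items() if blocked_by_rewrite_rules(q) != want}
```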
Good work, Ankit. It was an experience for you. With that, now you are much more prepared and aware of what could go wrong.
And not just that, you are now able to guide others on this topic. This is what learning is all about. You get up one more time than you fall.
Yeah Brother! It taught me a lot. I hope my experience could help other bloggers too.
Thanks for sharing your views.
Ankit
Thanks so much for the expensive information.
You are welcome Nz DevSeven. I am glad that it helped.
Hey! Please tell, is it working on WordPress Multisite or not?
Dear Pradeep,
I hope it all works fine on multisite too.
Do let us know how it goes.
Cheers