Are you hurting your website?

01 Dec 2016

Are you hurting other people’s websites?

Well, are you? To find out, answer the following questions:

  1. Am I running a WordPress site?
  2. Have I done anything to protect wp-login.php?
  3. Have I done anything to protect xmlrpc.php?

If you answered yes to number 1, and no to either of 2 or 3, then the answer is yes, you are hurting your website, and on shared hosting every other website on the same server. How? Well, hackers are continually trying to gain access to websites; for every attempt they make, the server has to:

  1. Handle the connection
  2. Pass the request over to PHP for processing
  3. WordPress then has to query a database to validate the authority of the request
  4. Close the connection

This doesn’t even include all the other checking, tracking and logging that goes on behind the scenes.

As you can see, that’s quite a bit of server overhead involved for every request. Since hackers are persistent and relentless, it’s not just a couple of requests with plenty of time between each one, it’s continuously happening!

Q&A

What does this mean for your website?

Well, as we’ve already stated, this all creates a load on a server (which can only handle so much). The higher the load gets, the longer a new request has to wait to be processed. This means it takes longer for the user to get a response from your site, i.e. your site gets slower.

How do you know if this is happening to your website?

Well, you can look at the logs for your website (these are available to our customers over FTP).

Each of these lines above is a separate failed attempt to log in to your WordPress site. You'll probably see a lot of these.

Each of these lines is a separate attempt to access your website using XML-RPC. This is even worse than the wp-login.php entries as those are a single login attempt per line. With XML-RPC it’s far, far worse! Each request can contain multiple login attempts in a single query. Each of those four lines you see above could easily represent 1000 login attempts. That’s a possible 4000 login attempts in just 20 seconds.
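The two log patterns described above can be counted rather than eyeballed. The following is an added example, not code from the original post or from SCL: it parses access-log lines in the standard Apache/nginx "combined" format, tallies wp-login.php POSTs that came back with a 200 (on a stock WordPress install a failed login re-renders the form with status 200, whereas a successful one redirects with 302, so this is a heuristic, not a certainty), and counts xmlrpc.php POSTs per client. Because a single XML-RPC request can carry many login attempts, the summary also shows the worst case using the 1,000-attempts-per-request figure from the paragraph above. The log lines themselves are constructed sample data using documentation IP ranges; the log screenshots the post refers to are not reproduced here.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not taken from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2016:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2016:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2016:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Nov/2016:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Nov/2016:10:15:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Nov/2016:10:15:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Nov/2016:10:15:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Nov/2016:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def summarise_login_traffic(log_text, multicall_factor=1000):
    """Count suspected failed wp-login.php POSTs and xmlrpc.php POSTs per client IP.

    multicall_factor is the assumed number of login attempts one XML-RPC request
    may carry; it is only used to compute the worst-case column.
    """
    failed_logins = Counter()
    xmlrpc_requests = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST":
            continue
        # Heuristic: a 200 on a wp-login.php POST means the login form was
        # re-rendered, i.e. the credentials were rejected. A 302 is a success.
        if path.endswith("/wp-login.php") and m.group("status") == "200":
            failed_logins[m.group("ip")] += 1
        elif path.endswith("/xmlrpc.php"):
            xmlrpc_requests[m.group("ip")] += 1
    return {
        "failed_logins": dict(failed_logins),
        "xmlrpc_requests": dict(xmlrpc_requests),
        "xmlrpc_worst_case_attempts": {
            ip: n * multicall_factor for ip, n in xmlrpc_requests.items()
        },
    }


def noisy_ips(summary, login_threshold=10, xmlrpc_threshold=3):
    """Return the IPs whose counts exceed either threshold, worth a closer look."""
    flagged = set()
    for ip, n in summary["failed_logins"].items():
        if n >= login_threshold:
            flagged.add(ip)
    for ip, n in summary["xmlrpc_requests"].items():
        if n >= xmlrpc_threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    s = summarise_login_traffic(SAMPLE_LOG)
    for key, counts in s.items():
        print(key, counts)
    print("flagged:", noisy_ips(s))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the thresholds in noisy_ips are deliberately low for the eight sample lines and should be raised for production logs.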

Do we see many of these?

Put simply, yes.

How many?

According to the daily logs on the 3rd November, there were 1,866,342. That’s not individual login attempts, that’s xmlrpc.php requests, and that was just on a single server.

Why don't we just block them?

For the wp-login.php attempts, we have a very good reason for not blocking them. None of you would be able to login to WordPress at all – ever.

For the xmlrpc.php attempts, trust me, we (and pretty much every other hosting company) would love to block them completely. However, it does have valid uses, and we can’t just cripple parts of a customer’s website.

So what can be done?

What we do is block access based on how many failed requests are made, over time, from the same IP address. The more requests that get made from a given IP, the longer it gets banned. Unfortunately, the sheer number of different IPs trying to make connections means that a lot of these requests still have to be let through; we can’t know as quickly as your website can which are legitimate failed attempts (e.g. mistyped password) and which are hackers. This means that we have to be more lenient with blocking these attempts than you can be.
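The blocking scheme just described (count failed requests per IP over a time window, ban when a threshold is reached, and make each successive ban longer) can be written down in a few dozen lines. The following is an added example, not SCL's own code and not a description of their actual thresholds: the window, threshold and ban lengths in BanPolicy are assumptions, and the allowlist (IPs that must never be banned, for example your own office address) is a feature a site owner would want that the paragraph does not mention. The event list is constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class BanPolicy:
    window_seconds: int = 600        # assumed: failures are counted within this sliding window
    threshold: int = 5               # assumed: failures in the window before a ban is applied
    base_ban_seconds: int = 300      # assumed: length of the first ban
    max_ban_seconds: int = 86400     # assumed: cap so escalation does not grow forever
    allowlist: frozenset = frozenset()  # IPs that are never banned


class FailedLoginLimiter:
    """Per-IP sliding-window counter with escalating (doubling) ban lengths."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.ban_until = {}                 # ip -> time at which the current ban expires
        self.ban_count = defaultdict(int)   # ip -> number of bans so far (drives escalation)

    def is_banned(self, ip, now):
        until = self.ban_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register a failed attempt; return the ban length applied, or 0 if none."""
        if ip in self.policy.allowlist:
            return 0
        q = self.failures[ip]
        q.append(now)
        cutoff = now - self.policy.window_seconds
        while q and q[0] < cutoff:      # drop failures that have aged out of the window
            q.popleft()
        if len(q) < self.policy.threshold:
            return 0
        self.ban_count[ip] += 1
        length = min(
            self.policy.base_ban_seconds * 2 ** (self.ban_count[ip] - 1),
            self.policy.max_ban_seconds,
        )
        self.ban_until[ip] = now + length
        q.clear()                        # start counting afresh once the ban lifts
        return length


def replay(events, policy):
    """Feed (timestamp, ip, login_succeeded) events through the limiter in time order.

    Returns one (timestamp, ip, decision) tuple per event, where decision is
    'allowed', 'failed', 'dropped' (request refused while banned) or 'banned Ns'.
    """
    limiter = FailedLoginLimiter(policy)
    decisions = []
    for ts, ip, ok in sorted(events):
        if limiter.is_banned(ip, ts):
            decisions.append((ts, ip, "dropped"))
        elif ok:
            decisions.append((ts, ip, "allowed"))
        else:
            ban = limiter.record_failure(ip, ts)
            decisions.append((ts, ip, f"banned {ban}s" if ban else "failed"))
    return decisions


# Constructed sample events (seconds since an arbitrary start, documentation IPs).
EVENTS = (
    [(t, "203.0.113.7", False) for t in range(5)]        # burst of 5 failures -> first ban
    + [(100, "203.0.113.7", False)]                       # arrives while banned -> dropped
    + [(400 + t, "203.0.113.7", False) for t in range(5)]  # second burst -> longer ban
    + [(10, "198.51.100.23", False), (11, "198.51.100.23", True)]  # one typo, then success
    + [(20 + t, "192.0.2.44", False) for t in range(10)]  # allowlisted, never banned
)
POLICY = BanPolicy(allowlist=frozenset({"192.0.2.44"}))

if __name__ == "__main__":
    for decision in replay(EVENTS, POLICY):
        print(decision)
```

The second burst from 203.0.113.7 earns a 600-second ban rather than 300 because the ban count for that IP has risen to two; a legitimate user who mistypes once (198.51.100.23) never comes near the threshold, which is the leniency the paragraph above is talking about.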

So how can you help?

Well, for WordPress sites, you can install WordFence. It’s a great security plugin and it will give you much more control over who can log in to your site. For example:

• You can choose to block a whole range of IPs.

• You can block specific browsers if your site doesn't work with them.

• Check the number of failed attempts from a given user, and block them.

• Block further requests from an IP address from which an attempt to log in with an invalid username has come.

• Want to host sensitive data about the recent US election, and worried about getting 'hacked by Russia'? You can block access from an entire country.

The latest versions will also completely block access to xmlrpc.php (this can be changed if you do use it).

What if you want to use xmlrpc.php?

You can restrict access to it by installing the Jetpack plugin (you’ll need a wordpress.com account to activate it). Once it’s activated and you log into WordPress, it’ll ask to ‘jump start your site’; you can simply click the skip link and the plugin will automatically start protecting you.

To customise access further, you can go to the Jetpack dashboard and click the gear icon. Here you can whitelist any IPs which you want to make sure always have access to the XML-RPC functionality.

Further steps

So, that covers people attempting to log in to your site, but we can go further…

  1. Is the WordPress installation fully up-to-date?
  2. Are the themes fully up-to-date?
  3. Are the plugins fully up-to-date?
  4. Do all your contact forms include some kind of CAPTCHA code protection?

If the answer to any of these is no, then there’s also a good chance that your site can be compromised. Once that’s happened, it’s very likely that your site will be trying to create lots of spam emails, or be performing DDoS or brute force attacks against other sites. Even if it’s not doing any of these things, it does mean that a hacker has access to your data or your customers’ details.

To state the obvious: this is not a good thing. These updates and patches are not there just to add new features and functionality to your site. They’re also to fix known security issues. Every update/patch you don’t install is a potential route in for hackers to take over your website.

And, for all you non-WordPress users, stop looking so smug! Other CMS systems are similarly vulnerable. So if you’re using Joomla, Drupal, Vbulletin, etc., this all applies to you as well.

We’ve recently started migrating all of our hosting services over to a new architecture, with a new control panel. Along with this, we’ve also started using a package called ISPProtect, which scans all of our customers’ files daily for viruses and malware. ISPProtect also goes one step further and lets us see which sites are using content management systems that have updates available, which WordPress sites have plugins with updates available, which plugins have known vulnerabilities etc.

We know these systems will let you know that updates are available when you log in, but we also know that many site owners don’t log in every day (in fact, many of you will only log in if you have a change to make). This could mean extended periods before finding out that updates are available, leaving your site vulnerable during this time. Since patches and updates seem to be coming out at an ever increasing rate, it’s tough to keep on top of.

That’s why to make life easier and simpler for our customers, we are launching maintenance packages for WordPress. You can find out more about them here. We may consider launching similar packages for Joomla or Magento if we find there is a demand for them.

In a follow-up blog, I intend to go into how better to monitor your website and make it easier to clean up if the worst happens and a hacker does get through all the layers of security.

* we have no affiliation with any of the 3rd party software providers mentioned in this blog, recommendations are made purely on our own experience as implementors or end-users of any such packages.

About Lee Musgrave

Lee manages all the servers and hardware at SCL i.e. the logistics. This involves making sure hosted sites remain active and stable and keeping the hardware operational.
