A few days ago, a glut of HTTP requests started showing up on the server, followed by failed login attempts. Naively, I didn't pay attention to it. This morning I woke up with all the server pages down and with the correct access to my WordPress account. I do not know what to do. Could you help me please?
Details: the server is Hostinger and the antivirus is Wordfence.
CodePudding user response:
If I understand correctly, a brute-force attack succeeded, they logged into your WordPress account, and your pages are deleted or somehow down.
If that's the case, there's not much you can do now, but:
- Do you have a backup to restore from? If not, plan regular backups for the future.
- Check the firewall logs for IPs that made a higher than normal number of requests. Once identified, add them to a blocklist in the firewall.
- Add 2FA to your accounts.
- Add rate limiting to your login attempts (3 per minute should be enough, followed by a 5-minute login ban).
- Block attacker user agents that seem to DDOS your infrastructure.
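As an added example (not code from the answer above or from any product it mentions): a small Python replay of the answer's rate-limit rule, 3 login attempts per minute followed by a 5-minute ban, over constructed Apache/LiteSpeed-style access log lines; it also lists the IPs with a higher-than-normal request count, as in the firewall-log step. The log format, the IP addresses and the request threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/LiteSpeed access-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # the usual brute-force targets (assumption)
def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path").split("?")[0], "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def replay_policy(lines, limit=3, window=timedelta(minutes=1), ban=timedelta(minutes=5)):
    """Replay the rule in log order: more than `limit` login POSTs from one IP inside
    `window` starts a `ban`. Returns ({ip: [ban start times]}, {ip: request count})."""
    recent = defaultdict(list)       # ip -> login POST timestamps inside the window
    banned_until, bans, totals = {}, defaultdict(list), defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        totals[ip] += 1
        if ts < banned_until.get(ip, ts):
            continue                 # the firewall would drop this during the ban
        if ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) > limit:
            banned_until[ip] = ts + ban
            bans[ip].append(ts)
            recent[ip] = []
    return dict(bans), dict(totals)

def noisy_ips(totals, threshold):   # IPs above a request count, busiest first
    return sorted((ip for ip, n in totals.items() if n > threshold), key=lambda ip: -totals[ip])
# Constructed sample log: 203.0.113.5 hammers wp-login.php, 198.51.100.7 is a normal visitor.
SAMPLE = [
    '203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200',
    '198.51.100.7 - - [10/Mar/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 15000',
    '203.0.113.5 - - [10/Mar/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3200',
    '203.0.113.5 - - [10/Mar/2023:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200',
    '203.0.113.5 - - [10/Mar/2023:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3200',
    '203.0.113.5 - - [10/Mar/2023:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3200',
    '198.51.100.7 - - [10/Mar/2023:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Run `replay_policy(SAMPLE)` to see the fourth attempt from 203.0.113.5 trigger the ban while the later attempt during the ban is dropped; `noisy_ips` on the returned totals then names the same address.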
CodePudding user response:
Dealing with an ongoing DDOS attack is more specific to security.stackexchange.com and usually not CMS-specific, so if the attack is still happening I recommend you check there for help first. This answer assumes the attack has ended but you still can't access your site, and attempts to deal with regaining access and then preventing future attacks.
Regaining access
Since you mentioned WordFence I'll start with pointing out that they offer a site cleaning service (paid, showing a $490 quote at last check) that comes with a 1-year subscription to their Premium service. If you want to throw money at the problem to make it go away, that can be a good option. The hosting provider you mentioned (Hostinger) also shows all their plans providing a "managed WordPress" service, so you should contact their support team to see what they can do to help you as well. These two options are likely the fastest solutions, at opposite ends of the cost spectrum.
Regarding recovering the site yourself, and preventing future attacks, there are a few things to check. In order:
Before anything else, grab your backups
- If you have existing database and filesystem backups, make sure you know where those are, and pull copies of them onto a system you trust hasn't been compromised. If everything else fails these will help recover your site.
- If you don't have existing backups, see if you can back up the current state of your site. Backups of a compromised site should be treated with caution, but can still be useful to recover lost data if the site has to be wiped clean and rebuilt. If you can't log in to the WordPress admin console, this will probably mean logging into your web hosting console (see below) and grabbing a zip archive of the folders that contain your site, as well as using phpMyAdmin or another interface for your database to get a full database backup. How you take a backup of your database will depend on what's available to you, but the WordPress documentation has good walkthroughs for a few common options.
Can you log in to your hosting platform?
- If the answer is "no", then you've got a bigger problem and should immediately contact your hosting provider for support. The problem you described above doesn't sound like it'll go this way but double check to be sure.
- If you can, and if you have file system access (via cPanel, SSH, or another option), check that your WordPress files are still where you expect them to be. If they've been deleted or replaced, that's a solid sign that your system has been compromised and needs to be properly cleaned. That's beyond the scope of this question, but if you have recent full backups of everything you may want to skip right to a full reset of your hosting environment, including removing all users and API-based access and rebuilding from scratch. Contact your hosting provider for help with this.
Is your site responding to requests at all?
- Try visiting your site's URL, and try pinging that URL. If you have a dedicated server try pinging that server's IP address as well. If you get a response to the ping, but not to any attempt to connect with a web browser, then it's possible the webserver daemon (the program that actually handles requests to your website, usually httpd, Nginx, or LiteSpeed for WordPress sites) has crashed and failed to start again. If you have control over the server (virtual machine or physical hardware) you could try restarting it and checking again, but most hosting providers like Hostinger don't give you that level of control.
- If you see responses at your site's URL, but it's not your site, check the DNS to make sure it's still pointed at your server. If it is, your server is compromised. If it's not, your DNS records and management account have been compromised. In either case, you're in a bad way and REALLY need to talk to your hosting provider about getting access restored. While you're at it, reset your passwords, all of them, and make sure you're using a password manager and not reusing passwords.
- Do you see an error message or a white screen? An error message will give you a hint about what's wrong -- 404 means the webserver is up and running but the page couldn't be found, and the contents of a 404 page will tell you what IS running and responding (whether it's a WordPress 404, or Apache or Nginx saying it can't find your WordPress files, or something else). A blank white screen usually means something in your WordPress site caused an unrecoverable error and you'll need to enable debug mode and check the debug log for more details.
- If you're not getting an error from the webserver or a blank white screen (most likely your browser will say "can't contact server" or something similar) then your webserver isn't responding and you may need to restart it or check that its configuration is valid. That's a bit more in depth than this answer will go and varies based on which webserver you have and how much access you have. Check with your hosting provider whether they can help you if this is the case.
Do you have a WordFence Central account?
- If you set up a WordFence Central account before this happened, and you have it connected to your site, log in to the dashboard there and see what it tells you (if you didn't have it set up before, skip this step, it won't help you today but might in the future). This might give you more info about the status of your site and what happened, or it might just tell you something like "cannot connect to site". Either way it could be helpful to know more about what WF Central is seeing.
Does your site have an .htaccess file or other permission setting mechanism that you can access?
- If you can't get to your site, it's possible something has changed in one of these to prevent access. Permission controls are also very useful for prevention but more on that later. Check that the permission controls in your hosting environment haven't been changed. If they have, and you didn't make the change, you're compromised, so go talk to your hosting provider about getting help. You can try removing the .htaccess file (make sure you keep a copy, in case that's not it) to see if you regain access to your site. Put it back where it was if that doesn't fix it -- it was there for a reason.
Those are all the hypothetical causes that come to mind, but if you can answer some of those questions in edits to your question or in comments I can try to elaborate further. Now, on to prevention.
DDOS Prevention
DDOS attacks rely on overwhelming a server through a couple of means. We'll focus on three attack types here: botnet swarms (a true DDOS), vulnerable server software (technically this may be a DOS, not a DDOS), and automated exploit kits (they may take your site down accidentally, or as a result of successfully breaking in). You should protect against all of these, regardless of what actually caused your problem, because you'll eventually face all of them anyway.
If you're targeted by a botnet, you're going to see a huge spike in traffic that's not actually legitimate. The best ways to handle this are to block it on the network before it gets to your server, or to have the webserver block it before it gets to WordPress. The less malicious traffic that reaches your server and your WordPress install, the better. WordFence won't do either of these, but if you have a CDN like CloudFlare in place, you may already have network-level blocking -- look for something in the dashboard that mentions firewall or (D)DOS prevention. If not, you may need to set up a Web Application Firewall (WAF) on your server, or as the entry point in the network that then routes to your server. Do your research on good WAF options -- there are likely lots of good answers here that explain what to look for regardless of what type of web application you have. Worth mentioning here that some of these tools (including CloudFlare) have an "under attack mode" where you can make the security rules more strict if you're experiencing frequent attacks. It may mean some legitimate traffic gets blocked or throttled but that could be the difference between a slightly degraded user experience and a site that goes down.
WAF and CDN protections will help reduce malicious traffic, but you also want to block known bad actors and known/suspected bad activity. WordFence has good settings for this, as do other security plugins, but you should make sure they're enabled. Check that repeated failed logins are blocked (keep the number low -- 2-5 failed logins for instance) and make sure that any other security settings are enabled unless you have a good explanation for why you want to disable them. Consider requiring 2FA for administrators as an added precaution.
WordFence will help prevent attacks from known malicious IPs, and will complain if you have out-of-date plugins and themes, but that won't help if you don't update those plugins and themes. Exploit kits are (often free) software packages that are used both for security testing and for malicious attacks against websites, and every time a WordPress plugin has a new vulnerability discovered, it's not long before those vulnerabilities get added to a number of exploit kits. If possible, set all your plugins and themes to auto-update (same for WordPress core), and check periodically that it's all up to date. If you can't enable auto-update, make sure you are updating at least weekly, and consider subscribing to some WP security blogs (the WordFence newsletter is a good option here) so you get at least some notification when there's a major vulnerability that needs an emergency update before your weekly updates.
That covers a lot of ground, and there are probably some details missed. If you share more info about specific issues you're seeing I can update this answer accordingly.
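An added example, not from the answer above, from WordFence or from Hostinger: a Python manifest comparison for the "are your WordPress files still where you expect them" check in the regaining-access section. It hashes a trusted backup and the live site, reports deleted, replaced and new files, and sets aside routine churn under uploads and cache so the remaining list is what a person needs to review. The file paths, the placeholder hashes and the churn directories are constructed assumptions.

```python
import hashlib
from pathlib import Path

def build_manifest(root):
    """sha256 of every regular file under `root`, keyed by POSIX path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(trusted, current):
    """Compare a manifest taken from a trusted backup with one taken from the live site."""
    return {
        "missing": sorted(p for p in trusted if p not in current),                           # deleted
        "changed": sorted(p for p in trusted if p in current and trusted[p] != current[p]),  # replaced
        "added":   sorted(p for p in current if p not in trusted),                           # new
    }

# Directories WordPress writes to in normal operation (assumption: tune to your site); changes
# there are usually routine, except that PHP code has no business living under uploads or cache.
CHURN_DIRS = ("wp-content/uploads/", "wp-content/cache/")

def routine(path):
    return path.startswith(CHURN_DIRS) and not path.lower().endswith(".php")

def triage(diff):
    """Drop routine churn so what remains is the list a human must look at."""
    return {kind: [p for p in paths if not routine(p)] for kind, paths in diff.items()}

# Constructed manifests with placeholder hashes (not real WordPress file hashes).
TRUSTED = {
    "index.php": "a1", "wp-login.php": "b2", "wp-config.php": "c3",
    "wp-content/plugins/akismet/akismet.php": "d4",
    "wp-content/uploads/2023/03/logo.png": "e5",
}
LIVE = {
    "index.php": "a1", "wp-login.php": "ff",            # wp-login.php replaced
    "wp-config.php": "c3",                               # akismet.php is gone
    "wp-content/uploads/2023/03/logo.png": "e5",
    "wp-content/uploads/2023/03/photo.jpg": "f6",        # routine media upload
    "wp-content/uploads/2023/03/x.php": "99",            # PHP under uploads: review it
}

if __name__ == "__main__":
    for kind, paths in triage(diff_manifest(TRUSTED, LIVE)).items():
        print(kind, paths)
```

On a real host, run `build_manifest` once against the extracted backup and once against the live document root, then feed both results to `diff_manifest` and `triage`.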