Let’s plug up #1 way that viruses spread: wp-login.php

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Support Volunteer

    What can we learn from this? My insight is that wp-login.php allows malicious visitors to probe for weak passwords and unprotected pages.

    Bots hammer WP sites all the time. That’s why it’s important to have a strong password and use a plugin like WordFence to block known bots and those trying to brute force your system.

    Renaming wp-login.php is great until you forget how it was renamed and can’t login to your site. But there are plugins that will do that for you.

    That is fine, but it doesn’t go very far as the evidence shows.

    I’ve written a program called wp-login.php to put on my websites (none of which run WordPress). This program keeps a record of each caller and replies with a threatening message. I hope it does something about all these malicious users who exploit the poor passwords and other security holes in WordPress.

    So far, I’ve learned that most of these probers are single-use IP addresses. I have learned that some unscrupulous hosting companies have paid arrangements with regional Internet registry organizations like ARIN and RIPE to obtain as many IP addresses as they like.

    While it may seem like the malicious probers are anonymous and cannot be touched, their very connections with these standard IP providers are their weak point. Programs like my wp-login.php could become honeypots to provide antivirus services with lists of malicious IP addresses which could then be traced back and put out of business quickly through their ISP, hosting, or domain name registry dependencies.

    Also, perhaps someday WordPress itself might become more responsible in reducing the amount of malware that is distributed through it. There is a lot that WordPress itself could do to put the malware purveyors out of business, or just to block them from posting viruses. All it takes is the will to accomplish greatness.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Support Volunteer

    replies with a threatening message

    If someone were reading them, you’d give them a nice laugh.

    Programs like my wp-login.php could become honeypots

    Sucuri, WordFence, iThemes, Jetpack (Automattic), and many other companies are running honeypots and collecting data from hundreds of thousands of real WP sites and using that data to secure WP sites that use their plugins and services.

    All it takes is the will to accomplish greatness.

    You’ve made my day. 🙂

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Many plugins exist for this purpose which do it in a better way than making things more difficult for the user.

    Try the “Protect” module in Jetpack. It sends all login attempts to the WordPress.com systems, where they use that data to detect large botnets and block them. Data from all sites using it is used to analyse and detect these systems, rather than data from just your site.
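    As an added example that is not part of this thread or any of the plugins named in it: the detection Steven describes (blocking IPs that brute-force wp-login.php) and the limitation the original poster ran into (most probers use a single IP once, so per-site rate limiting never sees them, which is why Otto points to Jetpack's cross-site aggregation) can both be shown on web server access logs. The log lines below are constructed, the threshold and window are assumptions, and only POST requests count as credential submissions; a GET merely loads the form.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not real traffic): one IP submits five
# logins in 23 seconds, two IPs submit one login each, one line only loads the form.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jan/2018:20:40:01 -0500] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jan/2018:20:40:06 -0500] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jan/2018:20:40:11 -0500] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jan/2018:20:40:17 -0500] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jan/2018:20:40:24 -0500] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
198.51.100.1 - - [03/Jan/2018:20:41:02 -0500] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "curl/7.58"
198.51.100.2 - - [03/Jan/2018:20:41:09 -0500] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "curl/7.58"
192.0.2.5 - - [03/Jan/2018:20:41:20 -0500] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_attempts(lines):
    # (ip, timestamp) for every credential submission, i.e. POST to wp-login.php.
    # A GET only fetches the form, so file-existence scanners are not counted.
    attempts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        attempts.append((m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")))
    return attempts

def flag_brute_force(attempts, threshold=5, window=timedelta(minutes=1)):
    # IPs with `threshold` submissions inside any span no longer than `window`
    # (threshold and window are assumed values, tune them per site).
    by_ip = defaultdict(list)
    for ip, ts in attempts:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(ip)
                break
    return flagged

def single_use_ips(attempts):
    # IPs that submitted exactly once: a per-IP rate limit never triggers on these,
    # which is why pooling attempts across many sites catches more than one site can.
    counts = defaultdict(int)
    for ip, _ in attempts:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n == 1}
```

    Run over a real access log, `flag_brute_force` gives candidates for a block list and `single_use_ips` shows how much of the noise a single site cannot attribute on its own.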

    Disclaimer: I use WordPress on a daily basis, in addition to other web applications, such as MediaWiki and DokuWiki. I also create websites by hand using PHP, HTML, and CSS. I am also deeply concerned about web security.

    Also, perhaps someday WordPress itself might become more responsible in reducing the amount of malware that is distributed through it.

    This, however, would mean abandoning the open source model.

    There is a lot that WordPress itself could do to put the malware purveyors out of business, or just to block them from posting viruses.

    I’m not really sure how this is WordPress’s responsibility, or even within its capabilities. If someone malicious finds an open backdoor on your non-WP site, and uses that to attack my sites, do I blame the malicious someone or do I blame you for having an open backdoor? If you install a script on your website that doesn’t get updated for years, and someone uses it to attack my site, do I blame the person who wrote the script, or do I blame you for having it on your site? If I publish a book, and somebody violates my copyright by making a photocopy of it, do I blame the person who made the photocopy or the company that made the photocopier?

    What can we learn from this? My insight is that wp-login.php allows malicious visitors to probe for weak passwords and unprotected pages.

    I entirely disagree. WordPress actually encourages users to use strong passwords. WordPress is highly concerned about security. There is an entire page about how to make WordPress more secure. The idea that WordPress “allows” behaviour of this sort is not supported by the facts.

    I’ve written a program called wp-login.php to put on my websites (none of which run WordPress). This program keeps a record of each caller and replies with a threatening message.

    I thought this was actually hilarious, until I actually visited this page and got these results:

    *** Notice: [IP redacted] has been detected and logged as a malicious user. ***
    Further probing by you runs the risk of stepped legal actions against you, your IP Provider, and your Domain Registrar.

    This is notice #1 for [IP redacted], recorded at 1/3/18 8:40PM EST.

    So you put a page up on your website, accuse people who visit that page of “probing” and threaten them with stepped [up] legal actions? Again, this is not how the internet or the world wide web works. (And I doubt you would get far with attempted legal action against my I[S]P provider or my domain registrar, who, I am sure, has nothing to do with my visiting your website.) I really think you need to reconsider your idea about how web security functions.

    I think part of this problem is in your assumption that anyone looking for wp-login.php is automatically a malicious user. There are plenty of websites that have very legitimate reasons for looking for that file. (Sucuri is one of them.) I understand that this “probing” costs you some bandwidth, but if you are going to host a website these days, that is simply part of the CODB.

    Let’s all do what we can to prevent the spread of viruses, worms, and data hostage threats.

    Hear, hear!

    I would go so far as to suggest that your website would actually be more secure if it were hosted on WordPress, which has an active community of developers and supporters behind it. If you code your site yourself, or use something like DreamWeaver, you don’t have the option of a wide community of supportive, knowledgeable people willing to help you out with security and other issues. What you view as a weakness, I definitely view as a strength. Indeed, I’ve been able to take what I’ve learned from working with WordPress and the WordPress community and apply it to other applications, including websites I code by hand.

    I urge you to join us. We’re not the dark side, but we do have cookies!

  • The topic ‘Let’s plug up #1 way that viruses spread: wp-login.php’ is closed to new replies.