New cyber attack against WordPress, Joomla, Drupal, and other web applications

Date: April 14th, 2013

There is a new global brute-force attack on against ALL – WordPress, Joomla, and Drupal sites across the entire web hosting industry. All major, small, large, medium, hosting companies, and their clients are being impacted. This is by far one of the LARGEST and very effective Cyber Attacks in recent days.

The attack is distributed, and we have seen so far over 250,000 (and counting) IPs used to attack WordPress, Joomla, Drupal, and other web applications. The attack is targeting mostly the administration area of all popular free applications.

We urgently advise you that you change all of your Administrative access for any hosted WordPress / Joomla / Drupal applications you may have. We have a separate article that focuses on selecting a strong password which you can review here:

Generally speaking a secure password consist of: upper AND lowercase letters, at least eight characters long, and including special characters such as (^%$#&@*).

If you do NOT change your password – the chance of your account getting compromised is very high!

If you are a Reseller, have a VPS or Cloud server with us and hosting other clients – we advise you that you immediately notify your clients regarding this attack and advise them to secure their passwords.

In addition to change your password we advise that you read the following articles:

1) Brute force attacks – security essentials:

2) WordPress – security tips:

3) Joomla – security tips:

We suspect that this attack has been developing for some time and have peaked just this past week. The obvious symptoms of this attack are a very slow administration panel on your WordPress, Joomla, Drupal site or an inability to log in at all.  In some instances your site could even intermittently go down for short periods of time. If you are using a VPS or Dedicated server – you may see high load averages and delays in accessing your server.

We have already taken several measures to mitigate this attack throughout our data center,  but with the scale of this attack we urgently require all of our clients to take the necessary steps – since the distributed nature of the attack makes it hard to isolate/prevent from moving forward. If the attack continues to grow, and mature we maybe forced to take additional actions such as temporary limiting access to WP/Joomla/Drupal administration pages.

For any VPS or Dedicated server clients hosting WP/Joomla/Drupal sites and experiencing high load or slow server connection we can provide you with further assistance by implementing additional global restriction rules on your server. This may not be ideal solution however if you are under an attack that will be a required measure. Please contact us via normal support channels for further assistance.

We will be updating this blog post with any additional information, and TIPS as we monitor the progression of the attack and develop new mitigation solutions.

We want to emphasize that this is a global attack and all web hosts are currently being impacted. There is currently no immediate or easy fix against this attack.  Rest assured we are working around the clock to make sure that we are on top of any new developments.

UPDATE1: We have included a new blog post showing how to protect your “wp-login” page in cPanel via .htaccess file:

UPDATE2: You can check our blog post on how to protect your “wp-login” page in WebsitePanel

UPDATE3: For our customer with Linux VPS and Plesk as control panel, we have created a blog post on how to protect your “wp-login” page


MH Support Team.


One Response to “New cyber attack against WordPress, Joomla, Drupal, and other web applications”

  1. Mochahost Says:

    UPDATE1: We have included a new blog post showing how to protect your “wp-login” page in cPanel via .htaccess file:

    We highly recommend that anyone that has an account with cPanel follow these steps. We are working on creating similar tutorial for Plesk users and WebSitePanel users.

Leave a Reply

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.