May 3rd, 2013
In the last two weeks I have been working on perfecting a patch for the wp-login.php page that will prevent a swarm of brute-force attacks from guessing your password or bringing down your server. When I first released this patch it was a bit overzealous and caused a few people to be temporarily locked out of their own blogs as their login attempts were incorrectly identified as brute-force attacks.
This patch of mine has also caused a small wave of paranoia because it displays the unconventional (and possibly spooky) message “Just what do you think you are doing, Dave?” whenever brute-force or too many failed logins are detected. This message is a quote from the movie 2001: A Space Odyssey. Even though I intended this message to bring out the humor of the situation, I also feel it is very relevant (unless your name is not Dave
The linked response “Open the Pod bay doors, HAL!” is also a quote from the same movie, and it’s just there to link you back to the login page should you want to try to log in again.
I have also received many inquiries as to why the wp-login.php file is flagged as a WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and its login page is exploitable. It has been clearly demonstrated through the widespread attacks on login pages around the world as of late that it is not only vulnerable to password cracking via brute-force but also that it can be overloaded to the point of bringing down a whole server if the attacks are too numerous. That is why my patch also prevents the loading of the WordPress bootstrap if a brute-force attack is detected, so that your server’s resources are not tied up just telling hackers whether they guessed the right password or not.
I hope this helps answer your questions about this new threat and my approach to solving it. Feel free to leave a comment if I could do better explaining anything.
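To make the two ideas in this post concrete (counting failed logins per client and refusing further attempts before the WordPress bootstrap is loaded), here is an added example. It is not the plugin’s patch and not WordPress code; the thresholds, the state-file path, and every function name prefixed `example_` are assumptions chosen for illustration. The only WordPress-specific name it relies on is the `wp_login_failed` action, which WordPress fires after an authentication attempt fails.

```php
<?php
// Added example (not the plugin's own code): a minimal failed-login throttle
// that runs before wp-login.php includes wp-load.php. Limits, file path and
// function names are illustrative assumptions.

// Failed attempts tolerated from one address inside the window.
const EXAMPLE_MAX_FAILS = 5;
// Window length in seconds.
const EXAMPLE_WINDOW = 600;
// Per-address counters (assumed writable; keep it outside the web root).
const EXAMPLE_STATE_FILE = '/tmp/example-login-fails.json';

function example_load_state(): array {
    $raw = @file_get_contents(EXAMPLE_STATE_FILE);
    $state = ($raw === false) ? null : json_decode($raw, true);
    return is_array($state) ? $state : array();
}

function example_save_state(array $state): void {
    file_put_contents(EXAMPLE_STATE_FILE, json_encode($state), LOCK_EX);
}

// Timestamps for $ip that still fall inside the window; older ones are dropped.
function example_recent_fails(array $state, string $ip, int $now): array {
    $times = isset($state[$ip]) ? $state[$ip] : array();
    return array_values(array_filter($times, function ($t) use ($now) {
        return $t > $now - EXAMPLE_WINDOW;
    }));
}

// True once $ip has used up its attempts for the current window.
function example_is_blocked(array $state, string $ip, int $now): bool {
    return count(example_recent_fails($state, $ip, $now)) >= EXAMPLE_MAX_FAILS;
}

// Record one more failure for $ip and return the updated state.
function example_record_fail(array $state, string $ip, int $now): array {
    $times = example_recent_fails($state, $ip, $now);
    $times[] = $now;
    $state[$ip] = $times;
    return $state;
}

// Place this call at the very top of wp-login.php, before
//     require( dirname(__FILE__) . '/wp-load.php' );
// so a blocked client never costs the server a full WordPress bootstrap.
function example_guard_login(): void {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $now = time();
    if (example_is_blocked(example_load_state(), $ip, $now)) {
        http_response_code(403);
        header('Retry-After: ' . EXAMPLE_WINDOW);
        echo 'Just what do you think you are doing, Dave?';
        exit;
    }
}

// Runs on the wp_login_failed action, i.e. after WordPress has loaded and
// rejected a username/password pair, so every real failure is counted.
function example_on_failed_login(string $username): void {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    example_save_state(example_record_fail(example_load_state(), $ip, time()));
}

example_guard_login();
// Once wp-load.php has run (for instance from a small plugin):
// add_action('wp_login_failed', 'example_on_failed_login');
```

Two caveats a practitioner would check before using something like this: `REMOTE_ADDR` is only meaningful if the server is not behind a reverse proxy (otherwise every visitor shares the proxy’s address and one attacker locks everyone out, the very problem described above), and on a shared host the state file should live inside the account’s own directory rather than a world-shared `/tmp`.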
Aloha,
Apr 17th, 2013
Last week a large scale, brute-force attack started targeting the default WordPress login pages of sites around the world. A brute-force attack is when an automated program or script, sometimes called a bot, tries to guess your password by repeatedly attempting to log in with different passwords until it finds the right one.
This attack was affecting the performance and response time of many servers, causing them to slow down, sometimes to the point where they could not serve any pages at all. I helped someone with such an attack and found that the best way to stop it was to simply rename the wp-login.php page and replace it with a blank/empty page that the bots could hit all day without affecting your server’s performance. You would also need to change all the code in the wp-login.php file that refers to the old filename so that it refers to the new filename. This can be a bit tricky, so I have created a little script for your server that makes this change for you.
#!/bin/bash
# Find every WordPress login page under /home (one per hosting account)
logins=`find /home/ -type f -name wp-login.php`
for login in $logins; do
  # Skip installs that have already been patched
  if [ ! -f "$login.new.php" ]; then
    # Copy the login page under its new name, rewriting every reference to itself
    sed "s/wp-login\.php/wp-login.php.new.php/g" "$login" > "$login.new.php"
    # Strip the leading "/home/" so the path begins with the account's user name
    user=${login:6}
    # Length of the user name: position of the first "/" minus one
    ulen=$((`expr index "$user" /` - 1))
    chown ${user:0:$ulen}:${user:0:$ulen} "$login.new.php"
    # Replace the original login page with an empty PHP file for the bots to hit
    echo "<?php //login moved to $login.new.php" > "$login"
    echo moved $login to $login.new.php
  fi
done
The best way to implement this code is to put it into a script file in your home directory and add that script file to your crontab to be run every hour; that way it will also patch any new WordPress installations you add. After the script executes you will no longer get a login page at wp-login.php; you will have to go to wp-login.php.new.php in your browser to log in.
Hope this is helpful to people still getting hit by brute force attacks. Let me know how it works for you if you try it.
Aloha,
Mar 26th, 2013
Today is the official one-year anniversary of the first release of this plugin on the WordPress Plugin Repository. I feel really positive about how far this plugin has come in the last year. I am also very proud of how many people my plugin has helped. I’ve got a lot of plans for improving this plugin, so I want to thank those who have made a donation and ask all those who have not yet donated to contribute now. Donations to this project support me making time to work on it and make it better. So don’t just use it, support it!
Aloha,
Feb 28th, 2013
Everyone who has had their site hacked wants to know how it happened. Unfortunately there are a lot of ways to get hacked and no single method for stopping it. I created this plugin because of a vulnerability in timthumb.php that got widely exploited about a year ago. This very useful timthumb script had a weakness in the way it was written that allowed hackers to place any script on your site, thereby enabling them to gain access to your files and spread their infection. A newer and stronger timthumb.php was released to stop this abuse, and it is fairly simple to update this file to keep your site from being exploited in this way. One of the things my plugin will do is find old timthumbs and update them.
But, of course, there are other ways for your server to get infected. Many people don’t realise that having their site on a hosting account with other sites means sharing the vulnerabilities of all the other sites. Having your site on an isolated account, all by itself, can be a great improvement to your security. You will also need to make sure that your site is up-to-date and has no vulnerabilities of its own. Make sure the plugins and themes you have installed are secure and well trusted.
A lot of people think that they need to change their FTP passwords. This is not a bad idea, but it’s extremely unlikely that a hacker is using your FTP account. Once a hacker has exploited a security hole in your website, hosting account, or server they will plant a script on your site to gain full access to your files. Then they don’t even need your FTP to inject more malicious code and spread their infection further.
Unfortunately it may be very time consuming and costly to figure out exactly how you got hacked, but stay vigilant and take any security measures you can to avoid being an easy target. With every step you take to secure your site you become harder to hack and less of a target.
Aloha,
Jan 3rd, 2013
Happy new year! I get questions about still being blacklisted after removing malware infections all the time so I figured I would share this to help people regain their reputation on the web.
If Google crawls your site and finds malicious code they will blacklist the site. Then Google will display a warning to users when they attempt to visit your pages from Google search results. Hopefully you are able to remove the malicious code (maybe by using this WordPress Plugin) but then you will also need to get Google to take down that warning and get you back on the search results.
You can check the status of any site on Google’s Safe Browsing Diagnostic page:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://gotmls.net
(replace “gotmls.net” with your domain name at the end of that link)
If you see the following message at the top then this site has been blacklisted:
Site is listed as suspicious – visiting this web site may harm your computer.
You can wait for Google to crawl your site again and this warning may eventually go away, or… you can login to Google Webmaster Tools and “Request a review” on the “Malware” page under the “Health” section.
It usually doesn’t take more than a few hours, and you can come back to that page to check on the status. Hope this helps you all to a speedy recovery.
Aloha,
Nov 22nd, 2012
This plugin was just reviewed by reviewboard.com and given 5 Stars and their Best Buy Award for 2012. This is a great honor and I really appreciate them spreading the word about my plugin. They also wrote a nice review on WordPress.org, which you can do too if you would like to help.
Donations also help as I am constantly working hard to push out updates with improvements and new features. The more donations I get, the more time I can spend on it.
A big “Mahalo!” (thanks) to those that have already donated.
Aloha,
I released the new scan engine in version 1.2.10.05 today. This is the scan process that I’ve had available as a BETA for a couple of months, but it was not ready for release until now. It takes longer because it breaks the scan into smaller processes that complete independently of the scan initiation process. This has a better success rate (especially on servers with lots of files or minimal memory) and allows for better error handling.
So there are now two types of scans:
The Automatic Fix process and File Viewer have been improved too. It loads more nicely now and you can move this new pop-up window around on the page.
Please give me feedback on these new features and scan options.
Aloha,
Sep 21st, 2012
I just released an update that makes the file view easier to use and the Fix Threats process much faster. I also added back the feature to revert your changes if the Automatic Fix ended up breaking your site. There were also a few other minor bug fixes and error handling improvements.
Stay tuned for more improvements and new features coming soon.
Aloha,
I just released a new update that supports encoded definition updates. This solves the issue of posting over-sized arrays to servers with POST size limitations. I also added a button to abort the scan and fix the infections already found. That way you can fix the threats that are found even if the scan process is not finished.
I am still working on a new scan engine that leverages JavaScript includes to distribute the scan job over multiple server processes. This is working well in the BETA version 1.2.07.30 but it does take a really long time on large scans.
I could also use some more donations… In the 5 months that this plugin has been in the WordPress Repository it has been downloaded over 12,000 times. I’ve had over 4,000 people register more than 5,000 sites on GOTMLS.NET, and yet I’ve only received 141 donations (many of them are only one dollar, of which PayPal takes 34 cents in fees). Now, I’m not complaining. I am very grateful to those who have already made generous donations to support this project. I am just hoping to see a higher percentage of people who use my plugin contributing to its future. This is an ever-changing field and it is a lot of work to keep this program up-to-date and capable of removing the newest variants of infectious scripts.
As always, thanks for reading and thanks for your support, and don’t hesitate to contact me if you need help.
Aloha,
I have written a new scan engine to address the problem of hanging on large scans. This new process leverages dynamic JavaScript includes to break the scan job into smaller pieces that your server can handle more easily. For most people with the hanging scan problem this new version works great, but I have seen one site with over 100,000 files where the heavy JavaScript caused the client’s browser to crash. So, this update is not for everyone. This plugin now has over 10,000 downloads and I don’t want to release a questionable update on so many people. I will continue to work on it for a future release, but it will only be available upon request until I have it working better. If your scans are hanging up before reaching 100%, then contact me and I’ll get you the BETA.
Keeping this plugin cutting-edge with new features and up-to-date with the latest definitions for removing new threats is a lot of work. Please make a donation to support my continued development and enhancement of this plugin.
Mahalo,