This year the web server infrastructure for the college has changed: the servers, the software, and the way they are connected to each other are all different from what they had been. The impetus for the change was an attack against our web server. Bad actors attempted to compromise WordPress by sending thousands of login requests in an effort to gain access to the administrative dashboard of our installation.
Since WordPress is one of the most popular content management systems, it is a big target for attack. One of the key features of WordPress is the ability to use plugins to extend the service and provide additional features or functionality. However, these plugins frequently have vulnerabilities of their own, which can open the system to attackers. If they successfully exploit a weakness in either WordPress or a plugin, the bad guys could gain access to the system, and once inside they could disrupt service for everyone.
The first approach to defending against the attack was to block the IP address of any computer attempting to log in to the WordPress admin console from outside of the UF network. That was the first mitigation we put in place after the initial attack against our servers, and it had been in place for some time. It worked well at first, but over time the volume of requests and the number of different attacking IP addresses grew enormously, and the mitigation was no longer effective. We wound up playing a sustained game of whack-a-mole: as soon as one IP was blocked, another attack would come from a different IP. The increase in the number of attempts we saw was over 5000%. That number is not a typo: 5000%!
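The following is an added example, not code from the college's infrastructure, showing why a per-IP block on wp-login.php stops a single noisy host but not a distributed attack. It parses constructed access-log lines (combined format, not real traffic), ignores login attempts from inside the campus network, counts the remaining attempts per source IP, and compares a per-IP block threshold with an aggregate threshold on the endpoint as a whole. The campus range (an RFC 5737 documentation prefix), the thresholds, and the sample addresses are all assumptions made for the example; the actual UF ranges are not given on the page.

```python
import ipaddress
import re
from collections import Counter

# Stand-in for the campus network (assumption: the real range is not on the page).
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Combined log format: client IP, ident, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): one campus login, one noisy external
# host with five attempts, four external hosts with one attempt each, and two
# requests that are not credential attempts at all.
SAMPLE_LOG = """\
192.0.2.5 - - [12/May/2022:10:00:00 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2022:10:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2022:10:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2022:10:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2022:10:00:04 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2022:10:00:05 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.1 - - [12/May/2022:10:00:06 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.2 - - [12/May/2022:10:00:07 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.3 - - [12/May/2022:10:00:08 -0400] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2022:10:00:09 -0400] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.77 - - [12/May/2022:10:00:10 -0400] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.78 - - [12/May/2022:10:00:11 -0400] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_login_attempt(rec):
    """A credential attempt is a POST to wp-login.php (a GET only renders the form)."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/wp-login.php"


def is_campus(ip_text, allowed):
    """True when the client address falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage in the IP field is never trusted as campus traffic
    return any(ip in net for net in allowed)


def analyze_log(log_text, allowed=ALLOWED_NETWORKS, per_ip_threshold=3, aggregate_threshold=6):
    """Count off-campus login attempts per IP, apply a per-IP block rule, and also
    check the aggregate count that a distributed attack drives up while each
    individual source stays under the per-IP threshold."""
    attempts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        if is_campus(rec["ip"], allowed):
            continue
        attempts[rec["ip"]] += 1

    blocked = {ip for ip, n in attempts.items() if n >= per_ip_threshold}
    total = sum(attempts.values())
    missed = sum(n for ip, n in attempts.items() if ip not in blocked)
    return {
        "outside_attempts": dict(attempts),
        "blocked_ips": blocked,              # what the per-IP rule catches
        "total_outside": total,
        "missed_by_per_ip_block": missed,    # attempts that slip under the per-IP rule
        "aggregate_alert": total >= aggregate_threshold,
    }


if __name__ == "__main__":
    for key, value in analyze_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the per-IP rule blocks only 203.0.113.10; the four single-attempt hosts contribute four attempts that the rule never sees, while the aggregate count of nine trips the endpoint-level alert. That is the gap the whack-a-mole phase exposed: once the attacker spreads the same volume across many addresses, blocking by source address alone no longer keeps up.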
In the next step, we isolated the sites that were being targeted by moving them to their own server, which protected the rest of the group: sites that were not currently under attack continued to function normally. We also began spreading requests across several different servers so that no single server would become overloaded.
The final step was to refine the overall system design and to update our servers to a more recent version of WordPress, version 6. This was a big undertaking due to the number of sites CLAS hosts and the potential for disrupting web service for our constituent sites and other stakeholders. We began moving sites from the old infrastructure to the new infrastructure at the end of the Spring 2022 semester and finished just before the start of the Fall 2022 semester. The migration made for a busy summer, but the effort was worth it! We now have a system that is more resilient and robust, better able to withstand attacks, and more responsive to the people browsing and maintaining the sites we host.