Global brute force attack on WordPress sites


This topic contains 8 replies, has 3 voices, and was last updated by  Tom 5 years ago.

    #4190

    silas88
    Participant

    FYI There is a large brute force attack ongoing, my own hosting provider is locking out wp admin access while they sort things out. For examples see here, http://www.inmotionhosting.com/support/news/general/wp-login-brute-force-attack and here http://www.mnxsolutions.com/apache/blocking-wordpress-brute-force-attacks-against-wp-login-php.html

    #4192

    AITpro Admin
    Keymaster

    Hmm that would explain the extremely high number of PHP Errors that I have been seeing/logging on the AITpro.com sites. A lot of these PHP errors are being caused by Database connectivity issues, i.e. the WordPress/Server DB connection is temporarily overloaded with requests, etc.

    HostGator
    http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/

    “…we have seen over 90,000 IP addresses involved in this attack.”

    “…The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.”

    “…Again, this is a global issue affecting all web hosts. Any further information we could provide at this moment would be purely speculation. Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.”
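
A triage sketch for the pattern the HostGator notice describes, added here as an example and not part of the thread: it counts login POSTs to wp-login.php in an Apache access log and shows how much of the traffic a per-IP limit would miss when attempts are spread over many addresses. It assumes the combined log format and WordPress's default behaviour of answering a failed login with 200 and a successful one with a 302 redirect (a heuristic); the log lines, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log line: client IP, request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def summarize(lines, per_ip_threshold=3):
    """Summarize POSTs to /wp-login.php; 200 = failed login, 302 = success."""
    failed = Counter()
    success_after_failures = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        if m["status"] == "200":
            failed[ip] += 1
        elif m["status"] == "302" and failed[ip]:
            # A redirect after failures: a legitimate typo or a guessed password.
            success_after_failures.add(ip)
    noisy = {ip: n for ip, n in failed.items() if n >= per_ip_threshold}
    total = sum(failed.values())
    return {
        "failed_posts": total,
        "distinct_ips": len(failed),
        "over_threshold": sorted(noisy),
        # Failures from IPs that never reach the per-IP limit.
        "missed_by_per_ip_limit": total - sum(noisy.values()),
        "success_after_failures": sorted(success_after_failures),
    }

def _line(ip, method, path, status):
    return (f'{ip} - - [12/Apr/2013:07:35:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3120 "-" "-"')

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE = (
    [_line("198.51.100.7", "POST", "/wp-login.php", 200)] * 4
    + [_line(f"203.0.113.{i}", "POST", "/wp-login.php", 200) for i in range(1, 6)]
    + [_line("192.0.2.10", "GET", "/wp-login.php", 200),
       _line("192.0.2.10", "POST", "/wp-login.php", 200),
       _line("192.0.2.10", "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the sample, six of the ten failed attempts come from addresses that stay under the per-IP threshold, which is why lockouts keyed on the account or on the login URL matter in a distributed attack.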

    #4210

    AITpro Admin
    Keymaster

    Go Daddy
    http://support.godaddy.com/system-alerts/

    “Web Hosting April 12, 2013 at 7:35 AM
    We are aware of an ongoing, industry-wide attack attempting to gain access to customers’ websites. While we mitigate it, you might not have access to admin pages for Joomla! or WordPress. Your site, however, will remain online. To keep your site and your information secure, we recommend changing your password when you regain access to your site. You can read about password best practices at x.co/strongpass. We’ll post any updates here.”

    “Web Hosting April 11, 2013 at 11:06 AM
    We continue to mitigate the Internet-wide attack, but customers should be able to access their admin pages. If you need to strengthen your password, we recommend referring to x.co/strongpass for guidance. Thanks for your patience.”

    “Web Hosting, Hosting April 10, 2013 at 10:59 AM
    Some Linux Web Hosting customers are experiencing intermittent connectivity to their sites. Our team is investigating. Thanks for your patience.”

    #4243

    silas88
    Participant

    Option 2 below seems simple and clever
    http://forum.arvixe.com/smf/servernetwork-status/wordpress-wp-login-php-brute-force-attack/

    “While keeping our service stable remains a primary concern, we cannot keep wp-logins locked down endlessly. There are a few ways going around to get back and online. The method we are recommending —-

    Option #1
    Login to your account and enable CloudFlare. Cloudflare is explained here: http://blog.arvixe.com/what-is-cloudflare/ And can be setup using this: http://blog.arvixe.com/how-to-setup-cloudflare-on-your-arvixe-account/. Once done and after an hour or two for propagation, we can safe-list your specific domain which has been placed behind Cloudflare from our Mod_security rule which will then restore access to your domain, and your traffic will begin to be scrubbed by CloudFlare.

    Option #2
    This is an unconfirmed and unsupported way, but we have received feedback from a couple customers that it worked for them so we decided to share it:
    Go to your cpanel and find your website files
    Rename wp-login.php to login2.php
    Edit login2.php – Find and replace wp-login.php by login2.php
    Now you can go to administration”

    #4262

    silas88
    Participant

    I just realized that the major disadvantage with option 2 above (rename and edit wp-login.php) is that updating WordPress won’t be straightforward. There are a few alternative methods being recommended and I wonder which method (not necessarily one of these) you think would be best?

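    # Return 403 for wp-login.php and /wp-admin unless the request comes from one IP
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]

    or

    # Deny wp-login.php to everyone except one address (Apache 2.2 syntax)
    <Files wp-login.php>
    Order deny,allow
    Deny from all
    # Placeholder address: replace with your own IP
    Allow from 11.222.333.44
    Satisfy Any
    ErrorDocument 403 "Forbidden"
    </Files>

    or

    # Return 403 for login POSTs whose Referer is not the site itself
    # (the Referer header is supplied by the client)
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^http://(.*)?\.example\.com [NC]
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    RewriteRule ^(.*)$ - [R=403,L]

    #4265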

    AITpro Admin
    Keymaster

    I think these methods are probably not really necessary if you have created a secure WordPress password and have login protection that locks accounts after X failed attempts. If you did want to pursue dealing with just the large number of login attempts themselves then the smart approach would be to redirect them by doing something like this. Create a query string for your login: wp-login.php?mysecretstring=goawaydummies. If your custom query string was not entered and the standard login URL/String was entered without your custom query string, then redirect them to google.com.

    #4692

    Tom
    Participant

    if your custom query string was not entered and the standard login URL/String was entered without your custom query string then redirect them to google.com

    How exactly do you do this?

    #4697

    AITpro Admin
    Keymaster

    There is a WordPress plugin that already does this at the php level.  It is called – Stealth Login Page.

    #4712

    Tom
    Participant

    I just tested this plugin with BPS Pro enabled and it worked great. Thanks!
