Global brute force attack on WordPress sites
This topic has 9 replies and 4 voices.
silas88 (Participant)
FYI, there is a large brute force attack ongoing; my own hosting provider is locking out wp-admin access while they sort things out. For examples see here: http://www.inmotionhosting.com/support/news/general/wp-login-brute-force-attack and here: http://www.mnxsolutions.com/apache/blocking-wordpress-brute-force-attacks-against-wp-login-php.html
AITpro Admin (Keymaster)
Hmm, that would explain the extremely high number of PHP errors that I have been seeing/logging on the AITpro.com sites. A lot of these PHP errors are being caused by database connectivity issues, i.e. the WordPress/server DB connection is temporarily overloaded with requests, etc.
HostGator
http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/
“…we have seen over 90,000 IP addresses involved in this attack.”
“…The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.”
“…Again, this is a global issue affecting all web hosts. Any further information we could provide at this moment would be purely speculation. Our hope is that this attack ends soon, but it is a reminder that we must all take account security very seriously.”
AITpro Admin (Keymaster)
Go Daddy
http://support.godaddy.com/system-alerts/
“Web Hosting April 12, 2013 at 7:35 AM
We are aware of an ongoing, industry-wide attack attempting to gain access to customers’ websites. While we mitigate it, you might not have access to admin pages for Joomla! or WordPress. Your site, however, will remain online. To keep your site and your information secure, we recommend changing your password when you regain access to your site. You can read about password best practices at x.co/strongpass. We’ll post any updates here.”
“Web Hosting April 11, 2013 at 11:06 AM
We continue to mitigate the Internet-wide attack, but customers should be able to access their admin pages. If you need to strengthen your password, we recommend referring to x.co/strongpass for guidance. Thanks for your patience.”
“Web Hosting, Hosting April 10, 2013 at 10:59 AM
Some Linux Web Hosting customers are experiencing intermittent connectivity to their sites. Our team is investigating. Thanks for your patience.”
silas88 (Participant)
Option 2 below seems simple and clever
http://forum.arvixe.com/smf/servernetwork-status/wordpress-wp-login-php-brute-force-attack/
“While keeping our service stable remains a primary concern, we cannot keep wp-logins locked down endlessly. There are a few ways going around to get back and online. The method we are recommending:
Option #1
Login to your account and enable CloudFlare. Cloudflare is explained here: http://blog.arvixe.com/what-is-cloudflare/ and can be set up using this: http://blog.arvixe.com/how-to-setup-cloudflare-on-your-arvixe-account/. Once done, and after an hour or two for propagation, we can safe-list your specific domain which has been placed behind Cloudflare from our Mod_security rule, which will then restore access to your domain, and your traffic will begin to be scrubbed by CloudFlare.
Option #2
This is an unconfirmed and unsupported way, but we have received feedback from a couple of customers that it worked for them, so we decided to share it: Go to your cPanel and find your website files. Rename wp-login.php to login2.php. Edit login2.php: find and replace wp-login.php with login2.php. Now you can go to administration.”
silas88 (Participant)
I just realized that the major disadvantage with option 2 above (rename and edit wp-login.php) is that updating WordPress won’t be straightforward. There are a few alternative methods being recommended and I wonder which method (not necessarily one of these) you think would be best?
```apache
# Block wp-login.php and wp-admin for every address except your own
# (replace 123.123.123.123 with your IP)
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
```

or

```apache
# Apache 2.2 style allow-list for wp-login.php (replace 11.222.333.44 with your IP)
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 11.222.333.44
Satisfy Any
ErrorDocument 403 "Forbidden"
</Files>
```

or

```apache
# Reject login POSTs that do not come from your own site (replace example.com)
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?\.example\.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
```
AITpro Admin (Keymaster)
I think these methods are probably not really necessary if you have created a secure WordPress password and have login protection that locks accounts after X failed attempts. If you did want to pursue dealing with just the large number of login attempts themselves, then the smart approach would be to redirect them by doing something like this. Create a query string for your login:
wp-login.php?mysecretstring=goawaydummies
If your custom query string was not entered and the standard login URL/string was entered without your custom query string, then redirect them to google.com.
Tom (Participant)
“If your custom query string was not entered and the standard login URL/string was entered without your custom query string, then redirect them to google.com.”
How exactly do you do this?
AITpro Admin (Keymaster)
There is a WordPress plugin that already does this at the PHP level. It is called Stealth Login Page.
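One way to implement the query-string redirect described above at the PHP level, as an added example that is not the Stealth Login Page plugin's code nor anything posted in this thread. It assumes the file is dropped into wp-content/mu-plugins/, reuses the parameter name and value from the post above (change both), and the cookie name is a hypothetical one chosen here:

```php
<?php
/**
 * Added example: gate wp-login.php behind a secret query string
 * (must-use plugin, e.g. wp-content/mu-plugins/login-gate.php).
 * Not the Stealth Login Page plugin's code. Parameter name and value
 * are the ones from the forum post; the cookie name is hypothetical.
 */
const LOGIN_GATE_PARAM    = 'mysecretstring';
const LOGIN_GATE_SECRET   = 'goawaydummies';
const LOGIN_GATE_COOKIE   = 'login_gate_ok';
const LOGIN_GATE_REDIRECT = 'https://www.google.com/';

add_action('login_init', function () {
    // The cookie holds a keyed hash of the secret, never the secret itself.
    $token = hash_hmac('sha256', LOGIN_GATE_SECRET, wp_salt('auth'));

    // 1) Request carries the secret: set a session cookie so the login
    //    form's POST (which has no query string) is also let through.
    if (isset($_GET[LOGIN_GATE_PARAM])
        && hash_equals(LOGIN_GATE_SECRET, (string) $_GET[LOGIN_GATE_PARAM])) {
        setcookie(LOGIN_GATE_COOKIE, $token, 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);
        return;
    }

    // 2) Follow-up requests (form POST, logout, password reset) carry the cookie.
    if (isset($_COOKIE[LOGIN_GATE_COOKIE])
        && hash_equals($token, (string) $_COOKIE[LOGIN_GATE_COOKIE])) {
        return;
    }

    // 3) Everything else hitting wp-login.php, including brute force
    //    attempts at the standard URL, is redirected away as the post suggests.
    wp_redirect(LOGIN_GATE_REDIRECT, 302);
    exit;
});
```

Emailed password-reset links point at wp-login.php without the secret, so a browser that does not already hold the cookie is redirected; exempt action=rp in step 2 or append the secret to those links if you rely on that flow.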
Tom (Participant)
I just tested this plugin with BPS Pro enabled and it worked great. Thanks!