• Hi, the following is the message I’ve received from my hosting provider admin:

    =============
    I found that your account was under a brute force attack and had to edit your wp-login.php file to exit before it loads all its libraries, to keep your account from abusing its resources. This could be part of the issues you’re facing, and you need to find a way to protect your blog from that type of attack. Please see below the processes that were running earlier:

    accountusername 46219 5.6 0.2 285060 68264 ? R 15:02 0:00 lsphp:accountusername/public_html/wp-admin/media-upload.php
    accountusername 46238 6.0 0.1 258948 43464 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46248 5.4 0.1 282948 64600 ? S 15:02 0:00 lsphp:/home/accountusername/public_html/index.php
    accountusername 46254 6.3 0.1 278648 62396 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46350 5.6 0.1 265664 48824 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46351 7.0 0.1 264624 47788 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46352 6.7 0.1 264868 48044 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46361 6.5 0.1 262612 45572 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46363 6.2 0.1 261516 44532 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46372 6.6 0.1 255672 38564 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46387 5.0 0.0 239940 23128 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46391 5.5 0.0 240376 23300 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46405 5.0 0.0 239204 22148 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46421 5.0 0.0 233004 15656 ? R 15:02 0:00 lsphp:/home/accountusername/public_html/wp-login.php
    accountusername 46431 2.0 0.0 229280 11712 ? R 15:02 0:00 lsphp
    accountusername 46432 2.0 0.0 228492 10988 ? R 15:02 0:00 lsphp
    ===========================

    Does anybody know what needs to be done in this case?
    Is it a bug of WP?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter utnalove

    (@utnalove)

    Thank you.
    I can see the admin added

    exit;

    just in the 2nd line of wp-login.php.

    I don’t understand the following:

    If you decide to lock down wp-login.php or wp-admin, you may find you get a 404 or 401 error when accessing those pages. To avoid that, you will need to add the following to your .htaccess file.
    
    ErrorDocument 401 default
    You can have the 401 point to 401.html, but the point is to aim it at not WordPress.

    I see now the wp-login is locked down. But I see a blank page if I try to login. I don’t get any 4** error.

    Should I add

    ErrorDocument 401 default

    to the .htaccess? What does it do?

    Here is a security jump-start you might add at the end of your .htaccess file:

    # stop direct automated login attempts
    # http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html
    # NOTE: Replace example.com below with your domain (leave the ?. before it and everything else)
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_REFERER} !^http://(.*)?.example.com [NC]
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    # stop username (author) scans
    # http://imperativeideas.com/wordpress-brute-force-protection-that-works/
    # BEGIN block author scans
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]
    </IfModule>
    # END block author scans

    Note: Be sure to put your own site in at example.com above!

    Thread Starter utnalove

    (@utnalove)

    This is what I just added. How does it differ from the above?

    # Stop spam attack logins and comments
    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	RewriteCond %{REQUEST_METHOD} POST
    	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    	RewriteCond %{HTTP_REFERER} !.*mysite.com.* [OR]
    	RewriteCond %{HTTP_USER_AGENT} ^$
    	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
    </ifModule>

    Are you asking about function or possible errors?
    http://www.diffchecker.com/

    I only know how to copy-and-paste and fill in a few blanks!

    Thread Starter utnalove

    (@utnalove)

    I have used that code from the link that esmi provided.
    I can see it is very similar to the one you posted.

    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	RewriteCond %{REQUEST_METHOD} POST
    	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    	RewriteCond %{HTTP_REFERER} !.*mysite.com.* [OR]
    	RewriteCond %{HTTP_USER_AGENT} ^$
    	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
    </ifModule>

    is very similar to

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_REFERER} !^http://(.*)?.example.com [NC]
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    I do see the difference in the code (e.g. the = before POST, the REQUEST_URI in different lines, the additional [NC] stuff, and the last line – the RewriteRule – are different).

    I don’t know the meaning. Which one is better? What’s the difference between the two?

    I do not know all the differences, I just know my bandwidth usage has dropped dramatically since adding what I have posted. And of course, be sure to replace mysite and com with whatever is correct for your site.

    Thread Starter utnalove

    (@utnalove)

    Thank you.
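
Added example, not part of the original thread: a Python model of the two rule sets compared above, run over constructed requests to show where their behaviour differs. It assumes both are configured for the placeholder domain example.com and mirrors the posted regular expressions as written (dots unescaped); the function names are hypothetical.

```python
import re

SITE = "example.com"  # placeholder domain, as in the thread (assumption)
UA = "Mozilla/5.0"    # constructed browser User-Agent

def jump_start_rules(method, uri, referer="", user_agent=""):
    """First rule set in the thread (answers 403). Returns '403' or 'pass'."""
    post = method == "POST"  # "=POST" is an exact string comparison
    foreign = not re.search(rf"^http://(.*)?.{SITE}", referer, re.I)  # [NC]
    target = bool(re.search(r"^/wp-login\.php(.*)$", uri)
                  or re.search(r"^/wp-admin$", uri))  # the [OR] pair
    return "403" if post and foreign and target else "pass"

def spam_stop_rules(method, uri, referer="", user_agent=""):
    """Second rule set (301 to the client's own address). Returns '301' or 'pass'."""
    post = bool(re.search(r"POST", method))  # bare "POST" is an unanchored regex
    target = bool(re.search(r".(wp-comments-post|wp-login)\.php*", uri))
    foreign = not re.search(rf".*{SITE}.*", referer)
    empty_ua = user_agent == ""  # the ^$ condition
    return "301" if post and target and (foreign or empty_ua) else "pass"

# Constructed sample requests: (label, method, path, Referer, User-Agent)
SAMPLES = [
    ("login POST, no Referer", "POST", "/wp-login.php", "", UA),
    ("login POST, http www Referer", "POST", "/wp-login.php",
     "http://www.example.com/wp-login.php", UA),
    ("login POST, https Referer", "POST", "/wp-login.php",
     "https://www.example.com/wp-login.php", UA),
    ("login POST, bare-domain Referer", "POST", "/wp-login.php",
     "http://example.com/wp-login.php", UA),
    ("login POST, empty User-Agent", "POST", "/wp-login.php",
     "http://www.example.com/wp-login.php", ""),
    ("comment POST, no Referer", "POST", "/wp-comments-post.php", "", UA),
    ("login page GET", "GET", "/wp-login.php", "", UA),
]

def compare():
    """Map each sample label to (first rule set verdict, second rule set verdict)."""
    return {label: (jump_start_rules(*req), spam_stop_rules(*req))
            for label, *req in SAMPLES}

if __name__ == "__main__":
    for label, (first, second) in compare().items():
        print(f"{label:34} first={first:5} second={second}")
```

The "http www Referer" row passes both rule sets whoever sends it, because Referer and User-Agent are client-supplied headers; both rule sets only screen out clients that omit them, and neither limits how many login attempts are made.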

  • The topic ‘Brute force attack? How to protect?’ is closed to new replies.