
How to STOP attack ?? As we speak..... (17 posts)

  1. paulalford
    Member
    Posted 7 months ago #

    I am receiving a ton of login attempts all from spam IPs and 78 so far and counting. They keep coming. For the last 10 minutes, 5-10 more every few minutes. What in the world is going on ?? This has to be an attack from someone.

    I do notice they are all ADMIN attempts. Good thing there is no "admin".

    How do I stop it ? and prevent it from happening again ?

    Help !!!

    Paul

  2. Andrew Nevins
    Barrel Rider, Spam Zapper & Volunteer Moderator
    Posted 7 months ago #

    To effectively prevent this your hosting providers need to act on it. Have you spoken to them?

  3. WPyogi
    Volunteer Moderator
    Posted 7 months ago #

  4. AmyKozak
    Member
    Posted 7 months ago #

    You can always add Sucuri to your site (sucuri.net).

    I have the Limit Logins plugin on both of my sites and see attempts at logging in as you mentioned above regularly - the best prevention is having a combo of a good strong user name and a very strong password with numbers, characters, etc. as mentioned in the post link above.

  5. leejosepho
    Member
    Posted 7 months ago #

    If you are logged in and you also have FTP access, you can change the permissions of the wp-admin folder to zeros and stop all login attempts instantly and completely while still keeping your site visible...and then just put those permissions back to what they were whenever you are ready such as after adding reCaptcha to Login. Also, here is a neat piece of code that can help keep anyone at all from discovering your site's usernames:
    http://imperativeideas.com/wordpress-brute-force-protection-that-works/

  6. paulalford
    Member
    Posted 7 months ago #

    Thanks guys. This was a bit unnerving today. I do have login attempts set to 2, then lockout. I also don't have an "Admin" user AND I have super hard passwords. I also already have Sucuri installed and running. This brute force attack was the first I have seen/experienced. ALL of the 80 attempts (in span of 10 minutes) were from different IPs. That was the weirdest thing too. The IPs were from all over the world, at least when I searched some of them, that's what the Lookup said. I got the hosting company involved who changed some things (I am even too afraid to mention here). I think the attack actually came from a different forum (not this one), since I posted a question there, with my website link, and 5 minutes later...wham.

    Thanks for all your advice.
    Paul

  7. paulalford
    Member
    Posted 7 months ago #

    You know...I was just thinking...maybe I need to share this list of 80 attack IPs so the rest of you guys can add them to your IPDeny to save you from these same ones.

    I am happy to copy/paste them all here or wherever.
    Paul

  8. catacaustic
    Member
    Posted 7 months ago #

    There's really no point in that. The SPAM'ers/hackers that do these attacks work from either proxy servers, or from hacked sites, so blocking the IPs won't do much good because they'll just keep on sending them from any other IP they can get their hands on, which is a lot easier than it sounds.

    If you're only getting 80 attempts a day you're pretty lucky. I've got one site that averages 400-500 each day, and the highest that I've seen so far was a bit over 2,000. As long as you do what you've done (and congratulations on doing that!) you shouldn't have anything to worry about.

  9. leejosepho
    Member
    Posted 7 months ago #

    Here is what I had meant to pass along last night when I grabbed a different link:

    It seems everyone is advising people to install either Limit Login Attempts or a WordPress Security Plugin [for dealing with brute-force Login attempts]. DO NOT DO THIS. This will not only fail to block the attack, it could crash your server. These attacks come in too fast from too many IP addresses. Please follow this guide instead.

    Update 2: Matt Mullenweg, the creator of WordPress, has confirmed that plugins should NOT be used in this situation...
    http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

    # NOTE: Replace example.com below with your domain (leave the (.*\.)? before it and everything else)
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Only POST requests are examined; GET page views pass through
    RewriteCond %{REQUEST_METHOD} =POST
    # Referer must name this site (bare domain or any subdomain); [NC] = case-insensitive
    RewriteCond %{HTTP_REFERER} !^http://(.*\.)?example\.com [NC]
    # Target is the login script or /wp-admin; [OR] joins only these two conditions
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
  10. Sigh. There ought to be a law... *Drinks more coffee*

    It seems everyone is advising people to install either Limit Login Attempts or a WordPress Security Plugin [for dealing with brute-force Login attempts]. DO NOT DO THIS. This will not only fail to block the attack, it could crash your server.

    Geez. Talk about being taken out of context. That's just plain incorrect and really bad pointless advice.

    tl;dr Please read and follow this link.

    http://codex.wordpress.org/Brute_Force_Attacks

    Longer version:

    Here's the referencing link http://thenextweb.com/insider/2013/04/13/brute-force-attacks-on-wordpress-continue-as-cloudflare-fends-off-60m-requests-in-1-hour/

    If you have numbers like 10,000+ IP addresses within 60 minutes then don't worry about a plugin or .htaccess fix. Unless your site is distributed (ala Cloudflare or other like services) and your hosting service is prepared to handle a DDoS then your site is dead.

    However if you are part of the other 99.999% of WordPress users (don't bother looking, I made that number up ;) ) then please use strong passwords, avoid default account names like admin and follow the advice on that Brute Force Attack article.

    If you want to add that .htaccess information then of course that's fine too. But recommending that people not use that plugin is just Not A Good Idea™.

  11. leejosepho
    Member
    Posted 7 months ago #

    That's just plain incorrect and really bad pointless advice.

    Please explain, if you will, and I ask to learn, not to argue!

  12. I'm sorry but that's not an argument and I was referring to the blog you linked to. I apologize if you think I meant you, I really didn't.

    Aside from good password/userid combinations if WordPress users install only one plugin then the Limit Login Attempts plugin would be a great choice.

    However that blog that you linked recommended not using the Limit Login Attempts plugin. That was clearly stated in this text from that article you posted. I've added emphasis on the text.

    UPDATE: It seems everyone is advising people to install either Limit Login Attempts or a WordPress Security Plugin. DO NOT DO THIS. This will not only fail to block the attack, it could crash your server. These attacks come in too fast from too many IP addresses. Please follow this guide instead.

    That's just not good advice for the majority of WordPress users. The Limit Login Attempts plugin does an admirable job of blocking repeated attempts and notifying the WordPress owner of that site that "IP address w.x.y.z is blocked for too many failed login attempts".

    The other plugins on that list are not bad either. The catch is that many of the security plugins really require a better understanding of what they do.

    That Limit Login Attempts plugin is basically fire and forget. It just works and is effective.

    That said I also have to write this: there is no magic bullet solution for all use cases of brute force attack attempts.

    For example, if your WordPress installation is on a server with 500 other WordPress installations (it happens with shared hosting) then any brute force attack PHP processing will melt down your web host. In that event, the .htaccess solution may be more appropriate.

    But for most WordPress users just that plugin will be fine.

    I hope that explains what I meant more clearly.

  13. leejosepho
    Member
    Posted 7 months ago #

    I hope that explains what I meant more clearly.

    Yes, and neither had I meant any offense!

    Many thanks.

  14. paulalford
    Member
    Posted 7 months ago #

    lol, I love to see people being considerate and sensitive towards others.... ahhhh, good job guys !! We need more of that in the world !! Email is difficult to get a point across sometimes without getting misunderstood, even with techno/geek talk, etc.. Glad to see some people still have manners and think of others feelings. :) You made my day.

  15. leejosepho
    Member
    Posted 7 months ago #

    In reference to some code I had posted above, here is something I have received from a Developer after asking to learn:

    The code below is semi-effective. It checks to make sure the login post request comes from your site, and it issues a redirect if the request is not from your site. A hacker can still use a program to bypass this and post the page to itself, but this still keeps out any attacks I think you will encounter while also taking some of the "self-defense" pressure off your WordPress site.

    #### stop certain brute-force login attempts
    ### ref http://wordpress.org/support/topic/what-file-permissions-are-needed-while-editing?replies=9#post-4634814
    ## NOTE: Replace example.com below with your domain (leave the (.*\.)? before it and everything else)
    # add to .htaccess
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Only POST requests are examined; GET page views pass through
    RewriteCond %{REQUEST_METHOD} =POST
    # Referer must name this site (bare domain or any subdomain); [NC] = case-insensitive
    RewriteCond %{HTTP_REFERER} !^http://(.*\.)?example\.com [NC]
    # Target is the login script or /wp-admin; [OR] joins only these two conditions
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
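    To make the rule's decision logic concrete, here is an added example that is not from the thread or from WordPress: a Python model of the three RewriteCond lines, run over constructed requests, including the spoofed-Referer case the developer mentions. It uses example.com as the placeholder domain and compares the loose referer pattern `^http://(.*)?.example.com` with the subdomain-optional form `^http://(.*\.)?example\.com`.

```python
import re

# Added example, not from the thread: the .htaccess rule's three conditions
# modelled in Python. example.com is the placeholder domain from the snippet;
# the requests below are constructed, not captured traffic.

# Loose pattern: the "." after "(.*)?" is a mandatory wildcard, so a Referer
# from the bare domain (http://example.com/...) does NOT match it.
LOOSE_REFERER = re.compile(r"^http://(.*)?.example.com", re.IGNORECASE)
# Subdomain-optional pattern with literal dots.
FIXED_REFERER = re.compile(r"^http://(.*\.)?example\.com", re.IGNORECASE)
LOGIN_URI = re.compile(r"^/wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^/wp-admin$")


def rewrite_decision(method, uri, referer, referer_pattern=FIXED_REFERER):
    """Return 403 if the rule denies the request, None if it passes through.

    Consecutive RewriteCond lines are ANDed; [OR] joins only the two
    REQUEST_URI conditions; [NC] makes the Referer test case-insensitive.
    A missing or empty Referer fails the negated match and is blocked.
    """
    if method != "POST":
        return None
    if referer and referer_pattern.match(referer):
        return None  # Referer claims our own site: allowed (header is spoofable)
    if LOGIN_URI.match(uri) or ADMIN_URI.match(uri):
        return 403
    return None


# Constructed requests: (method, uri, referer).
SAMPLES = {
    "browser_login": ("POST", "/wp-login.php", "http://www.example.com/wp-login.php"),
    "bare_domain_login": ("POST", "/wp-login.php", "http://example.com/wp-login.php"),
    "bot_no_referer": ("POST", "/wp-login.php", None),
    "bot_post_admin": ("POST", "/wp-admin", ""),
    "page_view": ("GET", "/wp-login.php", None),
    "post_admin_slash": ("POST", "/wp-admin/", None),  # ^/wp-admin$ misses this
    "spoofed_referer": ("POST", "/wp-login.php", "http://example.com/"),
}


def evaluate_samples(referer_pattern=FIXED_REFERER):
    """Run every sample through the rule; returns {name: 403 or None}."""
    return {n: rewrite_decision(*req, referer_pattern=referer_pattern)
            for n, req in SAMPLES.items()}
```

    Note that with the loose pattern a legitimate login whose Referer is the bare domain is rejected, while with either pattern a client that simply sets a matching Referer header is let through, which is the "semi-effective" limitation described above.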
  16. dub mahadev
    Member
    Posted 7 months ago #

    This is a big problem, I don't know what to do really... worried about this; server managers should stay awake all night... some 5-litre coffee jars... the WP community every day more attacked :(

  17. catacaustic
    Member
    Posted 7 months ago #

    It's not a big problem if you take some of the advice that's been offered so far in this thread. There's a lot of good ideas that are pretty easy to implement and actually work. On top of that, any half-way decent server admin will be able to put systems and blocks in place to stop this, so have a little faith in your server admins. They do that job for a reason.

    And it's not just WordPress that gets attacked - it's only that we hear about it more on here because this forum is dedicated to WordPress.
