Title: WordPress site under attack
Last modified: August 30, 2016

---

# WordPress site under attack

 *  [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/)
 * I have a WordPress site that is under attack.
 * I am using the limit login attempts plugin. So I get an email for every failed
   attempt. I have had about 30 attempts today each one using a different IP, about
   30 mins apart (as my plugin is blocking that IP on a failed attempt).
 * I am using nginx and have made /wp-admin hidden so it returns forbidden.
 * I have also changed wp-login.php to wp-login.php_somethinghere
 * But for some reason it's not stopping the attempts. My guess is that the hacker
   must be using a proxy server and posting directly to a file but which one? Any
   ideas?
 * Thanks!
 * IP list so far in case it helps in some way:
   118.233.70.30 180.59.50.128 39.32.199.149
   79.145.164.4 167.114.65.164 77.69.112.109 46.121.15.5 158.58.234.54 213.10.32.143
   175.156.93.187 188.129.70.61 197.33.38.181 88.101.96.99 94.230.84.105 79.177.108.110
   103.17.100.19 210.186.202.223 154.73.58.75 84.50.17.141 161.0.114.2 84.117.177.188
   79.118.2.76 191.112.79.22 79.175.76.39 186.188.59.171 178.164.239.156 62.113.0.40
   41.104.65.205 188.247.74.185 62.201.234.172 105.236.232.213 46.120.162.182 190.163.215.166
   75.185.243.125 121.54.47.162 39.7.55.179 77.196.18.14

Viewing 10 replies - 16 through 25 (of 25 total)


 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329064)
 * [@andrew](https://wordpress.org/support/users/andrew/) – All I did was provide
   the URL to my site, I did not (and will not) allow anyone to login to the admin
   section of my website.
 * But I really appreciate and thank you for caring about this subject – other users
   may not be aware of the dangers of providing admin access.
 * Thanks,
    Scott
 *  [Davler Labs](https://wordpress.org/support/users/davler-labs/)
 * (@davler-labs)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329066)
 * WP Community, [@andrew](https://wordpress.org/support/users/andrew/), and [@scott](https://wordpress.org/support/users/scott/),
 * Please allow me to take a moment to apologize if any offense was taken or if 
   any rules have been broken. I assure you that only the best intentions were in
   place.
 * No access was requested, nor provided. In addition, no requests for services above
   and beyond what is provided here on the forum were suggested.
 * Not everyone wishes for their information to be shared publicly, simply trying
   to respect that. Especially considering, it’s well known that bots scrape forums
   like these for potential targets.
 * Again, apologies for any issues.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329072)
 * Side note and completely off topic:
 * Hi [@davler-labs](https://wordpress.org/support/users/davler-labs/) and welcome
   to the WordPress support forums. 😉
 * First off, thanks for helping out Scott. These are support forums and you were
   providing free support on your own time.
 * >  Not everyone wishes for their information to be shared publicly, simply trying
   > to respect that. Especially considering, it’s well known that bots scrape forums
   > like these for potential targets.
 * Yeah. No.
 * _*Drinks coffee, says coffee is good*_
 * Here’s why the reaction was that way: there have been people who have used and
   continue to use these forums for harvesting work for cleaning up compromised 
   sites.
 * _Please be aware, I am not doubting your good intentions!_ Honest.
 * These forums aren’t for picking up work, they’re for free volunteer support. 
   It’s really discouraged when someone seeks contact outside of the forums because
   it has led to abuse in the past. At least two companies have earned lifetime 
   bans for chasing users home and pestering them with paid support solicitations.
 * I repeat: I’m not doubting you and your intentions! But I just want to help you
   understand why moderators are cautious.
 * If someone needs help in these forums then they should be prepared to share
   non-sensitive data here. No one else should log in, take a look, etc. outside of
   these forums for someone else. That’s just not safe and as you’ve indicated there’s
   a lot of bad people out there.
 * If a person with a problem like that needs a greater level of support then they
   need to look elsewhere. That’s why you’ll see [http://jobs.wordpress.net/](http://jobs.wordpress.net/)
   referenced a lot.
 * If they’re willing and able to then there is often a lot of good support here.
   Users have been able to get themselves out of a jam with that good advice.
 * Now back to the regularly scheduled topic: Scott I’m glad it looks like this 
   is working out for you. 😉
 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329080)
 * Update:
 * Changing wp-login.php to 600 permissions did not solve the problem. Since yesterday
   evening when I did that I have had about 40-50 login attempts (each still from
   a different IP)
 * Any idea what is going on or how to fix it?
 * Thanks,
    Scott
 *  [Mark Ratledge](https://wordpress.org/support/users/songdogtech/)
 * (@songdogtech)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329084)
 * > Any idea what is going on….
 * One or more people decided they don’t like you and have decided to hit your site
   from random IPs with scripts to try and break in.
 * > …or how to fix it?
 * There’s really nothing you can do besides what you’ve done.
 * > Since yesterday evening when I did that I have had about 40-50 login attempts…
 * That’s actually a low number of attempts in comparison to some site logs I’ve
   seen. If you look at your raw 404 logs, you’ll be surprised at the amount of
   garbage/bot/hacker traffic to your site. That’s life on the Internet.
 *  [Davler Labs](https://wordpress.org/support/users/davler-labs/)
 * (@davler-labs)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329088)
 * There are still a few options. Unfortunately, with brute-force attacks, even once
   the targeted content is disabled or moved the requests are still being processed
   (just with errors this time around). It’s a big pain as you know since it begins
   to hog up bandwidth and resources.
 * Once you have exhausted the options typically used to mitigate/slow down these
   attacks such as disabling content, password protecting, limiting access to login
   by ip, deny by no referrer, modsec, fail2ban, proxying, and big powerful blocklists
   there are a few more options to use outside of blackhole routing (I’m sure you
   don’t want to do that).
 * Have you tried nginx’s limit req module? If not I’ll see about typing something
   up for you as our previous linking was frowned upon.
 * There is also a method that is likely also frowned upon here which I will not
   post to prevent further negative attention. But to give you an idea… the attack’s
   lifespan is dependent on the size of the wordlist used or brute-force style chosen.
   Outside of waiting the attack out there are ways of thwarting the attack by
   using a weakness in the bot’s willingness to accept certain responses to your
   advantage.
 * I’d suggest the limit req module approach however, so if you haven’t tried it
   then give it a quick Google. You may very well be able to address this in a few
   minutes if the other options I posted a few paragraphs ago have been attempted
   unsuccessfully.
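The limit req module suggested above, as an added configuration example written for this thread (it is not the poster's configuration and not part of the original post): nginx's ngx_http_limit_req_module applied to wp-login.php. Because the attempts described in the thread each come from a different IP, a per-address zone alone does little, so a second zone keyed on the server name caps the login endpoint as a whole regardless of source address. The zone names, rates, burst sizes, server name, document root and PHP-FPM socket path are all assumptions chosen for illustration.

```nginx
# Added example, not from the thread. Assumed names: zones login_per_ip and
# login_global, server_name example.com, PHP-FPM at /run/php/php-fpm.sock.

http {
    # Per-client zone: one request per second from a single address, state
    # kept in 10 MB of shared memory (roughly 160k addresses).
    limit_req_zone $binary_remote_addr zone=login_per_ip:10m rate=1r/s;

    # Site-wide zone keyed on the server name: the login endpoint as a whole
    # gets at most 30 requests per minute, however many source addresses the
    # attempts are spread across.
    limit_req_zone $server_name zone=login_global:1m rate=30r/m;

    # Answer rejected requests with 429 rather than the default 503 so they
    # are easy to distinguish from backend outages in the access log.
    limit_req_status 429;

    server {
        listen 80;
        server_name example.com;         # assumption
        root /var/www/example.com;       # assumption
        index index.php;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # Both limits apply to the login script. A small burst lets a real
        # user retry a mistyped password; nodelay rejects the excess at once
        # instead of queuing it.
        location = /wp-login.php {
            limit_req zone=login_per_ip burst=5 nodelay;
            limit_req zone=login_global burst=10 nodelay;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
        }

        # Remaining PHP is served normally, without the login limits.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
        }
    }
}
```

Check the configuration with `nginx -t` before reloading. Rejected requests are recorded in the error log with the message "limiting requests" and the zone that triggered, which makes it straightforward to confirm whether the attempts are being stopped at nginx before PHP runs.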
 *  [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * (@leejosepho)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329089)
 * Obscurity does not help and there is really little to be gained by baiting ‘bots.
   NinjaFirewall can stop some requests before they ever even reach WordPress, and
   I only ever see maybe a half-dozen bogus login attempts per week.
 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329090)
 * [@songdogtech](https://wordpress.org/support/users/songdogtech/) Thanks. It would
   seem so, it’s a pretty popular website, so eventually someone is not going to
   like you.
 * [@leejosepho](https://wordpress.org/support/users/leejosepho/) I’ll definitely
   check out NinjaFirewall, thanks!
 * I am a programmer and am curious about the technical details of how a bot/script/
   person can attempt to post data to a PHP form (in this case wp-login.php) if 
   the page is set to 600, so that Nginx returns a 403 Forbidden. Like, how is that
   even possible technically?
 * Yes, it might only be a few hundred attempts per week but when you stretch that
   over years we are talking about hundreds or thousands of login attempts. Even
   with a good password, it’s a little unsettling.
 * Thanks,
    Scott
 *  [Davler Labs](https://wordpress.org/support/users/davler-labs/)
 * (@davler-labs)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329092)
 * [@leejosepho](https://wordpress.org/support/users/leejosepho/)
 * Where did I suggest obscurity? I surely hope you are not confusing disabling 
   of content or tightening up perms as obscurity. While security through obscurity
   is very well known to be an effort that shouldn’t be of primary focus, to say
   it does not help at all is rather shortsighted.
 * There is an entire industry focused around baiting attackers and their methods.
   Understanding that the majority of these automated attacks use extremely light
   wordlists is key. Often focus is shifted and combined with placeholders of
   mixalpha-numeric charsets that are generally minimal in length. Even when this is not
   the case, the limited dictionary attacks are easily fooled which send the bots
   on their way.
 * While you only see a half-dozen and Scott reported a recent 40-50, it’s not
   (imho) so easily tossed aside. The use of a WAF is an extremely good call as well
   and given the attack vector, NinjaFirewall fits perfectly. I am not quite sure
   why your last posts have been negatively aimed at our responses but I do sincerely
   hope you begin having a better day. I couldn’t really figure out any other real
   reason as to why you would be so bitter towards us outside of a simple mistake
   that many have made (and many will continue to make).
 *  [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * (@leejosepho)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329095)
 * @Davler Labs: No bitterness here and I do not recall the last time I had a bad
   day! I sensed from the beginning of this thread exactly what I had said:
 * > Bolting a door closed [or hiding it or even removing it altogether or setting
   > up a false one] does not stop people from knocking, so I would guess you are
   > getting knock reports.
 * Progress has been made since that time, and everyone here has in one way or another
   contributed to the overall experience.


The topic ‘WordPress site under attack’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 25 replies
 * 8 participants
 * Last reply from: [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329095)
 * Status: not resolved
