• Resolved Foliferous

    (@revs)


    Hi community,

    so I noticed our website doesn’t work anymore (loads eternally and then delivers a 504 Gateway Time-out message) and our hosting provider told me there has been (or there is) an attack on the site.

    I believe it’s been going on for a week now.

    I can’t access the WP admin panel in any way. I wanted to upload a backup, but the provider said it won’t change anything (and they were right, I tried it but nothing changed).

    The provider says they could see an attack on xmlrpc.php. I deactivated it through .htaccess, but without success:

    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    <Files "xmlrpc.php">
      Require all denied
    </Files>

    (the code before # END WordPress was already there and I didn’t touch it)

    The provider also told me there is (or was) a brute force attack on the backend, and that I should hide the login page. They linked me to a plugin that does that, but the problem is that the site doesn’t work and I can’t access the admin area to even install a plugin.

    Alright, so I figured out how I could install such a plugin through FTP and phpmyadmin, and I managed in fact to install the plugin “WPS Hide Login” and I even managed to activate it through phpmyadmin.

    The problem now is: I don’t know how to make any changes to the plugin via phpmyadmin, which I will need to do because I will have to tell it where to move the login page to (I guess). However, I couldn’t find anything in phpmyadmin that contained the words “login”, “admin”, “wps”, “hide” or “redirect”. Perhaps someone is familiar with this plugin and how I select a new location for the login page?

    The provider also told me it was the WAF (I guess web application firewall) that was under attack.

    They also recommended that I install a .htpasswd to stop the attacks. I tried it, but it didn’t work. The problem here is that I’m unsure about the path. I tried using a PHP line that I put in the root folder to find out the root link, but the site doesn’t load, so that method didn’t work. I was told by the provider that the path I used was in fact correct, but I get an “Internal server error” message, which, from what I’ve read, appears when the wrong path was used.

    The provider also says that the error log states that the user I tried to log in with through the .htpasswd does not exist. It was a random username I chose that I added to the .htpasswd file, so not sure how it can be wrong. It happens to be the same username that I use to get into the FTP. But I tried different usernames in the .htpasswd as well and it never worked.

    It is becoming urgent now because my client is wondering what is happening. Does anyone have an idea what I could do? I’ve really become desperate at this point, to just fix this damn problem.

    Thanks so much for reading!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Brute force attack on website’ is closed to new replies.
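
One way to check from the server's access log whether POSTs to xmlrpc.php and wp-login.php are actually being rejected after adding a deny rule or .htpasswd protection like those described in the post. This is an added example, not part of the original post; it assumes Apache's combined log format, and the sample lines, IPs and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" access-log format is assumed; only the needed fields are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGETS = {"xmlrpc.php", "wp-login.php"}   # endpoints named in the post
BLOCKED = {"401", "403"}                   # .htpasswd challenge / "Require all denied"

# Constructed sample lines (documentation IP ranges), not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
198.51.100.23 - - [01/Jan/2024:10:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [01/Jan/2024:10:06:03 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "-"
198.51.100.23 - - [01/Jan/2024:10:06:04 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "-"
this line is truncated and does not parse
"""


def summarize(log_text, threshold=3):
    """Tally POSTs to the two endpoints per client IP and per response status."""
    per_ip = defaultdict(Counter)   # ip -> endpoint -> count
    not_blocked = Counter()         # endpoint -> POSTs answered with anything but 401/403
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1            # count unparsable lines instead of silently dropping them
            continue
        # Compare on the file name so installs in a subdirectory match as well.
        endpoint = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if m["method"] != "POST" or endpoint not in TARGETS:
            continue
        per_ip[m["ip"]][endpoint] += 1
        if m["status"] not in BLOCKED:
            not_blocked[endpoint] += 1
    noisy = {ip: dict(c) for ip, c in per_ip.items() if sum(c.values()) >= threshold}
    return {"noisy": noisy, "not_blocked": dict(not_blocked), "skipped": skipped}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over only the log entries written after the .htaccess change: any POST still counted under `not_blocked` got past the rule and reached WordPress.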