• Hi,

    I am trying to limit the volume of attacks and bandwidth. I have Wordfence along with WPS Hide Login and the login URLs are set to GUIDs. There is only one admin user. I’m still getting hundreds of brute force attacks every day.

    Can someone explain what is being attacked? I thought Wordfence protected xml-rpc.php.

    Thanks

Viewing 11 replies - 1 through 11 (of 11 total)
  • Can you please explain what exactly you mean by “hundreds of brute force attacks” ?

    Wordfence only blocks attacks once they attempt to touch your website, it doesn’t somehow tell a guy in Russia to turn off his software (other than hinting to him that perhaps he could look elsewhere for an easier target). The hit on your server still happens. You can step up the chain by doing some blocking in your .htaccess file, or adjust settings of your server firewall. But when someone directs a bot to your website the hit is still going to happen at some point, and use a certain amount of bandwidth.

    Thread Starter reppie

    (@reppie)

    As in, is there a soft target that these attacks are directed at so that I can do something to reduce them.

    I thought brute force attacks were directed at log-in pages or xml-rpc.php. So I’ve installed Wordfence, and WPS Hide Login so that no-one knows the login URL and yet I am still getting 100s of brute force attacks blocked per week.

    So how can I find out where these attacks are directed? What are they trying to brute force?

    The bots attack you because you are there, no other reason. You will always see hundreds of blocked attack attempts if you’ve set up much in the way of security software that reports. Most people don’t realize the attacks are happening all the time. MTN

    Thread Starter reppie

    (@reppie)

    Yes. My question is WHAT is being attacked.

    There are thousands of attack vectors in WordPress and plugins. The bots are set up to attack those. That’s what is being attacked. The idea is it costs nearly nothing to unleash a bot that roams around the internet looking at websites, probing for vulnerabilities via known attack vectors. It’s like a criminal wandering the streets, shaking padlocks.

    It’s not that tough to “block” most attacks, what’s impossible is to 100% reduce the cost in bandwidth. And to add pain, know that your friendly web host is actually making a good part of their money by selling you the bandwidth you need for the bots! It’s a terrible situation and constantly getting worse.

    Thanks to Wordfence and other measures, most attacks are not successful in terms of breaching a website, but they still use bandwidth.

    Thread Starter reppie

    (@reppie)

    Yes, I understand all of that, hence the big long list of attacks that WF protects against.

    What I’m asking is: my understanding of brute force attacks is that someone/a bot is trying to guess the password of something. But if they can’t access the log-in page or xml-rpc, how is this happening? There aren’t thousands of places to enter a password for WordPress.

    Hmmm, not sure of exact answer, but again, the bot can attack all it wants, if it can’t find the login page it still attacks. If you’re seeing that the bot actually accessed the login form and filled in a bad username or password guess, and you think you’re defended against that in a way that’s supposed to block access to the login form, then yes there is something wrong with your setup. I can say that because I also use WPS Hide Login as well as strict login protection settings in Wordfence that tell me right away if there is a failed login attempt. I see _no_ failed login attempts other than the occasional mistake by an admin who knows the secret URL and can get there.

    By the way, if you don’t particularly need xml-rpc, disable at least temporarily for troubleshooting. Me, I leave it permanently nixed (both by deleting xml-rpc.php and using a plugin), it’s a major criminal attractor.

    Try putting this stuff in your “Immediately Block URLs” in Wordfence Options, it’ll catch a few of the login-registration bots and give you a picture of what’s going on. (When experimenting, remember to whitelist your own IP).

    /wp-login
    /*/wp-login
    /*/wp-login.php
    /*/*/wp-login.php
    /wp-login.php*
    /login.html
    /login
    /author/*//wp-login.php
    /*/*login=go%21&H=
    /*/*/*login=go%21&H=
    /register/
    /register.php
    /*/register
    /*/component/user/register
    /component/user/register
    /login-register.html
    /?q=user/register
    /?q=user%2Fregister
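
    An added example, not part of the original post: one way to answer "what is being attacked" is to tally the web server access log by target, using a subset of the block patterns listed above. The log lines are constructed, the function names are hypothetical, the wildcard handling (`*` matches any run of characters) is an assumption about how such patterns match, and the XML-RPC endpoint is matched under its actual filename, `xmlrpc.php`.

```python
import re
from collections import Counter

# A subset of the "Immediately Block URLs" patterns quoted in the post above.
BLOCK_PATTERNS = ["/wp-login", "/*/wp-login.php", "/wp-login.php*",
                  "/login", "/register/", "/?q=user/register"]

# Constructed sample in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:06:25:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "bot"
203.0.113.7 - - [01/Jan/2024:06:25:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "bot"
198.51.100.23 - - [01/Jan/2024:06:26:10 +0000] "GET /wp-login.php HTTP/1.1" 404 1200 "-" "bot"
198.51.100.23 - - [01/Jan/2024:06:26:11 +0000] "POST /wp-login.php?action=register HTTP/1.1" 404 1200 "-" "bot"
198.51.100.23 - - [01/Jan/2024:06:26:12 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 1200 "-" "bot"
192.0.2.50 - - [01/Jan/2024:06:27:00 +0000] "GET /?q=user/register HTTP/1.1" 404 1200 "-" "bot"
192.0.2.10 - - [01/Jan/2024:06:28:00 +0000] "GET /about/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""

# Captures: client IP, request URL, response size in bytes ("-" when empty).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+|-)')

def to_regex(pattern):
    # Assumption: '*' matches any run of characters; the rest is literal.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

BLOCK_RES = [(p, to_regex(p)) for p in BLOCK_PATTERNS]

def classify(url):
    if url.split("?", 1)[0].lower().endswith("/xmlrpc.php"):
        return "xmlrpc"
    for pattern, rx in BLOCK_RES:
        if rx.match(url):
            return "blocklist:" + pattern
    return "other"

def summarize(log_text):
    """Return (hits per target, probe hits per IP, response bytes per target)."""
    targets, sources, bytes_out = Counter(), Counter(), Counter()
    # Lines that do not match the expected log format are skipped.
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, url, size = m.groups()
        label = classify(url)
        targets[label] += 1
        bytes_out[label] += 0 if size == "-" else int(size)
        if label != "other":
            sources[ip] += 1
    return targets, sources, bytes_out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)[0].most_common())
```

    The per-target byte totals show how much bandwidth the probes consume even when every one of them is answered with a 403 or 404.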

    Thread Starter reppie

    (@reppie)

    Thanks, I’ll give it a go as well. But all of those URLs ‘should’ lead to a 404 error not a page where anyone can try logging in to something…

    Hello Reppie, the idea is this is a component of overall defense strategy. Many of the bots attempt to register-login using various different URLs, by placing those URLs in Wordfence to immediately block, you end up blocking them with Wordfence rather than their hit simply causing dozens if not hundreds of 404s as they bang away on things and possibly find a vulnerability, as well as our being able to research and visualize what’s happening, and proceed with various measures.

    I keep a list of about 200 URLs in the Wordfence “Immediately Block” dialog. I also set all my Wordfence blocking to 48 hours or more.

    Other things I do: occasionally, if I see an attack URL being used an excessive number of times, I put it in my .htaccess, with a rule causing it to return an error 403, and if I see a recurring IP number that seems to not quit, I put it in my server firewall, though doing that is usually a waste of time.

    There are indeed different ways of going about all this, depending on your view of how bots react to various website errors. I’m no expert, just trying to help here as the cyber criminals have taken months out of my life and I think we all need to band together and fight them.

    Thread Starter reppie

    (@reppie)

    A combination of disabling xml-rpc.php, hiding the log-in, throttling and adding that block list has brought attack volume right down.

    Good to hear! In my case, by fine tuning Wordfence, as well as optimizing website loading bandwidth and other things like the login hide, I’ve reduced my bandwidth to the point where I saved about $500 a year in hosting cost. But it’s still a ridiculous amount of work. Ever onward. MTN

  • The topic ‘100s of brute force attacks’ is closed to new replies.