So three days ago I set up a WordPress blog. It is the latest version, with only a few popular and up-to-date plugins. It has barely any visitors, if any, because it’s so new. It has a VERY strong password (a completely random combination of letters, numbers and special characters), but starting from this morning, Loginizer (a brute force attack prevention plugin) started alerting me to several lockouts from IPs in different countries. According to the Loginizer dashboard, there have been over thirty failed logins, none of which are me.
My first question is: Is this normal for WordPress sites, and is there a way to tell if my site is part of a botnet or something? I’ve run a virus scan, and it said there are no malicious files.
Also, have any of your WordPress sites ever been infected or part of a botnet, and what happened and how did you deal with it?
Thanks.

WordFence has been on board for a long time – that plugin is of great assistance in the defense – the tracing of the attacks was clear to me the moment it started – I regularly look at “Live Traffic” – there I saw the attacks on the login page come by – around 80% from Russia – a botnet from several IPs – probably zombie computers.
The attacker had found the right path to the login page – that worried me a bit – so I had to look at more ways to defend my WordPress site.
First I blocked each and every IP that came by – but I realized it would only be a matter of time before the attack script guessed the right password – although I have a safe one with 20+ characters.
Then the masking of the login page came along – a useful plugin that offers to mask the login under a fancy name (read: URL) – this resulted in a lot of 404’s – that made the blocking much easier – in the “Blocking” option of WordFence the “Page Not Found” filter did the job. The blocked IPs stay blocked because there certainly will come another attack – signs that it will come are there already.
Of course I was careful not to block “Humans”.
There may be other ways to defend your website but when you are not a techie, like me, this is perhaps a way to handle botnet attacks.

“There was an error trying to send your message. Please try again later.”
After some testing it doesn’t appear to actually send the email but Flamingo still records it in their records. Thus, our Flamingo has been slammed with spam recently. Can anyone confirm that this is an issue? If the devs need sites to test on feel free to slack me in WP @howdy_mcgee

Others may think of better strategies to thwart this attack vector. The authors will undoubtedly have suggestions – possibly a third level lockout formula, or alternate formulas?
The other concern is botnet attacks – if there are 10,000 attackers, 40 attacks from each is 400,000 – still a trivial number if your pw has 10^20 possible combos, but much larger than 40 attacks from one IP.

https://www.ads-software.com/plugins/wordfence/

– I have no plugins
– I have no content
– Theme is the WordPress default (twenty fifteen or similar)
I tried to install some security plugins like WP Security but the problem is not fixed.
I installed WP Super Cache – but the problem is not fixed.
1. When I uninstall WordPress, CPU goes down. When I install WordPress on that domain, CPU goes up.
2. I have installed WordPress on other domains on the same server and have no problem.
3. When I install WordPress in a subfolder (a subfolder of this problematic domain) everything is ok. But when I install in the domain root (not in a subfolder) my CPU goes up.
What is the problem? I think that someone is calling my site with a robot. How can I analyze and prevent this problem?

I ran into the problem that all my WordPress sites on my server are attacked by a botnet. They do that pretty smartly. Each time a botnet server / computer tries to log in from an IP address and on failure the next computer in the botnet tries. That means that every attempt comes from a different IP address. To curb this so-called brute force attack I have the botnetblocker plugin installed.
The problem is that the plug-in closes off the sites the whole time and only the white-list IP range can log in. That makes it impossible to offer a visitor login or anything else that requires a login or registration on demand.
Is there a solution for this other than opening up the site to the brute-force attacks? The IP range of the botnet is from all over the world: Asia / France / Russia and so on.
Best regards..
drDibbes

I’ve disabled /2192 now, and also renamed my wp-comments-post.php page to .bak for the time being. But I’m worried that this won’t be enough. Of course, I’ve had Akismet enabled for 6 years, but starting back in August 2013 I went from 6,000 blocked spam per month to 1.5 million a month. I left a screenshot of this here.
Anyone have any idea about what I can do about this? I don’t want to get shut off by 1and1.com (yes, I know there are better hosts out there but the hassle of migrating makes me leery).

I’ve been using WP Better Security and for whatever reason one of the blogs I manage has been getting unusually HAMMERED for days and days, non-stop with brute-force attempts (mostly against ‘admin’, for which there is no user). Setting the plugin to ban the IP after only 2 failed login attempts (sometimes even 1), I’ve now accumulated a list of IPs of an obviously elaborate BOT-net. (I’ve got exactly 1938 IPs… and growing… from the past couple of weeks.) Each single IP accounts for DOZENS of login attempts, reflected in our endless server access logs for an otherwise low-traffic site.
Wish I had had your BP plugin installed a couple of weeks ago. Adding this data to your database would be highly beneficial for many others and surely put a damper on this activity for all who use your BP plugin.
That being said, is there a way I can contribute this priceless list of IPs to your database to benefit others in the future?
-Mike
https://www.ads-software.com/extend/plugins/bruteprotect/

There are some suggestions out there for using mod_rewrite and checking referrer and/or IP address but they all have their drawbacks. (Just try getting it right with multi-siting, multiple users, and a CDN or two.)
Here’s what I did… I added the following to wp-fail2ban.php:
    add_filter('authenticate',
        function ($user, $username, $password) {
            // Usernames starting with "adm" (admin, adminadmin, Administrator, adm, ...)
            // are never valid on this site, so the attempt is treated as an attack.
            if ( preg_match('/^adm.*/i', $username) ) {
                // Log the failure to the auth facility so fail2ban can pick it up
                // and ban the connecting address ($_SERVER['REMOTE_ADDR']).
                openlog('wordpress(' . $_SERVER['HTTP_HOST'] . ')', LOG_NDELAY | LOG_PID, LOG_AUTH);
                syslog(LOG_NOTICE, "Authentication failure for $username from {$_SERVER['REMOTE_ADDR']}");
                // Stop right here instead of letting WordPress check the password.
                die;
            } else {
                // Any other username goes through the normal authentication chain.
                return $user;
            }
        }, 1, 3); // priority 1 runs before WordPress's own checks; callback takes 3 arguments
It’s admittedly just a hack. And it’s based on the fact that somewhere north of 99.9% of the attacks I’ve seen are aimed at the “admin” user and another 0.09% are aimed at users like ‘adminadmin’, ‘Administrator’, and ‘adm’. (Of course, I don’t have any valid admin users with obvious usernames like that, so this works for me.)
Maybe I should send back a 403 or something, but immediately dying works fine as these aren’t real users anyway.
The reason I modified wp-fail2ban.php rather than just add this as a separate plugin is because I still want to log the failures–I blacklist these IPs–and it seemed reasonable to do it all in one place.
https://www.ads-software.com/extend/plugins/wp-fail2ban/
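The other half of the setup above is the log consumer. The following Python is an added example (not the wp-fail2ban plugin's code and not the poster's) that parses the "Authentication failure for … from …" lines the snippet emits and applies a fail2ban-style maxretry/findtime sliding window to decide which source IPs to ban; the timestamp/host layout of the syslog lines and the sample log lines are assumed and constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog line as written by openlog('wordpress(<host>)', LOG_PID, LOG_AUTH) + syslog()
# in the snippet above, rendered in the traditional rsyslog layout (assumed):
#   Mar 10 08:00:01 web1 wordpress(example.com)[4321]: Authentication failure for admin from 203.0.113.5
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"wordpress\((?P<site>[^)]+)\)\[\d+\]: "
    r"Authentication failure for (?P<user>.+) from (?P<ip>[0-9a-fA-F.:]+)$"
)

# Constructed sample log (IPs from documentation ranges); the sshd line is noise to skip.
SAMPLE_LINES = [
    "Mar 10 08:00:01 web1 wordpress(example.com)[4321]: Authentication failure for admin from 203.0.113.5",
    "Mar 10 08:00:05 web1 wordpress(example.com)[4321]: Authentication failure for Administrator from 203.0.113.5",
    "Mar 10 08:00:20 web1 sshd[999]: Failed password for root from 203.0.113.5 port 22 ssh2",
    "Mar 10 08:01:30 web1 wordpress(example.com)[4322]: Authentication failure for adm from 203.0.113.5",
    "Mar 10 08:02:00 web1 wordpress(example.com)[4321]: Authentication failure for admin from 2001:db8::1",
    "Mar 10 08:10:00 web1 wordpress(example.com)[4323]: Authentication failure for admin from 198.51.100.7",
    "Mar 10 08:25:00 web1 wordpress(example.com)[4323]: Authentication failure for admin from 198.51.100.7",
    "Mar 10 08:40:00 web1 wordpress(example.com)[4324]: Authentication failure for adminadmin from 198.51.100.7",
]


def parse_line(line, year=2024):
    """Return {'ts', 'site', 'user', 'ip'} for a matching line, else None (syslog omits the year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "site": m["site"], "user": m["user"], "ip": m["ip"]}


def ips_to_ban(lines, maxretry=3, findtime=600):
    """fail2ban-style rule: ban an IP once it has >= maxretry failures within findtime seconds.

    Returns {ip: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(list)  # ip -> timestamps still inside the sliding window
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in banned:
            continue
        hits = recent[rec["ip"]]
        hits.append(rec["ts"])
        # Drop failures older than findtime relative to the newest one.
        while (rec["ts"] - hits[0]).total_seconds() > findtime:
            hits.pop(0)
        if len(hits) >= maxretry:
            banned[rec["ip"]] = rec["ts"]
    return banned
```

With the defaults, 203.0.113.5 is banned at its third failure (08:01:30) while 198.51.100.7, whose three failures are 15 minutes apart, never has three inside a 10-minute window.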