• Hi,

    I have run into the problem that all the WordPress sites on my server are being attacked by a botnet. They do that pretty smartly. Each time, a botnet server / computer tries to log in from an IP address, and on failure the next computer in the botnet tries. That means that every attempt comes from a different IP address. To curb this so-called brute-force attack, I have installed the botnetblocker plugin.

    The problem is that the plug-in closes off the sites the whole time and only the white-list IP range can log in. That makes it impossible to make a visitor login or anything else that requires a login or registration on demand.

    Is there a solution for this other than opening up the site to the brute-force attacks? The IP range of the botnet is from all over the world: Asia / France / Russia and so on.

    Best regards..

    drDibbes

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

    Yeah, that doesn’t sound like a good plugin for this, I’m not a fan of the “scorched earth” security measures myself.

    First, add this to your .htaccess file:

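    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Match only POST requests to wp-comments-post.php or wp-login.php ...
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    # ... whose Referer is not one of the listed sites, or whose User-Agent is empty
    RewriteCond %{HTTP_REFERER} !.*(example.com|jetpack.wordpress.com).* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Redirect those requests back to the client's own address
    RewriteRule (.*) https://%{REMOTE_ADDR}/$1 [R=301,L]
    </IfModule>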

    Replace “example.com” with your domain, and if you aren’t using Jetpack Comments, remove “|jetpack.wordpress.com”.

    This will prevent bots from directly attacking wp-login.php and wp-comments-post.php; they will need to go through the forms to log in or leave comments.

    After that, install a plugin like https://www.ads-software.com/plugins/bruteprotect/ to catch anything else that makes it through.

    Thread Starter drDibbes

    (@drdibbes)

    Thank you MacManX for your response. I still have a question about it.

    I noticed that every computer in the botnet tries only one or two times and then switches to another IP if it is rejected.

    Now, in my configuration at the moment, all IPs are rejected after two attempts in one minute except for the white list.

    With the tool you suggested only the failed user IP is blocked, so the next in the botnet can try again. So the process of the brute-force attack is not disturbed because the next in line is not blocked.

    Or do I miss something?

    Moderator James Huff

    (@macmanx)

    BruteProtect uses a cloud-based blacklist constructed by analyzing botnet attacks on all BruteProtect users. In other words, chances are that the attacking IPs are already in their blacklist, and if not, they’ll identify and block the pattern.
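
The pattern described in this thread (one or two login attempts per address, then a new address) shows up in the web server's access log. The following is an added example, not part of the original posts or of any plugin mentioned in them: it counts POSTs to wp-login.php per IP and site-wide in a sliding window, to show why a per-IP limit stays silent while a site-wide rate does not. The function names, thresholds and log lines are assumptions constructed for illustration, and the log is assumed to be in Apache combined format and in time order.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Start of an Apache combined-format log line: client IP, timestamp, request.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*"')

def login_posts(lines):
    """Yield (time, ip) for each POST to wp-login.php; skip everything else."""
    for line in lines:
        m = LINE.match(line)
        if m and m["method"] == "POST" and \
                m["path"].split("?")[0].endswith("/wp-login.php"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def analyse(lines, window=timedelta(seconds=60), per_ip_limit=2, site_limit=5):
    """Return (IPs over the per-IP limit, times the site-wide limit was exceeded).

    The limits are illustrative assumptions, not values from the thread.
    """
    recent = deque()    # (time, ip) of login POSTs still inside the window
    per_ip = Counter()  # login POSTs per IP inside the window
    over_ip_limit, site_alerts = set(), []
    for ts, ip in login_posts(lines):
        recent.append((ts, ip))
        per_ip[ip] += 1
        while ts - recent[0][0] > window:   # expire entries older than the window
            _, old_ip = recent.popleft()
            per_ip[old_ip] -= 1
        if per_ip[ip] > per_ip_limit:
            over_ip_limit.add(ip)
        if len(recent) > site_limit:
            site_alerts.append(ts)
    return over_ip_limit, site_alerts

# Constructed sample: eight documentation-range addresses, one second apart,
# two of them trying a second time (no address exceeds two attempts).
SAMPLE = [
    f'203.0.113.{n} - - [10/Mar/2015:12:00:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"'
    for s, n in enumerate([1, 2, 3, 4, 5, 6, 7, 8, 1, 2])
]

if __name__ == "__main__":
    ips, alerts = analyse(SAMPLE)
    print("IPs over per-IP limit:", sorted(ips))
    print("site-wide alerts:", len(alerts))
```

On the constructed sample no address crosses the per-IP limit, while the site-wide counter raises an alert from the sixth attempt onward.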

  • The topic ‘Botnet attacks and login on demand visitors’ is closed to new replies.