Massive Hit from – over 50 IP Addresses

@nikwolf
@colleen

This article describes how how to resolve the issue of protecting your wp-admin when you have a dynamic IP address:

https://blog.sucuri.net/2012/06/how-to-lock-down-wordpress-admin-panel-with-a-dynamic-ip.html

@Barnez – I tried that method – created the subdomain at Afraid.com as instructed, but inserting it into the code didn’t work. Had to go back to using my IP address. Also, note that his code has one tiny error in it – there should be no space in Order Deny,_Allow – leaving a space after the comma gives an error when just accessing your home page.

I’ve written to the author and if I get it figured out, I’ll post more info here.

I’ve been dealing with this stuff for years now, huge attacks, some so bad they shut down my site due to exceeding server resources.

First step is to indeed get to know your .htaccess like a lover and if possible limit login to specific IPs. Beyond that, while security “experts” say it’s not that great, I’ve found “security through obscurity” will block most login attacks quite effectively. Attackers like to go after the low hanging fruit — make yourself hard to harvest and they’ll go elsewhere.

Simply change your login URL to something unique and the login attacks will just get an error message and won’t use up near as much of your bandwidth. And many of them will just go away.

The plugin I use for this is wSecure Authentication, https://www.ads-software.com/plugins/wsecure/

I wSecure Auth on latest WP version, with a lot of back end mods to my theme etc., and it still works.

I’m actually pretty surprised Wordfence doesn’t have this as a feature.

Another super effective technique is to ID countries you have no need of sharing your website with, and blocking them entirely. This can cut down an immense amount of attack traffic. This technique can be refined by using a country block plugin (perhaps WordFence?) that allows country blocking on the _back end_ separated from whom is blocked from the front. In other words, you block all countries but your own for the admin! My plugin solution for this is IQ Block Country, https://www.ads-software.com/plugins/iq-block-country/

These plugins could possibly conflict with WordFence, but if you guys are getting slammed, consider adjusting your plugin scheme and trying the above techniques.

Lastly, remember to use hardened passwords as well as never using “admin” as a user name. But you guys already know that (grin). If you use hardened passwords (random letters and numbers, more than 10 characters or so), the brute force login guessing game the hack attacks use will never be successful at guessing, though they’ll suck up your bandwidth till you stop them with above techniques.

MTN

Hi All,

A few comments. Please DO NOT follow the advice in that Sucuri blog entry. They’re telling you to add a hostname to your .htaccess file in the form of :

“Allow from example.com”

The reason you don’t want to do that is because anything that accesses your login URL will cause your web server to do a forward AND reverse DNS lookup which can take a very long time. This occupies an apache thread or child process completely until it’s complete. If you are experiencing a distributed attack where several IP’s are simultaneously hitting your login URL, it will make your site unavailable as each apache child/process is doing a forward and reverse lookup.

From the apache documentation:

“This configuration will cause Apache httpd to perform a double DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.”

https://httpd.apache.org/docs/current/mod/mod_access_compat.html#allow

I also don’t recommend allowing from a specific IP address because your IP will inevitably change and you’ll be locked out. However, as another poster confirmed, if you don’t mind FTP’ing into your site and changing that IP address to your new IP address (and you know how to do this) then this method will work OK.

If you’re under a severe brute force attack my best advice is the following:

Enable Falcon Engine which will speed up your website and cause Wordfence to block IP’s in your .htaccess file. This is very fast and causes any attacker to consume very little resources.

Next, set your login limits to lock out anyone after 5 failures and to count failures over 1 hour. This will very effectively keep brute force attackers out of your site.

Also make sure you have the Wordfence security network enabled. This will instantly lock out IP’s participating in a distributed brute force attack.

Regards,

Mark.

@mark

Many thanks for highlighting the risks of the Sucuri approach to locking down a dynamic IP address I posted above.

I’m not sure how the guys at my managed server did it, but they set it up so only whitelisted IP numbers can access the admin side. That was our first step at true security (other than the basics such as correct passwords and user names). I then implemented the login URL obfuscation described above both for additional security but also to “disappear” the wp-login URL. I’m not an expert like Mark, but due to defects in WordPress and our low budget I’m forced to do my best. Perhaps I’m doing stuff that’s redundant, or perhaps it takes more server resources than it should, but it seems to be working to some degree.

Problem now is that there are just so many attacks that no matter what you do it’s going to take some server resources, sometimes a lot. And you thought blogging was just writing? Get ready to spend more time trying to be an IT expert.

One has to wonder, when will it all reach critical mass? What’s going to happen to the web when a giant surge of WordPress attacks come from China, Russia, Ukraine, etc. And essentially DDOS shutdown hundreds of thousands of WordPress sites? Yeah, this has happened a bit already, but I see it just getting worse and worse until an armageddon of sorts. Perhaps that’s when we’ll see an entirely new version of WordPress that’s created from the ground up for security? Or perhaps a new version of the internet?

It’s all kind of a joke when you think about it. The amount of time we all spend on this stuff as individuals must be enormous. Probably enough energy to run a small country. If the WordPress developers just put 10% more time and energy into security hardening instead of fooling around with how the admin screen looks, just think how much easier our lives would be, and how much more productive work we’d all get done.

Indeed, one has to wonder if the open source model is really that great. Perhaps if WordPress was a for profit endeavor or at least cost money (like the full ver of Wordfence), and cost a few hundred bucks, would they have more ability and incentive to build better software? Likewise, if OpenSSL was for-profit would we have had Heartbleed? I have to say, at this point I’d gladly fork up $500 or more a year for something that didn’t take so much time to keep running and secure. It’s simply gotten ridiculous. If I billed my time out at $30/hour, I’m easily using $14,000 every year in opportunity costs staying on top of the WordPress back end, mostly due to security issues.

Perhaps I’m dumb and not doing it right, but I’m doing the best I can and just don’t have the cash to actually go out and hire an IT guy, other than paying the guys at my managed server.