WordPress Has Gone Away message in Error Log Files – BFD Attacks
I have found numerous complaints on the Web about error log files loaded up with messages starting with “WordPress database error MySQL server has gone away for query …”.
While these are normal SQL messages that depict a runaway process, in my own log files these messages are most often associated with Brute Force Dictionary attacks that are trying to get into the WordPress admin accounts.
You can tell because they are piling up errors rapidly from unknown IP addresses (often the same IP address makes many attempts).
Have been using IP blocking to prevent unauthorized access to the admin accounts (server level, in forums, and in blogs).
Have also been renaming login pages so the bots cannot find them.
Not all my admin accounts are called “admin”; they’ll try a random list of possible user names, too. Hence, renaming “admin” user is pretty much a waste of time if you have published any content as that user.
Have also implemented a universal “DENY ALL” for wp-login.php (which no longer exists on my blogs) in .htaccess.
The bots won’t stop because you rename stuff. So I’m not sure what they’re doing to trigger these SQL errors. The referrer data they provide is faked.
Here is the first entry for one IP address in one of my logfiles:
[Tue Oct 08 05:02:51 2013] [error] [client 37.59.18.34] WordPress database error Lost connection to MySQL server during query for query SELECT autoload FROM wp_options WHERE option_name = ‘_transient_doing_cron’ made by require(‘wp-blog-header.php’), require_once(‘wp-load.php’), require_once(‘wp-config.php’), require_once(‘wp-settings.php’), do_action(‘init’), call_user_func_array, wp_cron, spawn_cron, get_transient, delete_option
It looks like the attack began about 1 minute before that particular entry but I cannot be sure.
Does anyone know which WordPress scripts would trigger this kind of error? I suspect it’s coming from one of these plugins, which are common to all the blogs being attacked:
AKISMET
LIMIT LOGIN ATTEMPTS
RENAME WP-LOGIN.PHP
STOP FORUM SPAMMERS
I am pretty sure it’s not “RENAME WP-LOGIN.PHP” as I only started using that plugin a little over a week ago and these attacks have been going on for months.
I don’t know enough about WordPress’ interactions with PHP and SQL to really understand what is going awry. But further on in the log file I do see that attempts to connect from LIMIT LOGIN ATTEMPTS are failing. Maybe this is all due to that one plugin being overwhelmed, but I can’t see what is going wrong. The error messages are associated with different SQL functions, not just attempts to add spammer IDs to the database.
The BFDs are not just targeting WordPress. They are also going after server-level admin access to Telnet, Dovecot (email), and FTP services. I disable these services when I don’t need them. And we have a VBulletin forum that is also blocking automated registrations. We also use a Linux firewall to block all access from malicious IPs (mostly in Asia and eastern Europe) so there are no logs for that activity once an IP address is added to the firewall.
Any suggestions on what the WordPress/SQL issue may be will be appreciated.
- The topic ‘WordPress Has Gone Away message in Error Log Files – BFD Attacks’ is closed to new replies.
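The pattern the post describes, dropped-connection database errors piling up quickly from one client IP, can be checked for mechanically. The following is an added example, not part of the original post: it assumes the error-log format of the entry quoted above, and the 5-errors-in-60-seconds threshold, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Error-log prefix as it appears in the entry quoted in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] \[error\] "
    r"\[client (?P<ip>[0-9A-Fa-f.:]+)\] WordPress database error (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
DROPPED = ("MySQL server has gone away", "Lost connection to MySQL server")


def parse(line):
    """Return (timestamp, client_ip) for a dropped-connection error, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("msg").startswith(DROPPED):
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each IP to (peak_count, window_start) where peak_count >= threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = parse(line)
        if hit:
            by_ip[hit[1]].append(hit[0])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(ip, (0,))[0]:
                bursts[ip] = (count, stamps[start])
    return bursts


# Constructed sample lines (documentation-range IPs), not taken from a real log.
_T0 = datetime(2013, 10, 8, 5, 2, 0)
_ROW = "[{}] [error] [client {}] WordPress database error {} for query SELECT 1"
SAMPLE = [_ROW.format((_T0 + timedelta(seconds=5 * i)).strftime(TS_FMT),
                      "203.0.113.7", DROPPED[0]) for i in range(6)]
SAMPLE += [_ROW.format((_T0 + timedelta(minutes=10 * i)).strftime(TS_FMT),
                       "198.51.100.20", DROPPED[1] + " during query") for i in range(2)]
SAMPLE.append("[Tue Oct 08 05:03:00 2013] [error] [client 203.0.113.7] File does not exist: /x")

if __name__ == "__main__":
    for ip, (count, since) in find_bursts(SAMPLE).items():
        print(f"{ip}: {count} dropped-connection errors within 60s from {since}")
```

An IP that appears only occasionally with these errors is left out of the result, which separates the rapid same-IP pile-up from an ordinary database timeout.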