wp-admin based DDOS

Hi,

It’s not uncommon for people to try and brute force your site, which is the case here. Have a look at https://codex.www.ads-software.com/Brute_Force_Attacks which explains a little bit about what it’s all about.

Ideally your host will have implemented features to block such attacks, if you are hosting it your self then consider looking at the options such as fail2ban on that site as it’s incredibly efficient.

If you do go the custom route, I’ve got some handy rules that I shared over at https://www.clorith.net/blog/fun-fail2ban-wordpress/ for blocking bruteforces on WordPress sites (they are a bit more open than I’d like but they take into account human error etc, if it’s just your self logging in you could easily adjust the rules there)

Marius, the point is that they are NOT trying to brute force the site, they are making no actual attempt to log in, they are not POSTing anything, they are not even hitting wp-login.php – they are particularly using GET on /wp-admin/ and that’s it. They don’t follow the 302 redirect for not being logged in, even though it is generated (the response in apache log is a 302).

If it was a brute force attempt, they would be trying to log in. They are not. That leaves only DDoS as the goal, because nothing else makes sense.

As for Fail2Ban and others, they are not compatible with caching services (I use cloudflare). They would ban the cloudflare addresses and deny normal users the chance to access the site, which would be self-defeating.

Instead I have custom code in both /wp-admin/index.php and wp-login.php which gathers the origin IP (using the cloudflare conversion utility) and uses that to generate a log of failures. The more significant ones I ban with cloudflare. The rest get redirected to sites away from my server, so if they do in fact follow the 302, they don’t get anything indicating wordpress. The code is presented BEFORE any wordpress processing, so that I minimize server load as a result of these “visits”.

I see, well constant traffic against wp-admin certainly isn’t uncommon (could even be something like web scrapers checking for versions numbers etc).

But cloudFlare would detect it if it was a DDoS, they’re quite good like that so I wouldn’t worry -too- much about it ??

Cloudflare does not detect it at all, they seem to be focused only on wp-login.php and xmlrpc style things. This is a pure DDoS attack nothing more and nothing less. I log:

ip / cloudflare ip url requested

to a text file, and logged 120MEG of entries in 8 hours – all trying wp-admin and nothing else.

They hit wp-admin, never follow the 302, never actually ask for wp-login.

My guess is that on a weaker server, this sort of thing would be an effective DDoS, on a site with unmodified wp-admin, they would be creating an insanely high load on the system, as each call to that page fires up database connections and checks to see if the user is logged in and such. it’s not heavy duty, but I am pretty sure it would be enough to TANGO DOWN a virtual. it’s also pretty clear (considering they move from one service to another as soon as I block one) that they have a lot of resources to play with. I think if they really tried, they could even take a much larger server down (if it wasn’t protected).

Oh and Marius, a web scraper doesn’t check version 5000 times an hour… ??