WordPress brute force attacks.

Karandras ([H]ard|Gawd, joined Feb 16, 2001, 1,873 messages)
Hey,
Anyone else here being attacked lots via WordPress? We have about 150 clients, 1/2 of which use WordPress, and the server is being attacked all the time from IPs all over the world. I've implemented fail2ban but that's just a band-aid and I've noticed the attacks are getting worse. Usually they just attack with one IP for a bit then stop for a while, but on the weekend we got hit with a different IP every min for 2 hours. None the same. So while fail2ban worked each time, they still got in 600 attempts (set to ban for 10 min after 5 attempts).

What can I implement in my Apache settings to umbrella the WordPress sites on the server (current and future clients)? I don't really want to go through 75 sites and add in HTTP auth files, that's time consuming.

What are you doing to combat the WordPress attacks?
 
http://blog.thelonepole.com/2013/04/combining-limit-login-attempts-and-fail2ban/
 
Has been happening for years. Limiting logins and/or changing the admin login URL are two good tactics.
 
Hi,
Those ideas are good, however they don't stop the attack from happening. Each attack can cause a load on the server. At one point our server with a normal load of 0.8 was at 24 because of multiple WordPress attacks. Unless the actual login folder is passworded or moved, the load on the server can still happen. The hacker will never get in because the uid is changed, but the attack still managed to get to the server.

Can an IDS or IPS firewall detect/block these attacks before getting to the server?
 
Ah. I'm not sure about the answer to your question, but as far as mitigating the increased server load caused by the brute force goes, the only things I can really think of would be to either use Cloudflare's DDoS prevention service or throw an htpasswd on the login screen.
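
An added example, not part of the original thread: the first post describes a new source IP every minute, so every address stays within the 5-attempt ban threshold while the site as a whole keeps taking login attempts. The Python below counts wp-login.php POSTs per virtual host across all sources; the log layout (virtual host as the first field), the thresholds and the sample traffic are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log layout: virtual host first, then the usual common-log fields.
LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def detect(lines, window=timedelta(minutes=10), site_limit=20):
    """Flag vhosts whose wp-login.php POSTs within one window reach site_limit,
    counted across all source IPs. Returns the busiest window per vhost."""
    recent = defaultdict(deque)   # vhost -> (timestamp, ip) of recent login POSTs
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["vhost"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= site_limit and len(q) > alerts.get(m["vhost"], {}).get("attempts", 0):
            per_ip = Counter(ip for _, ip in q)
            alerts[m["vhost"]] = {"attempts": len(q), "distinct_ips": len(per_ip),
                                  "max_per_ip": max(per_ip.values())}
    return alerts

def sample_log():
    """Constructed traffic: a new source every minute, 5 tries each (the per-IP
    ban threshold from the thread), plus one ordinary login on another site."""
    start = datetime(2013, 4, 20, 2, 0, 0, tzinfo=timezone.utc)
    fmt = '{v} {ip} - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3210'
    lines = []
    for minute in range(12):
        for k in range(5):
            t = start + timedelta(minutes=minute, seconds=10 * k)
            lines.append(fmt.format(v="client-a.example", ip=f"203.0.113.{minute + 1}",
                                    t=t.strftime(TS_FMT)))
    lines.append(fmt.format(v="client-b.example", ip="198.51.100.7",
                            t=start.strftime(TS_FMT)))
    return lines

if __name__ == "__main__":
    for vhost, info in detect(sample_log()).items():
        print(vhost, info)
```

A per-site alert like this can drive a temporary server-wide response (for example, requiring the extra HTTP auth only while a site is under attack) instead of relying on per-IP bans alone.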
 