
What's The Best Way To Deal With Blunt Force Attacks On Login Screen


Planet13

6:52 pm on Aug 20, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi all:

The wordpress login page is - according to my log stats - the most popular page on my site. I am pretty sure that it is blunt force attacks trying to hack my site.


While I am not too worried about them actually hacking my site, since I have a strong password, I am concerned that I KEEP GOING OVER MY BANDWIDTH LIMIT set by my host.

Do you have recommendations on how to deal with this?

Again, my MAIN concern is my bandwidth usage first, then actual security second.

Also, it appears that the wordpress comments page is being attacked as well, so I would like to deter those attacks, too. I don't get many spam comments because of the captcha plugin I use, but again, I don't want all my bandwidth used up by these attacks.

BTW: I just installed the wordfence plugin yesterday. Haven't really had a chance to see if the failed login attempts lockout feature will be effective or not. There doesn't seem to be any sort of lockout for comments, though.

bhartzer

4:50 pm on Aug 27, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



On my WordPress sites, I've done a few things:

First, I moved the site to https from http

Then, I went ahead and installed the Wordfence plugin, which helped automatically block a lot of login attempts.

Then, what really made the difference for me was adding Cloudflare, which blocks a lot of bad traffic before it even hits my server.

For me, it's the combination of https, WordFence, and Cloudflare that has literally stopped just about all of the login attempts--and it was constant.

brotherhood of LAN

5:03 pm on Aug 27, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a multi-site wordpress installation on a dedicated server, though the publicly viewable wordpress sites are shown via shared hosts and fetch the content from the dedi.

There's some caching rules on the shared hosts and requests to /wp-admin/ lead to nothing. Calls to the dedi server require a cookie that decides whether to show the content or not. The content is stored in compressed format on the shared host and decompressed for clients who lacked an Accept-Encoding client header.

If I were to have the admin on the shared hosts, whitelisting IP would definitely be the way to go... but Cloudflare and the like are good if you hate cluttered logs or think the requests are taking up too many resources.

wheel

9:11 pm on Aug 27, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



1997 called. They want their bandwidth caps back.

Seriously - hosting companies still have bandwidth limits?

Get a new hosting company that doesn't have stone age policies.

If the hacks are actually using so much bandwidth that it's a real issue - like 10's of gigs or more, then your hosting company should be blocking these requests before they even hit your site - basically as a DOS attack.

You could do two other 'easy' fixes. One, put an .htaccess file in the /wp-admin so that there's a preliminary password challenge before it even gets to the page. Secondly, you could deny the wp admin panel by IP, open it only to your IP address (or the IP range of your personal ISP). That'd deny all requests to the page before they get served.

But still, bandwidth cap? It's like the Sony Walkman of the hosting industry.

jk3210

12:18 am on Aug 28, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<IfModule mod_rewrite.c>
RewriteEngine on
# Return 403 for the login script and for the admin directory index (with or
# without the trailing slash) unless the request comes from the one listed
# address. Replace xxx.xxx.xxx.xxx with your own public IP address.
# Note: /wp-admin/admin-ajax.php is deliberately not covered, since front-end
# plugins call it for anonymous visitors.
RewriteCond %{REQUEST_URI} wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin/?$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule ^ - [F]
</IfModule>

I installed this code on 20+ sites a year ago and it stopped the attacks cold, but just 12 hours ago the attacks somehow started getting past it and are now being caught and locked out by the Limit Login Attempts plugin. I have no idea how they are getting past the htaccess code.

Also, in addition to "admin" they are attempting to use various posts' author names as possible login usernames.
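An added illustration (not code from the thread): this Python script replays constructed Apache access-log lines against the two REQUEST_URI conditions posted above, reporting which login-related requests those conditions would match and how many bytes each client pulled. The log lines, client IPs, paths and byte counts are invented for the example.

```python
import re
from collections import Counter

# Constructed Apache combined-log sample (not from the thread); IPs, paths and
# byte counts are invented for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2014:00:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Aug/2014:00:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Aug/2014:00:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 512 "-" "curl/7.30"
198.51.100.9 - - [28/Aug/2014:00:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "curl/7.30"
192.0.2.44 - - [28/Aug/2014:00:02:00 +0000] "GET /wp-admin HTTP/1.1" 302 480 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')

# The two REQUEST_URI conditions from the posted .htaccess, as Python regexes.
POSTED_CONDS = [re.compile(r'^(.*)?wp-login\.php(.*)$'), re.compile(r'^(.*)?wp-admin$')]
# Login-related paths worth watching on a WordPress site (xmlrpc.php included, as the thread mentions it).
LOGIN_PATHS = re.compile(r'wp-login\.php|/wp-admin(/|$)|/xmlrpc\.php')

def parse(log_text):
    """Yield one dict per parseable log line; a '-' byte count becomes 0."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec

def rule_matches(uri):
    """True if either posted RewriteCond on REQUEST_URI would fire for uri."""
    return any(c.search(uri) for c in POSTED_CONDS)

def audit(log_text):
    """Return (bytes_per_ip, uncaught): bytes served per client on login-related
    paths, and a count of those URIs the posted conditions do not match."""
    bytes_per_ip, uncaught = Counter(), Counter()
    for rec in parse(log_text):
        if not LOGIN_PATHS.search(rec["uri"]):
            continue
        bytes_per_ip[rec["ip"]] += rec["bytes"]
        if not rule_matches(rec["uri"]):
            uncaught[rec["uri"]] += 1
    return bytes_per_ip, uncaught

if __name__ == "__main__":
    per_ip, missed = audit(SAMPLE_LOG)
    print(per_ip.most_common(), dict(missed))
```

On the sample, `/wp-admin/` (trailing slash) and `/xmlrpc.php` are the URIs the posted conditions leave untouched, so requests for them still reach PHP and still count against the bandwidth cap.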

graeme_p

5:06 am on Aug 28, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@lorax, what I have in mind is not deleting or renaming files, but blocking the files using .htaccess - just returning 404 for anything that matches blocked files or directories. Does that broaden the list of what I can usefully and safely block beyond xmlrpc?

travelin cat

12:52 pm on Aug 28, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



We use the iThemes security plugin. It not only locks out either hosts by ip or users after a predetermined amount of failed login attempts, it also logs the ip addresses which you can have permanently banned via htaccess. You can also use the plugin to change the address of the login page and you can control xml-rpc functions.

Without sounding like a spokesman for the plugin, it also does:
Whitelist/Blacklist of IP's
Lockouts of users hitting your website for vulnerabilities by logging 404's and banning excessive ones
An away mode that completely disables the login page at predetermined intervals, so if you are not touching the site at night, you can prevent anyone from accessing the login page.
File change notification
Scanning for Malware
Creating scheduled backups
Changing your database prefix
Create logs of all attacks and actions

...and much more.

stormy

10:55 am on Aug 29, 2014 (gmt 0)

10+ Year Member



Seriously - hosting companies still have bandwidth limits?

Only reputable ones. Every server in every datacenter has got a bandwidth limit. Some hosting companies decide to disguise this under a false "unlimited" name, so you don't even know the amount of bandwidth that you are paying for.

I'll go with a hosting company with clear limits and policies any day.

A good hosting company can also use some custom mod_security rules to protect wp-login.php. Ask them.

graeme_p

11:05 am on Aug 29, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@stormy, agreed. There is always a bandwidth cap or charge somewhere. The host I use for PHP and static sites is pay as you go, so I pay for all my bandwidth use (against prepaid credit). It works out cheap (as I only have small sites there) and I know exactly where I am.

dingloo

11:52 am on Aug 29, 2014 (gmt 0)

10+ Year Member



I used to be tortured by this earlier. I use the following code in the .htaccess in my wp-admin folder and it works like a charm. I can add any number of IPs or CIDRs and don't have to worry about dynamic IPs as I can keep adding any number when I want.

Hope this helps.

Regards,
Dingloo


#Block access to wp-admin except for the listed IP addresses.
#This is the Apache 2.2 Allow/Deny syntax; Apache 2.4 only accepts it with
#mod_access_compat loaded (the native 2.4 form is "Require ip ...").
#With "order deny,allow", Deny is evaluated first and Allow last, so the
#"allow from" lines below override "deny from all" for the listed addresses.
#Each "allow from" may be a single IP or a CIDR range (e.g. 203.0.113.0/24).
order deny,allow

#Host Server - Required for Cron Jobs
allow from xxx.xx.xx.xxx

#Work Server
allow from xx.xxx.xx.xx

#Home dynamic IP
allow from xxx.xxx.xxx.xxx

#Denying requests from all other IPs
deny from all
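An added illustration, not dingloo's code: a Python model of the Apache 2.2 Order/Allow/Deny evaluation the snippet above relies on, with a constructed allow list (single IPs and a CIDR range, as the post says) standing in for the masked addresses. It shows that under `order deny,allow` the allow lines override `deny from all`, while the identical lines under `order allow,deny` would lock everyone out.

```python
import ipaddress

# Constructed allow list standing in for the masked addresses in the post;
# entries may be single IPs or CIDR ranges, as Allow from accepts both.
ALLOWED = ["203.0.113.10", "198.51.100.0/24", "192.0.2.77"]

def _in_list(client_ip, entries):
    """True if client_ip falls inside any IP or CIDR entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def apache22_decision(order, client_ip, allow=(), deny=("all",)):
    """Apache 2.2 'Order' semantics for Allow/Deny (mod_access_compat on 2.4).

    order="deny,allow": Deny directives are evaluated first, then Allow; the
    last matching directive wins and the default (nothing matches) is allow.
    order="allow,deny": Allow first, then Deny; the default is deny.
    The literal "all" matches every client. Returns "allow" or "deny".
    """
    def hit(entries):
        return "all" in entries or _in_list(client_ip, entries)

    if order == "deny,allow":
        result = "allow"          # default when no directive matches
        if hit(deny):
            result = "deny"
        if hit(allow):
            result = "allow"      # Allow is evaluated last, so it overrides
    elif order == "allow,deny":
        result = "deny"           # default when no directive matches
        if hit(allow):
            result = "allow"
        if hit(deny):
            result = "deny"       # Deny is evaluated last, so it overrides
    else:
        raise ValueError("order must be 'deny,allow' or 'allow,deny'")
    return result

if __name__ == "__main__":
    for ip in ("198.51.100.42", "203.0.113.99"):
        print(ip, apache22_decision("deny,allow", ip, allow=ALLOWED),
              apache22_decision("allow,deny", ip, allow=ALLOWED))
```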

Planet13

6:50 pm on Aug 29, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"#Host Server - Required for Cron Jobs
allow from xxx.xx.xx.xxx"


I don't know if this matters or not, but since I am on a shared host, I think my site doesn't have a static ip address. I kind of think that was extra (like twice the cost of hosting WITHOUT a static IP address).

Will I still be able to use your code if my IP address is not static?

stormy

8:20 pm on Aug 29, 2014 (gmt 0)

10+ Year Member



@Planet13 you are definitely on a static IP address. The extra you mention would likely be a dedicated IP address, instead of a shared one.

smallcompany

9:14 pm on Aug 29, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Renaming login URL plus limiting login attempts via plugins that are maintained regularly should be sufficient. Plugins I use(d):

Wordfence
iThemes Security (formerly Better WP Security)
BulletProof Security
All In One WP Security & Firewall
...

Check and pick the one you like the most.

... and, for sure, "kill" the admin user name.

Planet13

11:11 pm on Aug 29, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@ stormy:


"The extra you mention would likely be a dedicated IP address, instead of a shared one. "


Thanks for the explanation.

Planet13

3:33 pm on Sep 3, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"1997 called. They want their bandwidth caps back. Seriously - hosting companies still have bandwidth limits?"


It gets worse, my friend...

Actually, this is for an ecommerce site and the ecommerce shopping cart is licensed... so I HAVE to use their servers, basically.

So not only is there a 10Gig bandwidth limit, but there is also a 500meg disk space limit.

I could live with the 500 MB disk space limit... except that their software has a bug that they have acknowledged that keeps writing huge amounts of data to the mysql database. I kept trying to reduce the size of my product photos until I found out that the real culprit was all this nonsense that had to be deleted from the DB.

Oh, and forgot to mention; the shopping cart ISN'T responsive. So 35% of my visitors have a site that looks like crap.

But unless / until I am ready to try out a different shopping cart, I am stuck with this host for now.

travelin cat

4:05 pm on Sep 3, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



35% of my visitors have a site that looks like crap


That statement alone would be enough to move my site.

thecoalman

5:14 pm on Sep 3, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Protect the directory with a .htaccess password.

lorax

7:55 pm on Sep 3, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@graeme_p You can lock everyone but yourself out of wp-admin and then set your directories' permissions to 755 and the rest of your files to 644.

See: [codex.wordpress.org...]


644 means that files are readable and writeable by the owner of the file and readable by users in the group owner of that file and readable by everyone else.

755 is the same thing, it just has the execute bit set for everyone. The execute bit is needed to be able to change into the directory. This is why directories are commonly set to 755.

from: [forums.cpanel.net...]

tictoc

9:46 pm on Sep 3, 2014 (gmt 0)

10+ Year Member Top Contributors Of The Month



Great thread. I have had this problem for so long!

graeme_p

2:04 pm on Sep 4, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@lorax, I think that is how I have the permissions set. It is certainly what I usually do (except where the server runs as another user AND needs to write to file upload directories), although I have not checked that particular site for a while :)

What I am looking for is paths that can be blocked: e.g. /xmlrpc.php, most paths ending in .php, etc.