WordPress wp-login.php Brute Force Attack
Over the last couple of days a huge threat and nuisance has evolved that is affecting nearly all web hosting providers. This brute force attack is being conducted by a large botnet consisting of thousands of unique IP addresses across the world. The attacker is brute forcing the WordPress administrative login portals (wp-login.php), using the username “admin” and trying thousands of passwords.
One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.
Here are a few of the things you can do to help protect your site from this attack:
- Most Important – Make sure you are running the latest version of WordPress and that all plugins and themes are up to date.
- Remove any outdated or unused themes or plugins. If you are not using the themes or plugins, they are just taking up space and wasting resources.
- Use a secure password. This is vital to avoid your website being brute forced. Minimum recommendations for a strong password:
– At least 8 characters total
– Mixture of upper and lower-case letters
– Numbers and special characters, such as punctuation or other non-alphanumeric characters
Example weak password: password123
Improved strong password:
- Install the WordPress plugin “Limit Login Attempts”. This will limit the login attempts to a set number. Once this limit is reached, the IP will be blocked for a defined amount of time.
- Enable CloudFlare within your cPanel. CloudFlare announced yesterday that they have added rules within their system to prevent this attack. CloudFlare can be enabled in any customer's cPanel account with just a few clicks.
What we are doing on our end to block these attempts
To be honest we have not had to do much. We have actually been unaffected up to this point, unlike many hosting companies that are being crippled by this attack. We believe this is directly related to the Anti-DDoS feature within LiteSpeed Web Server on our LiteSpeed Powered Web Hosting. We have checked the logs over the last couple of days and can see that the Anti-DDoS system has been blocking IPs on a regular basis. The Anti-DDoS feature has always been great for blocking low-level DDoS attacks, but now we can see there are many other benefits of this feature.
While the Anti-DDoS feature has worked great and left us unaffected, we have still taken further measures within each server to further protect our customers from this attack. We won’t go into details about the steps we have taken, so as not to let these attackers gain any further knowledge of what is being done to protect against these attacks and figure out a way to work around it. Our customers should just know that we have taken several steps and they have proven effective against this attack.
While we feel confident that we have successfully blocked this attack for the time being, we are keeping an eye on the situation very closely. Attacks like this can quickly change their approach and we may need to adjust to keep the attack at bay. If we see any drastic changes or notice any incoming effects from this attack, we will inform customers immediately with more information and what steps are required from them or what we are doing to adjust to the attack.