Hello. For the past 36 hours my site has been under attack on the username admin. I have changed the login page, extended the lockout to 5 hours and made a block whenever anyone tries to log in with the admin username. For the first 12 hours there were fewer than 5 bans, in which the IP was not recorded, as the site was only banning an IP for 15 mins and it gave the user 5 chances. I saw it and didn't take it seriously but just tightened the security, and I got over 40 attacks from different IPs. Each IP is banned immediately after trying to log in with the username, but still... It's really like spamming on me. The site was getting attacked continuously, 10 times, like 11 hours ago, and the attacks slowed to one attack per hour. Is there a possible way to block this? I don't mind the hacker hacking into the 'Admin' username account, but getting noticed about this attack is hard. The IPs are from different countries, and some have sites hosted on them which seem fake, and some are adult sites. Here is the IP list:
195.154.178.51
217.147.85.95
182.160.155.72
193.255.83.100
109.228.18.144
185.28.22.76
72.229.33.46
95.110.145.224
182.160.155.72
37.139.19.122
199.201.88.64
125.212.220.77
95.110.145.224
195.154.178.51
217.160.235.116
141.101.105.219
185.28.22.76
217.147.85.95
207.58.135.162
216.70.90.99
74.208.111.148
92.60.123.168
198.89.122.74
166.78.169.147
213.229.121.124
129.121.182.100
162.42.239.248
93.189.94.143
195.154.117.65
23.253.90.79
37.187.37.199
133.242.22.177
209.148.90.10
82.165.143.210
216.70.107.236
ALL IPS ARE LINKED TO www.ip-adress.com JUST IN CASE YOU WANT TO CHECK. I am using WordPress with iThemes Security.
This is why so many WordPress sites get hacked: not changing the default admin username. They will give up eventually.
In my case the admin username doesn't exist, but I just created an account with subscriber permission. Anyone trying to log in as admin with the right password will be locked out as well, including myself. My super admin user and pass are both randomly generated characters, and it will take a person years to find the right combination of both through brute-force attacks. My problem here is how to ban these IPs from getting into the site. They use up my bandwidth. And I posted the IPs so that people who can submit them to big blacklist sites can submit them too. 125.212.220.77 One more IP from when I was busy posting.
https://wordpress.org/plugins/ip-address-blocker/ may help a bit, but you should keep in mind these types of things are automated. I am getting 50 a day from folks trying to break into my VPS. The odd thing is, out of 1000's they have yet to even guess a user name, so it's a complete waste of their time. I have also been using this for WordPress with 100% success: https://wordpress.org/support/plugin/theme-my-login Hope that helps, Nigel
Heh, it's really not hard to lock down WordPress, but it seems easier when done out of necessity. Folks don't take action until stuff has been hacked. Nigel
Yup, most of them. I had my security weak before this, because I was sure that no one could find the combination of both username and password for at least some years. I will try the plugins.
We can see that WordPress is the most used on the internet, but there is also a major possibility that it will get hacked soon. It's compulsory for everybody to keep WordPress updated, and this will help them stay protected from attacks. The passwords should be strong enough, with a combination of several characters and special symbols.
There are several WordPress admin brute-force bots going around. If you are the only person who logs into the admin, block wp-login.php to all but your IP address in .htaccess. Replace xxx.xxx.xxx with your IP.

ErrorDocument 403 "403"
<Files ~ "^wp-login\.php$">
    Order allow,deny
    Deny from all
    Allow from xxx.xxx.xxx
    Satisfy All
</Files>

If there are reasons you cannot do that (you don't have a dedicated IP, for example), change the WP admin login URL (search for "rename WordPress login" in WP plugins) and then block access to wp-login.php. Some of these bots will continue to hit the site for hours on end despite the block, so the ErrorDocument 403 "403" line reduces the resources consumed by the attack to a negligible amount.
Mine is a dynamic IP. My biggest drawback on every kind of site I own. That's OK; I increased the lockout period for IPs up to 1440 mins and the IPs listed above are blocked forever. Fewer than 2 attacks a day now.
These WP and Joomla brute force attempts have got crazy lately. I've seen them on many servers. One thing that does work is using some mod_security rules (there are a few different ones out there to use) and then setting up CSF to ban on mod_sec alerts. That will eventually get it cleared up. Amazing how, even in this age, just a few IPs can kill a server with PHP executions. You really gotta prepare for it or you will have outages.
We recommend you disable all security plugins (they read and write to the database heavily) and do the following:
1. Install "Limit Login Attempts" and set it to a low number (2-5 tries before lockout per IP).
2. Temporarily lock out all IPs except yours for wp-login.php: create a .htaccess file in /wp-admin/ and insert the following (put your IP address in place of x.x.x.x).

# Block access to wp-admin.
order deny,allow
allow from x.x.x.x
deny from all

3. If it's a VPS, file a ticket at TransNOC.com/open and we'll help you set up Fail2Ban and/or CSF on your server.
4. Deny requests from those with no valid referrer in .htaccess:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} (wp-comments-post|wp-login)\.php
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

Change example.com to your domain.
The mod_security rules for the WP brute force work well. We had a huge problem with this until I set it up. You use a good base ruleset like the Comodo WAF, and then you use CSF and make sure you have it set to block on something like 10 modsec failures. Here is the single rule for the WP brute force; put it in a config file and include it from httpd.conf. The modsec rules for Joomla brute force are in the Comodo WAF by default.

<IfModule mod_security2.c>
# This has to be global, cannot exist within a directory or location clause.
# Every rule needs a unique id; the SecAction gets its own so it does not clash with the first SecRule.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10010

<Location /wp-login.php>
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

# Setup tracking. On a successful login a 302 redirect is performed; a 200 indicates the login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300"
</Location>
</IfModule>
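As an added illustration (not code from this thread, from mod_security or from iThemes Security), here is the counting logic of the rule above written as a small Python detector that runs over Apache combined-format access log lines: a POST to /wp-login.php answered with 200 counts as a failed login, a 302 resets the counter, and more than 15 failures inside 3 minutes bans the IP for 5 minutes. The decaying counter that deprecatevar gives you is approximated here with a sliding window, and a banned IP's requests are not counted, just as the deny in phase 2 keeps them from reaching the phase-5 tracking rules. The class name, function names, thresholds as constants, the log lines and the documentation-range IPs are all my own constructions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds mirror the mod_security rule above: >15 failures in 180 s => 300 s ban.
WINDOW_SECONDS = 180
MAX_ATTEMPTS = 15
BLOCK_SECONDS = 300

# Apache "combined" log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class WpLoginBanner:
    """Per-IP failed-login tracker with a temporary ban (hypothetical helper)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent 200 responses
        self.banned_until = {}              # ip -> datetime the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # ban expired, forget it (expirevar)
            del self.banned_until[ip]
            return False
        return True

    def feed(self, line):
        """Process one access-log line.

        Returns 'ignored' (not a wp-login POST, or unparseable), 'banned'
        (request from a banned IP, or the request that triggered the ban),
        'reset' (302 = successful login) or 'counted' (200 = failed login).
        """
        m = LOG_RE.match(line)
        if not m:
            return "ignored"
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            return "ignored"
        ip = m["ip"]
        now = datetime.strptime(m["ts"], TS_FMT)
        if self.is_banned(ip, now):
            return "banned"
        status = m["status"]
        if status == "302":
            self.failures[ip].clear()       # like setvar:ip.bf_counter=0
            return "reset"
        if status != "200":
            return "ignored"
        window = self.failures[ip]
        window.append(now)
        cutoff = now - timedelta(seconds=WINDOW_SECONDS)
        while window and window[0] < cutoff:
            window.popleft()                # sliding window stands in for deprecatevar
        if len(window) > MAX_ATTEMPTS:
            self.banned_until[ip] = now + timedelta(seconds=BLOCK_SECONDS)
            window.clear()
            return "banned"
        return "counted"


def make_line(ip, seconds, status, method="POST"):
    """Build a constructed combined-format log line `seconds` after a fixed epoch."""
    ts = datetime(2014, 1, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} /wp-login.php HTTP/1.1" '
            f'{status} 3214 "-" "Mozilla/5.0"')


# Constructed sample traffic (documentation-range IPs, not the ones posted above).
SAMPLE_LOG = (
    [make_line("203.0.113.5", 2 * i, 200) for i in range(16)]   # 16 failures in 30 s
    + [make_line("203.0.113.5", 40, 200)]                         # still inside the ban
    + [make_line("198.51.100.7", 41, 200),                        # legit user: two typos...
       make_line("198.51.100.7", 45, 200),
       make_line("198.51.100.7", 50, 302)]                        # ...then a successful login
    + [make_line("203.0.113.5", 440, 200)]                        # ban expired, counted again
    + [make_line("203.0.113.5", 500, 200, method="GET")]          # GET is not a login attempt
)


def run(lines):
    """Feed every line to a fresh banner and return the per-line verdicts."""
    banner = WpLoginBanner()
    return [banner.feed(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(f"{verdict:8} {line[:60]}")
```

Running it on the sample shows the same behaviour the rule describes: the sixteenth failure trips the ban, the next request from that IP is refused without being counted, a legitimate user's two mistakes are wiped by the 302 on success, and after the 300 s expiry the attacker's counter starts from zero again. The one behavioural difference from the ModSecurity version is the window: deprecatevar subtracts one from the counter every 180 s, whereas the deque drops individual attempts once they are older than 180 s, which is slightly stricter on slow, steady attackers.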
You must update your WordPress site regularly. This will help protect your website from attacks. The password must contain special characters so that it cannot be cracked easily.