• Hello,

    I have a site that is running on Debian 7.

    Today fail2ban banned more than 500 IPs.
    A few minutes ago my load average was in the sky.

    On the site I use WordFence, so I block all the IPs that use the login or lost password features more than 2 times.

    But today I got more than 10 login attempts per second with rotation of IPs (I don’t know how many computers they have but this is insane).

    So I thought… I will add a “die;” at the beginning of wp-login.php… but the attempts were still there.

    A few minutes ago I got a DDoS, and after rebooting the server or restarting the services they were still there.

    Now I added a die in xmlrpc.php; I will restart mysql and apache2 to see if this can solve my problem… but is there any way to prevent or fix this?

    Any ideas ?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter 3pepe3

    (@3pepe3)

    Actually, reading all my logs, I have hundreds of connections per second.

    Hey,

    I’ve been getting hacked by some guy as well for the past few weeks. It’s been exhausting, to be honest.

    Earlier the file system got hacked and they were utilizing a ton of bandwidth. Upon deletion of those directories, the “bots” kept pinging the non-existing files, causing a bunch of 404s.
    I fixed this by adding a redirect to all of the highly affected directories/files. The redirect was to 127.0.0.1 — so instead of having 40,000+ instances of 404’s it just redirects.

    I also have had the issue of the xmlrpc.php getting pinged, NON-stop. I disallowed access to this file, which caused a 403, which in turn, I know, means that other WordPress websites won’t be able to send pings/trackbacks to mine.

    I’m still trying to figure out how the hacker is getting into my WordPress site. I’ve got BulletProof, Sucuri, Wordfence, all working together to minimize the risk and track logins.

    In your case, I would install Wordfence, and under settings tell it to immediately ban the IP when trying to login with a non-existing username. Also, tell it to block the IP if they try more than 3 times etc. Make sure to delete the “admin” user account and add the “admin” user account as another way for them to get banned.

    Hope any of this helps. I’m still struggling myself.

    The reason I did the redirect instead of the 404 is because the 404 is utilizing more bandwidth as it pings the database upon each attempt. So instead of using 700 MB of bandwidth it’s down to under 10 MB.

    After you ban the IPs, do you go to the banned IP list (I think that’s what it’s called) and permanently ban them? You can also ban networks. Here’s a post from the Wordfence site:

    https://www.wordfence.com/blog/2013/08/got-a-persistent-scraper-heres-how-to-deal-with-them-permanently/

    I hope this helps.

    Here is what mine looks like
    WordFence Settings – Block Login

    Thread Starter 3pepe3

    (@3pepe3)

    Thanks… I never use an admin account.
    Also, I disable the archive for authors,
    and all my user accounts are e-mails.

    Using e-mail prevents showing the real admin account name in archives, blog authors, etc.

    Ex. [email protected] will result in mepepe.com
    and for all my passwords I use something very simple.
    Ex.
    https://www.this-is-my-super-site.com
    so password would be: +H1$1$m1svp3r$1t3

    Well, tomorrow I will test this :
    add_filter( 'xmlrpc_enabled', '__return_false' );

    I feel that server will be down this night :'(

    Also tomorrow I will try to figure out if fail2ban can handle this.

    Thread Starter 3pepe3

    (@3pepe3)

    Well…xmlrpc has been disabled with
    add_filter( 'xmlrpc_enabled', '__return_false' );

    but now let’s see if there is a filter or action to prevent the password recovery and login attempts using wp-login.php

    maybe the straightforward solution would be in the .htaccess

    Keep me updated, I’d love to know if you get any resolution.

    I checked my logs and my xmlrpc.php is no longer being attacked, after an entire day’s worth of 403 denied requests.

    As far as my hacked site goes, I’m going to look through infected plugins and hopefully find the issue.

    Thread Starter 3pepe3

    (@3pepe3)

    In fail2ban I implemented the following feature:
    https://wiki.linuxservertech.com/index.php?action=artikel&cat=26&id=201&artlang=en
    This is a nice option because on the same server I have several sites, and with this I can be sure that this kind of attack will be blocked (this will work only if they try 2 times… and yesterday that was not the case, it was a different IP each time).

    And maybe I will set up this approach too, but it means that I will need to send an email to each client and I will take the risk that something crashes:
    https://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/

    There are some points that bother me with the wp-login.php file…

    case 'lostpassword' :
    case 'retrievepassword' :

    Why can’t we trigger an action?

    Also, for the last few projects I always change the file structure:

    wp-config.php

    // Detect HTTPS (flag or port 443); otherwise build URLs with plain http://
    $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
    $server_name = $_SERVER['SERVER_NAME'];
    $doc_root = $_SERVER['DOCUMENT_ROOT'];

    define('WP_SITEURL', $protocol . $server_name);

    // Custom content and plugin directories instead of the default wp-content layout
    define('WP_CONTENT_DIR', $doc_root . '/content');
    define('WP_CONTENT_URL', $protocol . $server_name . '/content');

    define('WP_PLUGIN_DIR', $doc_root . '/plugins');
    define('WP_PLUGIN_URL', $protocol . $server_name . '/plugins');

    Now I need to figure out how we can prevent the login attempts on sites where xmlrpc is enabled.

    Also prevent all the “Lost Password” attempts.

    :'( too much work
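    The server-wide approach the post above is circling (fail2ban counting attempts across every site, plus a hook for the lost-password branch of wp-login.php), as an added example that is not code from the thread or from any of the linked pages: a must-use plugin that writes failed logins, lost-password requests and refused XML-RPC logins to syslog, with the matching fail2ban filter in a comment. The plugin prefix, the filter file path and the jail values are assumptions.

    ```php
    <?php
    // Drop-in mu-plugin (wp-content/mu-plugins/, or the renamed content dir from
    // the wp-config.php above): logs failed logins, lost-password requests and
    // XML-RPC login attempts to syslog so fail2ban can ban the source IP once,
    // for every site on the server. Assumption: REMOTE_ADDR is the real client
    // address (no reverse proxy in front of Apache).

    function lal_client_ip() {
        return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    }

    function lal_log( $event, $detail ) {
        // Strip CR/LF so a crafted username cannot forge extra log lines.
        $detail = preg_replace( '/[\r\n]+/', ' ', $detail );
        $host   = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '-';
        openlog( 'wordpress', LOG_NDELAY | LOG_PID, LOG_AUTH );
        syslog( LOG_WARNING, sprintf( '%s from %s host=%s %s', $event, lal_client_ip(), $host, $detail ) );
        closelog();
    }

    // Core fires this with the attempted username after every failed login.
    add_action( 'wp_login_failed', function ( $username ) {
        lal_log( 'Authentication failure', 'user=' . $username );
    } );

    // Core fires this inside retrieve_password() before it validates the request,
    // i.e. in the 'lostpassword' / 'retrievepassword' branch of wp-login.php.
    add_action( 'lostpassword_post', function () {
        $login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : '';
        lal_log( 'Lost password request', 'user=' . $login );
    } );

    // Same filter the thread used, but as a closure so each XML-RPC login attempt
    // is logged before being refused. It only disables the authenticated methods;
    // pingback.ping still reaches xmlrpc.php, so deny the file in Apache for that.
    add_filter( 'xmlrpc_enabled', function () {
        lal_log( 'XML-RPC login refused', '' );
        return false;
    } );

    // Matching fail2ban filter (assumed path /etc/fail2ban/filter.d/wordpress.conf):
    //   [INCLUDES]
    //   before = common.conf
    //   [Definition]
    //   failregex = ^%(__prefix_line)s(?:Authentication failure|Lost password request|XML-RPC login refused) from <HOST> 
    //   ignoreregex =
    // Jail (assumed): logpath = /var/log/auth.log, maxretry = 2, bantime = 86400.
    ```

    Because the messages go to the auth facility, one jail covers all sites on the host, and the per-IP threshold applies to login, lost-password and XML-RPC attempts combined.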

    Thread Starter 3pepe3

    (@3pepe3)

    Once again, in the last days, I was forced to disable xmlrpc on 3 different sites.
    Wordfence detected and locked all the incoming IPs after 2 login failures.
    Wordfence was locking almost 10 IPs per second (and my email account was getting full due to the Wordfence alerts).
