• I have a WordPress site that is under attack.

    I am using the limit login attempts plugin. So I get an email for every failed attempt. I have had about 30 attempts today each one using a different IP, about 30 mins apart (as my plugin is blocking that IP on a failed attempt).

    I am using nginx and have made /wp-admin hidden so it returns forbidden.

    I have also changed wp-login.php to wp-login.php_somethinghere

    But for some reason it's not stopping the attempts. My guess is that the hacker must be using a proxy server and posting directly to a file, but which one? Any ideas?

    Thanks!

    IP list so far in case it helps in some way:
    118.233.70.30
    180.59.50.128
    39.32.199.149
    79.145.164.4
    167.114.65.164
    77.69.112.109
    46.121.15.5
    158.58.234.54
    213.10.32.143
    175.156.93.187
    188.129.70.61
    197.33.38.181
    88.101.96.99
    94.230.84.105
    79.177.108.110
    103.17.100.19
    210.186.202.223
    154.73.58.75
    84.50.17.141
    161.0.114.2
    84.117.177.188
    79.118.2.76
    191.112.79.22
    79.175.76.39
    186.188.59.171
    178.164.239.156
    62.113.0.40
    41.104.65.205
    188.247.74.185
    62.201.234.172
    105.236.232.213
    46.120.162.182
    190.163.215.166
    75.185.243.125
    121.54.47.162
    39.7.55.179
    77.196.18.14

Viewing 10 replies - 16 through 25 (of 25 total)
  • Thread Starter Scott Paterson

    (@scottpaterson)

    @andrew – All I did was provide the URL to my site, I did not (and will not) allow anyone to login to the admin section of my website.

    But I really appreciate and thank you for caring about this subject – other users may not be aware of the dangers of providing admin access.

    Thanks,
    Scott

    WP Community, @andrew, and @scott,

    Please allow me to take a moment to apologize if any offense was taken or if any rules have been broken. I assure you that only the best intentions were in place.

    No access was requested, nor provided. In addition, no requests for services above and beyond what is provided here on the forum were suggested.

    Not everyone wishes for their information to be shared publicly, simply trying to respect that. Especially considering, it’s well known that bots scrape forums like these for potential targets.

    Again, apologies for any issues.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Side note and completely off topic:

    Hi @davler-labs and welcome to the WordPress support forums.

    First off, thanks for helping out Scott. These are support forums and you were providing free support on your own time.

    Not everyone wishes for their information to be shared publicly, simply trying to respect that. Especially considering, it’s well known that bots scrape forums like these for potential targets.

    Yeah. No.

    *Drinks coffee, says coffee is good*

    Here’s why the reaction was that way: there have been people who have used and continue to use these forums for harvesting work for cleaning up compromised sites.

    Please be aware, I am not doubting your good intentions! Honest.

    These forums aren’t for picking up work, they’re for free volunteer support. It’s really discouraged when someone seeks contact outside of the forums because it has led to abuse in the past. At least two companies have earned lifetime bans for chasing users home and pestering them with paid support solicitations.

    I repeat: I’m not doubting you and your intentions! But I just want to help you understand why moderators are cautious.

    If someone needs help in these forums then they should be prepared to share non-sensitive data here. No one else should log in, take a look, etc. outside of these forums for someone else. That’s just not safe and as you’ve indicated there’s a lot of bad people out there.

    If a person with a problem like that needs a greater level of support then they need to look elsewhere. That’s why you’ll see https://jobs.wordpress.net/ referenced a lot.

    If they’re willing and able to then there is often a lot of good support here. Users have been able to get themselves out of a jam with that good advice.

    Now back to the regularly scheduled topic: Scott, I'm glad it looks like this is working out for you.

    Thread Starter Scott Paterson

    (@scottpaterson)

    Update:

    Changing wp-login.php to 600 permissions did not solve the problem. Since yesterday evening when I did that I have had about 40-50 login attempts (each still from a different IP).

    Any idea what is going on or how to fix it?

    Thanks,
    Scott

    Any idea what is going on….

    One or more people decided they don't like you and have decided to hit your site from random IPs with scripts to try and break in.

    …or how to fix it?

    There’s really nothing you can do besides what you’ve done.

    Since yesterday evening when I did that I have had about 40-50 login attempts…

    That's actually a low number of attempts in comparison to some site logs I've seen. If you look at your raw 404 logs, you'll be surprised at the amount of garbage/bot/hacker traffic to your site. That's life on the Internet.

    There are still a few options, unfortunately with brute-force attacks even once the targeted content is disabled or moved the requests are still being processed (just with errors this time around). It’s a big pain as you know since it begins to hog up bandwidth and resources.

    Once you have exhausted the options typically used to mitigate/slow down these attacks such as disabling content, password protecting, limiting access to login by ip, deny by no referrer, modsec, fail2ban, proxying, and big powerful blocklists there are a few more options to use outside of blackhole routing (I’m sure you don’t want to do that).

    Have you tried nginx’s limit req module? If not I’ll see about typing something up for you as our previous linking was frowned upon.

    There is also a method that is likely also frowned upon here which I will not post to prevent further negative attention. But to give you an idea… the attack's lifespan is dependent on the size of the wordlist used or the brute-force style chosen. Outside of waiting the attack out, there are ways of thwarting the attack by using a weakness in the bot's willingness to accept certain responses to your advantage.

    I'd suggest the limit req module approach however, so if you haven't tried it then give it a quick Google. You may very well be able to address this in a few minutes if the other options I posted a few paragraphs ago have been attempted unsuccessfully.
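    The limit req module mentioned in the post above, written out as an added example; this is not configuration from the thread or from any poster. The zone name wplogin, the 10m zone size, the 1r/m rate, the burst of 3, the php-fpm socket path, the server name, the document root and the placeholder addresses are all assumptions chosen for illustration.

```nginx
# Added example (not from this thread): throttling wp-login.php with nginx's
# ngx_http_limit_req_module. Zone name, size, rate, burst, socket path and all
# addresses below are assumed values, not taken from the original discussion.

http {
    # One leaky bucket per client address keyed on $binary_remote_addr; a 10 MB
    # zone holds on the order of 160,000 addresses. 1r/m is enough for a person
    # to log in but not for a script that retries passwords every few seconds.
    limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/m;

    # Answer throttled requests with 429 instead of the default 503 so they are
    # easy to tell apart from real backend failures in the access log
    # (limit_req_status is available from nginx 1.3.15).
    limit_req_status 429;

    # Log every throttled request; these error-log lines are what a fail2ban
    # jail or a log search can key on to spot a sustained attempt.
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;          # placeholder
        root /var/www/html;               # placeholder
        index index.php;

        # If the site sits behind a reverse proxy or CDN, every request would
        # otherwise carry the proxy's address and share a single bucket. Restore
        # the client address from X-Forwarded-For, but only for trusted proxies.
        # set_real_ip_from 203.0.113.10;  # placeholder proxy address
        # real_ip_header X-Forwarded-For;

        # The login endpoint gets its own exact-match location so the limit
        # applies only here. burst=3 nodelay admits the page load plus a couple
        # of submits at once; anything beyond that within the minute gets a 429
        # immediately instead of being queued.
        location = /wp-login.php {
            limit_req zone=wplogin burst=3 nodelay;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed php-fpm socket
        }

        # Keep the dashboard reachable only from the administrator's own
        # address, as the thread starter already restricted /wp-admin.
        location ^~ /wp-admin/ {
            allow 198.51.100.7;           # placeholder: administrator address
            deny all;
            location ~ \.php$ {
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass unix:/run/php/php-fpm.sock;
            }
        }

        # Remaining PHP (front end, REST, cron) is served unthrottled.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    }
}
```

    Run `nginx -t` before reloading. Two caveats worth keeping in mind: the bucket is per client address, so the pattern described earlier in the thread (a single attempt from each of many different IPs) will mostly pass through the limit and only show up in the logs, which is still useful as a detection signal; and restricting /wp-admin/ by address also restricts /wp-admin/admin-ajax.php, which some plugins call from the public front end, so that path may need its own exception.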

    Obscurity does not help and there is really little to be gained by baiting ‘bots. NinjaFirewall can stop some requests before they ever even reach WordPress, and I only ever see maybe a half-dozen bogus login attempts per week.

    Thread Starter Scott Paterson

    (@scottpaterson)

    @songdogtech Thanks. It would seem so, it's a pretty popular website, so eventually someone is not going to like you.

    @leejosepho I'll definitely check out NinjaFirewall, thanks!

    I am a programmer and am curious about the technical details of how a bot/script/person can attempt to post data to a PHP form (in this case wp-login.php) if the page is set to 600, so that Nginx returns a 403 Forbidden. Like, how is that even possible technically?

    Yes, it might only be a few hundred attempts per week, but when you stretch that over years we are talking about hundreds of thousands of login attempts. Even with a good password, it's a little unsettling.

    Thanks,
    Scott

    @leejosepho

    Where did I suggest obscurity? I surely hope you are not confusing disabling of content or tightening up perms as obscurity. While security through obscurity is very well known to be an effort that shouldn’t be of primary focus, to say it does not help at all is rather shortsighted.

    There is an entire industry focused around baiting attackers and their methods. Understanding that the majority of these automated attacks use extremely light wordlists is key. Often focus is shifted and combined with placeholders of mixalpha-numeric charsets that are generally minimal in length. Even when this is not the case, the limited dictionary attacks are easily fooled which send the bots on their way.

    While you only see a half-dozen and Scott reported a recent 40-50, it’s not (imho) so easily tossed aside. The use of a WAF is an extremely good call as well and given the attack vector, NinjaFirewall fits perfectly. I am not quite sure why your last posts have been negatively aimed at our responses but I do sincerely hope you begin having a better day. I couldn’t really figure out any other real reason as to why you would be so bitter towards us outside of a simple mistake that many have made (and many will continue to make).

    @Davler Labs: No bitterness here and I do not recall the last time I had a bad day! I sensed from the beginning of this thread exactly what I had said:

    Bolting a door closed [or hiding it or even removing it altogether or setting up a false one] does not stop people from knocking, so I would guess you are getting knock reports.

    Progress has been made since that time, and everyone here has in one way or another contributed to the overall experience.

  • The topic ‘WordPress site under attack’ is closed to new replies.