Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • @leejosepho

    Where did I suggest obscurity? I surely hope you are not confusing disabling of content or tightening up perms as obscurity. While security through obscurity is very well known to be an effort that shouldn’t be of primary focus, to say it does not help at all is rather shortsighted.

    There is an entire industry focused around baiting attackers and their methods. Understanding that the majority of these automated attacks use extremely light wordlists is key. Often focus is shifted and combined with placeholders of mixalpha-numeric charsets that are generally minimal in length. Even when this is not the case, the limited dictionary attacks are easily fooled, which sends the bots on their way.

    While you only see a half-dozen and Scott reported a recent 40-50, it’s not (imho) so easily tossed aside. The use of a WAF is an extremely good call as well and given the attack vector, NinjaFirewall fits perfectly. I am not quite sure why your last posts have been negatively aimed at our responses but I do sincerely hope you begin having a better day. I couldn’t really figure out any other real reason as to why you would be so bitter towards us outside of a simple mistake that many have made (and many will continue to make).

    There are still a few options. Unfortunately, with brute-force attacks, even once the targeted content is disabled or moved, the requests are still being processed (just with errors this time around). It’s a big pain, as you know, since it begins to hog up bandwidth and resources.

    Once you have exhausted the options typically used to mitigate/slow down these attacks, such as disabling content, password protecting, limiting access to login by IP, deny by no referrer, modsec, fail2ban, proxying, and big powerful blocklists, there are a few more options to use outside of blackhole routing (I’m sure you don’t want to do that).

    Have you tried nginx’s limit req module? If not I’ll see about typing something up for you as our previous linking was frowned upon.

    There is also a method that is likely also frowned upon here which I will not post to prevent further negative attention. But to give you an idea… the attack’s lifespan is dependent on the size of a wordlist used or brute-force style chosen. Outside of waiting the attack out, there are ways of thwarting the attack by using a weakness in the bot’s willingness to accept certain responses to your advantage.

    I’d suggest the limit req module approach, however, so if you haven’t tried it then give it a quick Google. You may very well be able to address this in a few minutes if the other options I posted a few paragraphs ago have been attempted unsuccessfully.

    WP Community, @andrew, and @scott,

    Please allow me to take a moment to apologize if any offense was taken or if any rules have been broken. I assure you that only the best intentions were in place.

    No access was requested, nor provided. In addition, no requests for services above and beyond what is provided here on the forum were suggested.

    Not everyone wishes for their information to be shared publicly, simply trying to respect that. Especially considering, it’s well known that bots scrape forums like these for potential targets.

    Again, apologies for any issues.

    @andrew,

    I’ve asked Scott some specific questions that he may not want to specifically provide publicly. Once our conversation has completed, I’m more than willing to share the verdict reached here on the thread.

    Hey Scott,

    If you’re currently using Cloudflare (on high), currently denying IP addresses via nginx and are still receiving notifications that login attempts are being made, there’s a possibility those are delayed messages still trickling in. However, if they are live and accurate notifications you may have something more serious on your hands.

    [Moderated]
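
The nginx limit req module suggested in the replies above, applied to the WordPress login endpoint, as an added example that is not part of the original posts. The zone name, rate, burst, server name, document root, PHP-FPM socket path and the trusted proxy range are all assumptions or placeholders; the real-IP lines cover the Cloudflare setup mentioned in the last reply.

```nginx
# Added example, not from the original thread. Values marked "placeholder"
# or "assumed" must be replaced with the site's own.

# --- http {} context ---
# One shared-memory zone keyed by client address. 10m holds roughly
# 160,000 address states. rate=6r/m allows one login request per 10 s.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=6r/m;

server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/html;               # placeholder

    # Behind a proxy such as Cloudflare, every request arrives from the
    # proxy's address, so the limit would hit all visitors at once.
    # Restore the client address first (ngx_http_realip_module).
    set_real_ip_from 192.0.2.0/24;    # placeholder: list the proxy's published ranges
    real_ip_header CF-Connecting-IP;

    # Answer throttled requests with 429 instead of the default 503,
    # and log rejections at "warn" so log-based tools can match them.
    limit_req_status 429;
    limit_req_log_level warn;

    location = /wp-login.php {
        # Allow a burst of 3 extra requests without delay, reject the rest.
        limit_req zone=wplogin burst=3 nodelay;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Rejected requests are answered by nginx before they reach PHP, so they cost far less than failed logins processed by WordPress. Check the result with `nginx -t` before reloading.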
