WP sites undergoing Brute Force Attack

[2ndmouse]

I am advised by my service provider (FASTVISION) that Wordpress sites around the globe are currently undergoing a "Brute Force Attack", since 12April.

As a precaution, they are adding an extra layer of security to all WordPress login pages in the form of an additional login dialog.

Has anyone else heard of this attack?

[Pullo]

Hi,

I read about this on the BBC: http://www.bbc.co.uk/news/technology-22152296

Also, on Friday, when I tried to login to my WP backend, it returned a 501 for about two hours.
I phoned my provider and they said that many of their WP customers were reporting this and had no idea what was causing it.
No idea if it was related.

[guido2004]

It could well be related. One of my providers has added an additional login as well to shield off the WP admin login from this attack.

[Pullo]

It could well be related. One of my providers has added an additional login as well to shield off the WP admin login from this attack.

Yeah, they weren't giving very much away when I spoke to them, so it's hard to tell.

I'm pretty paranoid when it comes to security and when setting any WP site, I follow most, if not all of the recommendations to tighten the security (e.g. delete the user "admin", alter the default table prefix, change the file permissions accordingly, and so on ...)

This takes quite a bit of effort at the time, but is invariably worth it when things like this pop up.

[xhtmlcoder]

Brian Krebs (KrebsOnSecurity) did a Blog article on this several days back: Brute Force Attacks Build WordPress Botnet.

[Force Flow]

I haven't noticed anything on my wordpress sites, and there hasn't been an abnormally high number of IP lockouts.

From what I read earlier, the attacks seemed to focus on the hostgator and LiquidWeb hosting providers.

I'm not using either.

[felgall]

I'm pretty paranoid when it comes to security and when setting any WP site, I follow most, if not all of the recommendations to tighten the security (e.g. delete the user "admin", alter the default table prefix, change the file permissions accordingly, and so on ...)

This takes quite a bit of effort at the time, but is invariably worth it when things like this pop up.

If you go to http://bit51.com/software/better-wp-security/ and install that plugin into your WordPress site it can automatically apply all the changes you mention and many more security measures in just a couple of mouse clicks.

[Pullo]

If you go to http://bit51.com/software/better-wp-security/ and install that plugin into your WordPress site it can automatically apply all the changes you mention and many more security measures in just a couple of mouse clicks.

Yeah, I had done that already (paranoid, see )
I also recommend the Login Lockdown plugin which can protect against the kind of attack in question.
I know the plugin page says it hasn't been updated in a while, but it still works exactly as it should.

[felgall]

Yeah, I had done that already (paranoid, see )
I also recommend the Login Lockdown plugin which can protect against the kind of attack in question.
I know the plugin page says it hasn't been updated in a while, but it still works exactly as it should.

From what I can see the functionality in the better-wp-security plugin includes the functionality of the login-lockdown plugin - I get quite a few emails from the security plugin advising me that certain users have been locked out for a period of time due to too many invalid login attempts having been made. Or have I overlooked something?

[EastCoast]

I always put an additional .htaccess login on the admin directory. Simple and effective.

[Slackr]

Yeah, I had done that already (paranoid, see )
I also recommend the Login Lockdown plugin which can protect against the kind of attack in question.
I know the plugin page says it hasn't been updated in a while, but it still works exactly as it should.

From what I understand about this attack Login Lockdown will not protect users. They're using a botnet of up to 90k and so IP addresses are changing too frequently for the lockouts of a single IP to be effective. Better WP Security includes some more features that better protect websites (eg, changing the default user ID=1).

Also this is not just targeted at particular hosts. I'm sitting at the bottom of the world and using a local hosting company and seeing the evidence of these attacks over the last 30 or so hours. I'm using Wordfence and can see the login attempts and also the fact that they are changing too rapidly to be being blocked by the lock-out type functions of these plugins.

[Pullo]

From what I can see the functionality in the better-wp-security plugin includes the functionality of the login-lockdown plugin - I get quite a few emails from the security plugin advising me that certain users have been locked out for a period of time due to too many invalid login attempts having been made. Or have I overlooked something?

No, sorry, I did.
I have quite a few sites running WP and the ones that keep emailing me that users have been locked out are running better-wp-security, not login lockdown.
I do use login lockdown on one site, but this is a site that I have only shared with some family and friends and has thus stayed off the hackers radar.

I'm using Wordfence and can see the login attempts and also the fact that they are changing too rapidly to be being blocked by the lock-out type functions of these plugins.

I've not tried WordFence yet, so thanks for the recommendation.
I'll have a look at this for the next WP site that comes up.
better-wp-security also logs failed login attempts (as felgall mentioned) and I've been quite happy with it so far, but it's always good to know what else is out there.

[2ndmouse]

Just wondering if any of you guys have received info from your service provider as to when this attack might end. It's 6 days since it started and the extra login is still in place on my WP sites. My service provider tells me that they don't know how long this attack will last - are you guys getting the same feedback? Apparently, there's around 100,000 compromised machines working on behalf of the hackers.