
Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Mon Jan 21, 2013 5:28 am
by chrismcb
Hi,

Just looking for anyone else's experience in this.

I have perhaps 30 Wordpress sites which, either recently, or simply showing up recently because of the new web application rules from ASL, are experiencing multiple failed login attempts from outside sources.

These are distributed by source and by destination - i.e. no IP attacks twice, even on a different domain

The ASL rules are alerting to this and the brute-force rule shuns repeated offenders, but is this sufficient?

I could raise 377306 to level 7 and shun all failed logins immediately, but then risk the onslaught of customer contacts as they are shunned when they enter their password in wrong.


Anyone else seeing this? And perhaps overcome it?


Thanks

Re: Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Thu Jan 31, 2013 7:27 am
by chrismcb
No-one else came across this? Or is it just something everyone's happy to allow ASL to do its thing on?

Re: Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Thu Jan 31, 2013 1:12 pm
by faris
What's happening is that a botnet is being used to initiate the logins. This causes them to be from a number of different IPs. We see this a lot. It seems to be the latest strategy to avoid the simple "fail2ban" sort of blocking.

It isn't just wordpress. They do the same thing for email and FTP. And no doubt other types of common script. We mitigate it by blocking south america, eastern europe and the far east at the firewall level - these are the places most of the IPs are for the botnets that target our machines.

The problem is simply that if each IP is different, you can't do anything about it other than prevent logins to the site from all IPs, which would not be good because the admin would then be unable to login.

The solution is simple. 1) Make the password un-guessable and 2) potentially use .htaccess to add a first-level block on the admin directory 3) if the script allows it, don't use common usernames like admin for the admin user.
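The ".htaccess first-level block" from point 2 above, as an added example that is not from the original post or from ASL: HTTP Basic Auth in front of wp-login.php and the wp-admin directory, so a bot has to beat an extra credential before it ever reaches the WordPress login form. The paths, realm name and credential file location are assumptions; the syntax is Apache 2.2 style (the era of this thread), and on Apache 2.4 without mod_access_compat the admin-ajax.php exception becomes "Require all granted".

```apache
# Added example, not from the thread or from ASL. Paths and names are assumed.
# Create the credential file OUTSIDE the document root, e.g.:
#   htpasswd -c /etc/httpd/wp-login.htpasswd siteadmin
# Serve the site over HTTPS: Basic Auth sends the credential base64-encoded,
# not encrypted, so over plain HTTP it is readable on the wire.

# --- /var/www/example.com/.htaccess (document root) ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Site login"
    AuthUserFile /etc/httpd/wp-login.htpasswd
    Require valid-user
</Files>

# --- /var/www/example.com/wp-admin/.htaccess ---
AuthType Basic
AuthName "Site login"
AuthUserFile /etc/httpd/wp-login.htpasswd
Require valid-user

# admin-ajax.php is called by themes and plugins for anonymous visitors
# (search, contact forms, infinite scroll); leave it reachable or those break.
<Files "admin-ajax.php">
    Satisfy Any
    Order allow,deny
    Allow from all
</Files>
```

Check it with "curl -I https://example.com/wp-login.php" (expect 401 with a WWW-Authenticate header) and "curl -I https://example.com/wp-admin/admin-ajax.php" (expect no 401). A wrong Basic Auth password is logged by Apache with a 401, not by WordPress, so the ASL login-failure rule will no longer see those attempts; the 401 count in the access log becomes the thing to watch instead.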

Re: Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Tue Feb 05, 2013 6:02 am
by chrismcb
Thanks Faris, yeah - I assumed a botnet.

I'll look into geo-blocking for the most common areas.
Don't think that should affect any clients...

As for the other tips - thanks - but the buck lies with the end-user's details.
I always configure accounts with secure passwords, but with their ability to change the password to something more memorable (i.e. guessable!), I wouldn't trust them!

The .htaccess idea is a good one too... will just need to figure out which would be the least noticeable and least work/confusion for clients.

Re: Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Thu Sep 19, 2013 12:32 pm
by craigedmonds
Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?

One of the big issues is that there are a lot of amateur web designers out there posing as "professional" wordpress developers without any idea of wordpress security so they simply set up wordpress out of the box with the "admin" username etc.

Then the sites are getting hacked and they are pointing the finger at us saying our server is not secure!!!

Re: Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Fri Sep 20, 2013 1:30 pm
by mikeshinn
Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?
When you say greylisting, do you mean shunning or something else?

Re: Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Fri Sep 20, 2013 2:37 pm
by craigedmonds
mikeshinn wrote:
Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?
When you say greylisting, do you mean shunning or something else?
I am not sure what "shunning" means but if they could be blocked for 30 minutes or some period of time, that would be good.

Re: Many Wordpress "Login Failure Detected" (Rule 377306)

Posted: Sat Sep 21, 2013 10:20 am
by scott
That's what shunning means. The default is 10 minutes, you can certainly increase that or even disable expiration completely.
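The two mechanisms argued over in this thread, as an added example that is not code from the thread or from ASL: a sliding-window counter that shuns an IP for 30 minutes after more than three wp-login.php failures (the behaviour asked for above), beside a second counter keyed on the target site across distinct source IPs, which is what still fires when a botnet uses every IP exactly once and the per-IP counter never reaches its threshold. The vhost-prefixed log layout, the thresholds, and the heuristic that WordPress answers a failed POST to wp-login.php with 200 (form re-rendered) and a successful one with a 302 are assumptions; the log lines are constructed.

```python
"""Added example (not from the thread or ASL): per-IP shunning plus
per-site distributed-failure detection over wp-login.php log lines.
Log layout, thresholds and the 200-means-failure heuristic are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed layout: "<vhost> <ip> - - [<ts>] "<method> <path> HTTP/x" <status> ..."
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (vhost, ip, epoch_seconds, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["vhost"], m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_failed_login(method, path, status):
    """Assumed heuristic: a bad password re-renders the form with a 200."""
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200


class FailureTracker:
    def __init__(self, per_ip_limit=3, window=600, block_seconds=1800,
                 distinct_ip_limit=10):
        self.per_ip_limit = per_ip_limit        # shun on the (limit+1)th failure
        self.window = window                    # sliding window, seconds
        self.block_seconds = block_seconds      # 30 minutes, as asked above
        self.distinct_ip_limit = distinct_ip_limit
        self.ip_fail = defaultdict(deque)       # ip -> failure timestamps
        self.site_fail = defaultdict(deque)     # vhost -> (timestamp, ip)
        self.blocked_until = {}                 # ip -> epoch when shun expires

    def _trim(self, dq, now, key=lambda x: x):
        while dq and key(dq[0]) < now - self.window:
            dq.popleft()

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                        # expired: forget the shun
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, vhost, ip, now):
        """Record one failed login; return the alerts it raises."""
        alerts = []
        per_ip = self.ip_fail[ip]
        per_ip.append(now)
        self._trim(per_ip, now)
        if len(per_ip) > self.per_ip_limit and not self.is_blocked(ip, now):
            self.blocked_until[ip] = now + self.block_seconds
            alerts.append(("shun", ip))
        # The botnet case: each IP fails once, so count sources per target.
        per_site = self.site_fail[vhost]
        per_site.append((now, ip))
        self._trim(per_site, now, key=lambda e: e[0])
        distinct = {src for _, src in per_site}
        if len(distinct) >= self.distinct_ip_limit:
            alerts.append(("distributed", vhost, len(distinct)))
        return alerts


def process(lines, tracker=None):
    """Feed log lines through the tracker; return (tracker, alerts)."""
    tracker = tracker or FailureTracker()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        vhost, ip, ts, method, path, status = rec
        if tracker.is_blocked(ip, ts):
            alerts.append(("dropped", ip))      # what a firewall shun would do
            continue
        if is_failed_login(method, path, status):
            alerts.extend(tracker.record_failure(vhost, ip, ts))
    return tracker, alerts


def _line(vhost, ip, hhmmss, method, path, status):
    return (f'{vhost} {ip} - - [21/Jan/2013:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3521')


# Constructed sample: one noisy IP on site A, one real login on site A, and
# ten different IPs each failing exactly once on site B.
SAMPLE_LOG = [
    _line("example-a.com", "203.0.113.5", "05:10:01", "POST", "/wp-login.php", 200),
    _line("example-a.com", "203.0.113.5", "05:10:09", "POST", "/wp-login.php", 200),
    _line("example-a.com", "203.0.113.5", "05:10:20", "POST", "/wp-login.php", 200),
    _line("example-a.com", "192.0.2.7", "05:10:25", "POST", "/wp-login.php", 302),
    _line("example-a.com", "203.0.113.5", "05:10:31", "POST", "/wp-login.php", 200),
    _line("example-a.com", "203.0.113.5", "05:10:45", "GET", "/wp-login.php", 200),
] + [
    _line("example-b.com", f"198.51.100.{10 + i}", f"05:12:{i * 5:02d}", "POST",
          "/wp-login.php", 200)
    for i in range(1, 11)
]


def demo():
    return process(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in demo()[1]:
        print(alert)
```

Running it shuns 203.0.113.5 on its fourth failure and drops its next request, while none of the ten 198.51.100.x addresses is ever shunned; the only signal for site B is the per-site alert at the tenth distinct source. That second counter is the one worth wiring to a notification, since shunning cannot act on it without locking out every visitor, which is exactly the trade-off faris describes above.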