As I type these words, there is an ongoing and highly distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.
This WordPress blog has been receiving these attacks since around the beginning of the year. Getting rid of the admin account is a first step and using strong passwords is a second; I chose to just shut down access from the Internet entirely by disabling the wp-admin directory and wp-login.php access in httpd.conf. That may not be practical for most sites, however. The error logs were getting quiet in the last 3 or 4 weeks, and then this week they’re back up to full speed blocking IPs from ranges all over the place. It looks like I’m not the only one experiencing this, according to here and here.
Update: From my observations of the logs over these last few months, these bots are hitting the sites very patiently, sometimes once an hour, thus running under the radar of the security plug-ins I tried.
These rules will block access for the offending IP address for 5 minutes upon 10 failed login attempts over a 3-minute duration.
This won’t work. Each IP from these bots may hit you once or twice an hour, so any limit-login plugin won’t detect them at any rate that would ban them. You can’t stop this on an IP basis. Since my logs last rotated Sunday morning (almost 6 days ago), I have had 500 different IP addresses hit wp-login.php. They all have been given 403 Forbidden responses, yet they keep coming.
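The following is an added example, not code from the original post or from any plugin it mentions. It parses Apache-style access-log lines for hits on wp-login.php and compares the two views discussed above: the quoted per-IP rule (ban after 10 failed attempts within 3 minutes) simulated as written, and an hourly aggregate of distinct source addresses. The log lines are constructed inline (RFC 5737 documentation addresses, one hit per bot per hour), and the `campaign_hours` threshold on distinct IPs is an assumed detection heuristic, not something the post prescribes.

```python
"""Added example (not from the original post): why a per-IP threshold misses a
slow, distributed brute force against wp-login.php, and what an aggregate view
of the same log shows instead."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def build_sample_log():
    """Constructed sample: 12 bot addresses (RFC 5737 documentation range),
    each POSTing to wp-login.php once per hour for 6 hours and getting 403,
    plus one unrelated legitimate request."""
    lines = []
    start = datetime(2013, 4, 12, 0, 0, 0)
    for i in range(12):
        ip = f"198.51.100.{i + 1}"
        for hour in range(6):
            ts = start + timedelta(hours=hour, minutes=5 * i)
            lines.append(
                f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
                '"POST /wp-login.php HTTP/1.1" 403 209 "-" "Mozilla/5.0"'
            )
    lines.append('203.0.113.7 - - [12/Apr/2013:02:15:00 +0000] '
                 '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return m.group("ip"), ts, path, int(m.group("status"))


def login_attempts(lines):
    """Keep only hits on wp-login.php, as (ip, timestamp), in time order."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "/wp-login.php":
            events.append((parsed[0], parsed[1]))
    return sorted(events, key=lambda e: e[1])


def ips_banned_by_per_ip_rule(events, threshold=10, window=timedelta(minutes=3)):
    """Simulate the quoted rule: ban an IP once it has `threshold` attempts
    inside a sliding `window`. Returns the set of IPs that would ever trip it."""
    recent = defaultdict(deque)
    banned = set()
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # q is never empty here: ts was just appended
            q.popleft()
        if len(q) >= threshold:
            banned.add(ip)
    return banned


def hourly_summary(events):
    """Aggregate view: per clock hour, (distinct IPs, total attempts) on
    wp-login.php. Many sources at a low per-source rate only show up here."""
    buckets = defaultdict(lambda: [set(), 0])
    for ip, ts in events:
        key = ts.replace(minute=0, second=0, microsecond=0)
        buckets[key][0].add(ip)
        buckets[key][1] += 1
    return {k: (len(v[0]), v[1]) for k, v in sorted(buckets.items())}


def campaign_hours(summary, min_distinct_ips=5):
    """Hours in which at least `min_distinct_ips` different addresses hit the
    login page: a threshold on the number of sources rather than on any one
    source's rate (assumed heuristic, not from the post)."""
    return [hour for hour, (ips, _) in summary.items() if ips >= min_distinct_ips]


def analyze(lines):
    """Run both views over the same lines and return the headline numbers."""
    events = login_attempts(lines)
    summary = hourly_summary(events)
    return {
        "attempts": len(events),
        "distinct_ips": len({ip for ip, _ in events}),
        "banned_by_per_ip_rule": ips_banned_by_per_ip_rule(events),
        "peak_distinct_ips_per_hour": max((ips for ips, _ in summary.values()), default=0),
        "campaign_hours": len(campaign_hours(summary)),
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed sample the per-IP rule bans nobody, because no address ever reaches 10 attempts in any 3-minute window, while the hourly aggregate shows all 12 addresses hitting the login page in every hour. The useful signal is the count of distinct sources against one URL, not the rate of any single source, which is why the post's httpd.conf restriction on wp-login.php works where per-IP limits do not.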