{"id":9834,"date":"2013-04-12T17:17:27","date_gmt":"2013-04-12T22:17:27","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=9834"},"modified":"2013-04-12T23:46:46","modified_gmt":"2013-04-13T04:46:46","slug":"global-wordpress-brute-force-flood","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=9834","title":{"rendered":"Global WordPress Brute Force Flood"},"content":{"rendered":"<blockquote><p>As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.<\/p><\/blockquote>\n<p>via <a href=\"http:\/\/blog.hostgator.com\/2013\/04\/11\/global-wordpress-brute-force-flood\/\">Global WordPress Brute Force Flood | HostGator Web Hosting Blog | Gator Crossing<\/a>.<\/p>\n<p>This WordPress blog has been receiving these attacks since around the beginning of the year.\u00a0\u00a0 Getting rid of the admin account is a first step and using strong passwords is a second; I chose to just shut down access from the Internet entirely by disabling the wp-admin directory and wp-login.php access in httpd.conf.\u00a0\u00a0 That may not be practical for most sites, however.\u00a0 The error logs were getting quiet in the last 3 or 4 weeks and then this week they&#8217;re back up to full speed blocking with IPs from ranges all over the place.\u00a0\u00a0 It looks like I&#8217;m not the only one experiencing this according to <a href=\"http:\/\/blog.cloudflare.com\/patching-the-internet-fixing-the-wordpress-br\">here<\/a> and <a href=\"http:\/\/techcrunch.com\/2013\/04\/12\/hackers-point-large-botnet-at-wordpress-sites-to-steal-admin-passwords-and-gain-server-access\/\">here<\/a>.<\/p>\n<p><strong>Update<\/strong>:\u00a0 From my observations of the logs over these last few months these bots are hitting the sites very patiently, sometimes once an hour thus 
running under the radar of the security plugins I tried.<\/p>\n<p><strong>Update II<\/strong>: More links <a href=\"http:\/\/www.siliconrepublic.com\/strategy\/item\/32269-major-brute-force-attack\/\">here<\/a>, <a href=\"http:\/\/krebsonsecurity.com\/2013\/04\/brute-force-attacks-build-wordpress-botnet\/\">here<\/a>, and from <a href=\"http:\/\/kb.liquidweb.com\/wordpress-modsecurity-rules\/\">here<\/a>:<\/p>\n<blockquote><p>These rules will block access for the offending IP address for 5 minutes upon 10 failed login attempts over a 3 minute duration.<\/p><\/blockquote>\n<p>This won&#8217;t work.\u00a0 Each IP from these bots may hit you once or twice an hour so any limit login plugin won&#8217;t detect them at any rate to ban them.\u00a0 You can&#8217;t stop this on an IP basis.\u00a0 Since my logs last rotated Sunday morning (almost 6 days ago) I have had 500 different IP addresses hit wp-login.php.\u00a0 They all have been given 403 Forbidden responses yet they keep coming.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. 
This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=9834\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[284],"tags":[101,869,131],"class_list":["post-9834","post","type-post","status-publish","format-standard","hentry","category-servers","tag-security","tag-web-security","tag-wordpress"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9834","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9834"}],"version-history":[{"count":8,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9834\/revisions"}],"predecessor-version":[{"id":9843,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9834\/revisions\/9843"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9834"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}