Botnet Attacks WordPress Website


Botnet Attack on WordPress Website

What appeared to be a botnet attacked one of my sites this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IPs in these attacks – 146 IPs is serious stuff…

146 IPs Used in Simultaneous Attack. The IPs listed are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second but less intense attack followed, starting from 05h16 GMT and tailing off until ending at 05h43 GMT.

About Mike

Web Developer and Techno-geek Saltwater fishing nut Blogger

Posted on November 25, 2012, in Internet Security, Websites. 2 Comments.

  1. @KalanStar
    Considering the seriousness of the attack, I think you need to stop requests from those IPs at firewall level – before they get to your site. If you don’t have your own dedicated server, then you need to discuss this with the hosting company’s technicians.

    IPs blocked at the firewall won’t use your site’s resources. The other thing they could do is add a filter to slow down repeat requests. IOW – set a time limit on requests from the same IP – but this can cause a whole lot of other performance issues – e.g. visitors (and admins) switching quickly between pages get server errors

    I’m not too familiar with WordFence – looking at the literature it appears WordFence IP blocking is an active system – in other words it uses WordPress and checks IPs against the database (I may be wrong).
    I prefer to use .htaccess for IP blocking. It’s lighter on server resources, although a long block list can add a few milliseconds to page loads as the server reads the file every time. (My standard .htaccess file has around 1400 “deny from” entries, and my Drupal business site pages still load under 1 second)

    The correct syntax for blocking an IP e.g. is
    deny from

    The deny section starts (using the above example)

    order allow,deny
    allow from all

    deny from
    deny from (denies the entire block)
    deny from (next IP)

    It’s not too critical where the section is placed – nearer the top after other rules is OK, but for convenience I usually add the blocks after the WordPress (# END WordPress) or other CMS stuff – at the end of the file

    Best to do this from CPanel or whichever file manager you have – PC text editors can code the file incorrectly. Make a backup of the original file first in case you get something wrong and it breaks your site. CPanel has an IP deny tool, which is easy to use.

    Hope this helps

  2. Any update on how you dealt with this? One of my WP sites is suffering from a huge botnet attack. About 10 login names are being used and 9 of them are invalid and the IPs are auto locked out from login. Still, at least 1 per second attempts to log in. This has been going on for 12 hours! So far thousands of IPs have been blocked, but there are thousands more still trying. Since I’m using Wordfence and adding the ones using invalid names to the banned list, it requires virtual memory which has been maxed for hours effectively crashing the site. In response I’ve moved all the files for the site out of public_html for the time being hoping the bots will quit….
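The .htaccess approach from the first comment can be driven from the access log instead of typed by hand. The sketch below is an added example, not code from the post or its commenters: it counts POSTs to wp-login.php per IP and emits the deny section in the syntax quoted above, widening to a /24 when several offenders share one. The function names, thresholds, allowlist and sample log lines (documentation address ranges) are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def _line(ip, sec, method="POST", path="/wp-login.php"):
    # Helper that builds one constructed Apache combined-log line.
    return (f'{ip} - - [25/Nov/2012:05:09:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 3512 "-" "Mozilla/5.0"')

# Constructed sample log (documentation address ranges, not real attackers).
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", s) for s in range(4)]
    + [_line(f"203.0.113.{h}", s) for h in (1, 2, 3) for s in range(3)]
    + [_line("198.51.100.7", 0)]                         # one mistyped password
    + [_line("198.51.100.20", s) for s in range(5)]      # admin, allowlisted below
    + [_line("192.0.2.99", s, method="GET") for s in range(5)]
    + ["truncated line"])

def login_posts_by_ip(log_text):
    """Count POST requests to wp-login.php per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            try:
                counts[ipaddress.ip_address(ip)] += 1
            except ValueError:
                continue  # first field was not an IP address
    return counts

def deny_rules(counts, min_hits=3, block_min=3, allowlist=()):
    """Build the deny section; use a /24 when block_min offenders share one."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    bad = [ip for ip, n in counts.items()
           if n >= min_hits and ip.version == 4 and ip not in allowed]
    net24 = lambda ip: ipaddress.ip_network(f"{ip}/24", strict=False)
    per_block = Counter(net24(ip) for ip in bad)
    targets = set()
    for ip in bad:
        net = net24(ip)
        # Never widen to a block that would also lock out an allowlisted address.
        wide = per_block[net] >= block_min and not any(a in net for a in allowed)
        targets.add(str(net) if wide else str(ip))
    order = sorted(targets, key=lambda t: int(ipaddress.ip_network(t).network_address))
    return ["order allow,deny", "allow from all"] + [f"deny from {t}" for t in order]
```

On Apache 2.4 the `order`/`allow`/`deny` directives are only available through mod_access_compat; the `Require`-based access rules are the current form.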
