Botnet Attacks WordPress Website
Read this article here https://mikeontechnology.wordpress.com/2012/11/25/botnet-attacks-wordpress-website/
What appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IP’s in these attacks – 146 IPs is serious stuff…
146 IP’s Used in Simultaneous Attack. The IP’s listed are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second but less intense attacked followed; starting from 05h16 GMT tailing off until ending at 05h43 GMT
Posted on November 25, 2012, in Internet Security, Websites and tagged Botnet, Brute-force attack, Hacker, Hacking, Hosting, Internet, Internet Security, IP Address, Security Alert, Security Risks, Spambot. Bookmark the permalink. 2 Comments.
Graphiclineweb 
@KalanStar
Considering the seriousness of the attack, I think you need to stop requests from those IPs at firewall level – before they get to your site. If you don’t have your own dedicated server, then you need to discuss this with the hosting company’s technicians.
IPs blocked at the firewall won’t use your sites resources. They other thing they could do is add a filter to slow down repeat requests. IOW – set a time limit on requests from the same IP – but this can cause a whole lot of other performance issues – e.g. visitors (and admins) switching quickly between pages get server errors
I’m not to familiar with WordFence – looking at the literature it appears WordFence IP blocking is an active system – in other words it uses WordPress and checks IP’s against the database (I may be wrong).
I prefer to use .htaccess for IP blocking. It’s lighter on server resources, although a long block list can add a few milliseconds to page loads as the server reads the file every time. (My standard .htaccess file has around 1400 “deny from” entries, and my Drupal business site pages still load under 1 second)
The correct syntax for blocking an IP e.g. 95.140.196.34 is
deny from 95.140.196.34
The deny section starts (using the above example)
order allow,deny
allow from all
deny from 95.140.196.34
deny from 85.0.0.0-85.255.255.255 (denies the entire block)
deny from (next IP)
It’s not too critical where the section is placed – nearer the top after other rules is OK, but for convenience I usually add the blocks after the WordPress (# END WordPress) or other CMS stuff – at the end of the file
Best to do this from CPanel or whichever file manager you have – PC text editors can code the file incorrectly. Make a backup of the original file first in case you get something wrong and it breaks your site. CPanel has an IP deny tool, which is easy to use.
Hope this helps
Any update on how you dealt with this? One of my WP sites is suffering from a huge botnet attack. About 10 login names are being used and 9 of them are invalid and the ip’s are auto locked out from login. Still, at least 1 per second attempts to log in. This has been going on for 12 hours! So far thousands of IP’s have been blocked, but there are thousands more still trying. Since I’m using Wordfence and adding the ones using invalid names to the banned list, it requires virtual memory which has been maxed for hours effectively crashing the site. In response I’ve moved all the files for the site out pf public_html for the time being hoping the bots will quit….