Botnet Attacks on WordPress
Latest Botnet Attacking WordPress wp-login.php
A botnet is currently attacking the WordPress login page (wp-login.php) with the user name admin in a dDoS (Distributed Denial of Service) brute-force attack intended to force the server and WordPress to give the cyber-criminals access to the site.
We’ve seen this botnet hammering some of our WordPress sites over the last several days. So far we’ve seen attacks from the IPs listed below. (Note: these are only the IPs used to attack our monitored sites; the botnet will have more…)
Be Pro-active and Defend Your WordPress Site
We strongly recommend all WordPress users take pro-active measures and add the list of IPs to their .htaccess file. You can copy and paste the code below into your .htaccess file. I’ve included the comments #BOTNET BEGINS and #BOTNET ENDS so you can easily remove this block of rules when the threat from this botnet is over.
So far, all the attacks have one thing in common: the user agents (browser IDs). We have discovered these user agents so far:
- Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
- Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Note the minor difference: the ‘Mozilla/5.0 (’ prefix is missing from the second version.
You can use .htaccess rules to ban these user agents. They’re not official Firefox or Microsoft browser IDs, but be careful: any syntax error and you could lock out all browsers using ‘Mozilla’ in the UA string. For most of us, a safer way is to use a WordPress plugin, e.g. VSF Simple Block or WP Ban, to ban this browser ID.
Some people will argue that blocking the user agent simply means the botnet will switch the attack to use another string, which is correct, and that blocking IPs means the cyber criminals will use other IPs to attack the site.
But we’re talking ‘pro-active’ prevention. If you have these blocks in place, you’re slightly ahead of their game.
Our Results with the Recommended Bans:
On Thursday, 20 June, the botnet came back to the site with a dDoS attack from over 650 IPs, and more than 2000 attempts in 5 minutes.
Nearly 600 of these IPs were stopped by the IP deny rules in .htaccess and received a 403 access denied message from the server. The remaining IPs were blocked by the user agent deny rules and redirected away from the WordPress site to a static HTML page on another server. Not a single attack reached the login page.
.htaccess Blocklist to Limit Latest Botnet Threat
Add the following to your .htaccess file to prevent attacks from the IP addresses that are part of this botnet. Follow this post to stay up to date; we will add newly discovered IPs as they are found.
Details About IPs Used in Botnet wp-login Attack
The table provides information about the IPs used by the botnet to attack WordPress installations. The details are incomplete: we don’t want to abuse our domain look-up service with hundreds of requests in a short time.
Will Your Site Stand Up to Botnet Attack
What happens when a botnet hits your WordPress blog or website with a dDoS attack on wp-login? Will your site and server stand up to the attack, or will you be left standing out in the cold with a crashed server or hacked site?
Will your server and WordPress CMS stand up to over 3000 attacks from 300-plus IPs in 5 minutes? Or will the hacker/cyber-crime operation beat the system and use your site to distribute their malware?
- WordPress Brute Force attack spring 2013 (helge.b.uib.no)
- WordPress website targeted by hackers (bbc.co.uk)