Geekzone: technology news, blogs, forums


timmmay

20579 posts

Uber Geek

Trusted
Lifetime subscriber

#181305 10-Oct-2015 07:21

I run half a dozen WordPress websites, all on the same server, most behind CloudFlare free. I used to get maybe one admin login attempt per month, right now I'm getting half a dozen a day. I run a plugin that locks people out using various criteria, such as trying to log in with a username that doesn't exist (like admin), too many login attempts, etc, plus of course all default usernames and passwords are changed. The login attempts are coming from Russia, the Ukraine, and now Detroit. I set up CloudFlare to challenge everyone in Russia and The Ukraine before they can get to the website.

Anyone else seeing more login attempts on their site?

Noodles
487 posts

Ultimate Geek




jarledb
Webhead
3257 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1404485 12-Oct-2015 16:16

WordPress is an interesting target for hackers. Lots of sites and many with low security levels.

I would recommend Jetpack's brute force protection. Just looking at single ip-addresses and login attempts when you have attacks from botnets (so every attempt comes from a new ip-address and from all over the world) is completely useless. You need something that can see distributed attacks.

In Jetpack you will find it in the Jetpack panel under Performance & Security and you want to check the "Protect" option, which will stop distributed brute force attacks.




Jarle Dahl Bergersen
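An added illustration of the point made in the post above (it is not part of the original post and is not Jetpack's implementation): a per-address lockout rule and a cross-address rule run over the same constructed login events. The event format, thresholds and function names are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2015, 10, 12, 16, 0)
# Constructed events: (time, source IP, site, username, login succeeded).
# Eight different addresses each try "admin" once; one real user mistypes once.
SAMPLE_EVENTS = [
    (T0 + timedelta(minutes=i), f"198.51.100.{10 + i}", "blog.example", "admin", False)
    for i in range(8)
] + [
    (T0 + timedelta(minutes=1), "203.0.113.5", "shop.example", "alice", False),
    (T0 + timedelta(minutes=2), "203.0.113.5", "shop.example", "alice", True),
]

def per_ip_lockouts(events, max_failures=3):
    """Addresses a classic per-IP rule would lock out."""
    failures = defaultdict(int)
    for _, ip, _, _, ok in events:
        if not ok:
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n >= max_failures}

def distributed_alerts(events, window=timedelta(minutes=10), min_ips=5):
    """Map (site, username) -> most distinct failing IPs seen in any window,
    for targets where that count reaches min_ips."""
    by_target = defaultdict(list)
    for ts, ip, site, user, ok in sorted(events):
        if not ok:
            by_target[(site, user)].append((ts, ip))
    alerts = {}
    for target, fails in by_target.items():
        start = 0
        for end, (ts, _) in enumerate(fails):
            # Slide the window start forward until it spans at most `window`.
            while ts - fails[start][0] > window:
                start += 1
            distinct = len({ip for _, ip in fails[start:end + 1]})
            if distinct >= min_ips:
                alerts[target] = max(alerts.get(target, 0), distinct)
    return alerts

if __name__ == "__main__":
    print("per-IP lockouts:", per_ip_lockouts(SAMPLE_EVENTS))
    print("distributed alerts:", distributed_alerts(SAMPLE_EVENTS))
```

On the sample data the per-IP rule locks out nobody, while grouping failures by target flags the "admin" account and leaves the single mistyped password alone.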


timmmay

20579 posts

Uber Geek

Trusted
Lifetime subscriber

  #1404524 12-Oct-2015 17:17

I have another plugin that does that, thanks jarledb, that's how I know about the attacks. I don't know if they're high volume as they're fronted by CloudFlare and they get locked out as soon as they try an invalid username.

I read an interesting article today saying many sites using cloudflare are still directly accessible, and the IP address is easily discoverable through subdomain IPs (eg ftp.domain.com) or the server sometimes sends it back. Interesting.



ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #1404533 12-Oct-2015 17:24

timmmay: I have another plugin that does that, thanks jarledb, that's how I know about the attacks. I don't know if they're high volume as they're fronted by CloudFlare and they get locked out as soon as they try an invalid username.

I read an interesting article today saying many sites using cloudflare are still directly accessible, and the IP address is easily discoverable through subdomain IPs (eg ftp.domain.com) or the server sometimes sends it back. Interesting.


True, it's a good idea if you're using CF to configure your server to only accept connections from their servers.  That way nobody can bypass them.  You can generally do it with an .htaccess file or similar.

https://www.cloudflare.com/ips

mattwnz
20153 posts

Uber Geek


  #1404563 12-Oct-2015 18:25

It may be the quality of the hosting and where the hosting is based. I have some WordPress sites hosted on a cheap host in the US, and they are regularly blocking login attempts. Up to 5 a day. While I have some other sites with similar setups, hosted on a NZ based server, and they don't have this problem.

timmmay

20579 posts

Uber Geek

Trusted
Lifetime subscriber

  #1404606 12-Oct-2015 19:46

ubergeeknz:
timmmay: I have another plugin that does that, thanks jarledb, that's how I know about the attacks. I don't know if they're high volume as they're fronted by CloudFlare and they get locked out as soon as they try an invalid username.

I read an interesting article today saying many sites using cloudflare are still directly accessible, and the IP address is easily discoverable through subdomain IPs (eg ftp.domain.com) or the server sometimes sends it back. Interesting.


True, it's a good idea if you're using CF to configure your server to only accept connections from their servers.  That way nobody can bypass them.  You can generally do it with an .htaccess file or similar.

https://www.cloudflare.com/ips


Yeah, it'd be pretty easy if I cared enough to bother.

mattwnz: It may be the quality of the hosting and where the hosting is based. I have some WordPress sites hosted on a cheap host in the US, and they are regularly blocking login attempts. Up to 5 a day. While I have some other sites with similar setups, hosted on a NZ based server, and they don't have this problem.


Could be to do with shared hosting with many sites I guess, one other site caught their attention. There's nothing on my site other than resources to use to send spam or similar.

muppet
2568 posts

Uber Geek

Trusted

  #1404633 12-Oct-2015 20:49

I have mod_security.

No one ever tries to log into my sites :-(

 
 
 
 

timmmay

20579 posts

Uber Geek

Trusted
Lifetime subscriber

  #1404641 12-Oct-2015 20:59

Bit hard on shared hosting. I used mod_security for a site recently, it actually broke the site in various ways - registration didn't work and neither did a couple of functions. You have to be pretty careful how you use it. I wonder if it would stop repeated login attempts.

I use WordFence, the plugin.

muppet
2568 posts

Uber Geek

Trusted

  #1404654 12-Oct-2015 21:04

You do have to be careful, yes.  I start off with a very small set of core rules and work out from there.  If you make the mistake of blindly throwing everything at it, it won't work.  You also have to remember it won't stop a determined attacker, just most of the automated crap.

timmmay

20579 posts

Uber Geek

Trusted
Lifetime subscriber

  #1404681 12-Oct-2015 21:40

Don't suppose you have any guides to how to set it up? I just added all the OWASP core rules and took them away until it seemed to work... but it didn't work fully.

freitasm
BDFL - Memuneh
79270 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1404682 12-Oct-2015 21:46

ubergeeknz:
timmmay: I have another plugin that does that, thanks jarledb, that's how I know about the attacks. I don't know if they're high volume as they're fronted by CloudFlare and they get locked out as soon as they try an invalid username.

I read an interesting article today saying many sites using cloudflare are still directly accessible, and the IP address is easily discoverable through subdomain IPs (eg ftp.domain.com) or the server sometimes sends it back. Interesting.


True, it's a good idea if you're using CF to configure your server to only accept connections from their servers.  That way nobody can bypass them.  You can generally do it with an .htaccess file or similar.

https://www.cloudflare.com/ips


It won't prevent a DDoS if the attackers know the IP address - connections will drop but you still get flooded.

I would limit connections to their IPs only, if I wasn't scared of them adding one or more new IP addresses and our server being "invisible" to them until we add the new IPs.

The best option would obviously be to pay more and get the CF Raygun. But that's too much...






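An added example (not from any poster in this thread) covering both the suggestion to accept connections only from Cloudflare's addresses and the worry above about that list changing: it renders an Apache 2.4 allowlist from a CIDR list and reports drift between the deployed list and a newer published one. The ranges are constructed documentation prefixes, not Cloudflare's real ones, and the function names are assumptions; the real list is the one at https://www.cloudflare.com/ips.

```python
import ipaddress

# Constructed stand-ins (documentation prefixes), NOT Cloudflare's real ranges.
DEPLOYED = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]
PUBLISHED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
             "2001:db8:1::/48"]

def parse_ranges(lines):
    """Parse CIDR lines, ignoring blanks and '#' comments.
    Raises ValueError on anything that is not a clean network prefix."""
    nets = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=True))
    return nets

def drift(deployed, published):
    """Return (missing_from_server, stale_on_server) as sorted CIDR strings."""
    d, p = parse_ranges(deployed), parse_ranges(published)
    return sorted(map(str, p - d)), sorted(map(str, d - p))

def is_allowed(addr, ranges):
    """Would a connection from addr pass the allowlist?"""
    ip = ipaddress.ip_address(addr)
    # Membership across IPv4/IPv6 is simply False, so mixed lists are safe.
    return any(ip in net for net in parse_ranges(ranges))

def render_apache(ranges):
    """Apache 2.4 (mod_authz_core) block for a vhost or .htaccess file."""
    nets = sorted(parse_ranges(ranges), key=lambda n: (n.version, n))
    body = "\n".join(f"    Require ip {n}" for n in nets)
    return f"<RequireAny>\n{body}\n</RequireAny>\n"

if __name__ == "__main__":
    missing, stale = drift(DEPLOYED, PUBLISHED)
    print("ranges the server would reject:", missing)
    print("ranges no longer published:", stale)
    print(render_apache(PUBLISHED))
```

Running the drift check on a schedule and alerting on a non-empty "missing" list is one way to catch a newly added range before the proxy's traffic from it is refused.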


freitasm
BDFL - Memuneh
79270 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1408155 17-Oct-2015 10:49

And Cloudflare now posted more information on that XMLRPC attack mentioned above.






timmmay

20579 posts

Uber Geek

Trusted
Lifetime subscriber

  #1408156 17-Oct-2015 10:52

Interesting. I wonder how many of the massive number of CloudFlare customers are paid customers... they must have some, they keep expanding. I suspect GZ is a paid customer.

freitasm
BDFL - Memuneh
79270 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1408157 17-Oct-2015 10:54

Yes, we use the Cloudflare paid service.







Andib
1363 posts

Uber Geek

ID Verified
Trusted

  #1408168 17-Oct-2015 11:32

It looks like there is a script out to exploit the XMLRPC attack. Both the WordPress sites I look after had a massive spike in logon attempts yesterday.





<# 
       .DISCLAIMER
       Anything I post is my own and not the views of my past/present/future employer.
#>

