
WordPress attack last few days

Posted: 2019-02-04 02:45
by mattg
I noticed in my hMailserver logs that one sender was reaching my preset limit for sending mail (80 messages per day).

It was my 'server' address used by a few of my servers to detail errors etc.

A bit of chasing, and a readjusted script to allow these messages to a specific address, and I find that a large number of IP addresses are trying to guess one of my WordPress site's admin user name and passwords.

WordPress firewall is blocking them after a couple of attempts, but so far there are hundreds of IPs being used and blocked...

Re: WordPress attack last few days

Posted: 2019-02-04 11:50
by SorenR
mattg wrote:
2019-02-04 02:45
I noticed in my hMailserver logs that one sender was reaching my preset limit for sending mail (80 messages per day).

It was my 'server' address used by a few of my servers to detail errors etc.

A bit of chasing, and a readjusted script to allow these messages to a specific address, and I find that a large number of IP addresses are trying to guess one of my WordPress site's admin user name and passwords.

WordPress firewall is blocking them after a couple of attempts, but so far there are hundreds of IPs being used and blocked...

I use this...

https://wordpress.org/plugins/two-facto ... ntication/

and this...

https://play.google.com/store/apps/deta ... enticator2

and then they can keep guessing until...


Re: WordPress attack last few days

Posted: 2019-02-04 13:12
by mattg
Yes, I'm a fan of TFA too... :D :D

Re: WordPress attack last few days

Posted: 2019-03-15 02:50
by mattg
Just a quick follow-up - I am still getting dozens of attempts per day for the same domain, and a few here and there for a couple of other domains.

It's been, what, six weeks of this rubbish now.

Re: WordPress attack last few days

Posted: 2019-03-15 04:47
by Dravion
WordPress core without plugins is pretty stable, well tested and secure. But one crappy plugin can change the situation completely; the same goes for themes.

Re: WordPress attack last few days

Posted: 2019-03-15 05:15
by mattg
I wouldn't agree that a WP core install is secure.
However WP is far easier to protect than Drupal or ... just about anything else.

No-one is getting through, but they are trying, and from thousands of IP addresses, each one getting banned as they try and fail to log on.

Re: WordPress attack last few days

Posted: 2019-03-15 08:38
by Dravion
Among WordPress core and plugin developers it's well known that the core codebase isn't pretty and WP has no MVC approach to separate code and design more clearly. There is lots of code which mixes OOP and non-OOP code, but it's well unit tested and anything is sanitized and escaped, it has CSRF tokens and prevents XSS and session fixation, and the WordPress internal $wpdb connection object supports prepared statements to avoid SQL injections completely. But as said before: one crappy plugin or theme which doesn't use WP's security concept can rip the overall security situation to shreds.

Re: WordPress attack last few days

Posted: 2019-03-20 08:20
by mattg
And since last night they are now trying with my name as username rather than the generic 'admin' type guesses.

I added a new domain last week, and there were three or four attempts for that domain almost immediately, but then they have gone back to my main domain (which is also my RDNS entry).

Since they have started to try with my name, I'm beginning to think that this is actually personal, and not some bot rubbish.

70+ IPs blocked overnight.

Re: WordPress attack last few days

Posted: 2019-03-20 11:46
by RashiR
WordPress is excellent at blocking spammers with so many plugins.

Re: WordPress attack last few days

Posted: 2019-06-23 14:20
by Kendo
WordPress seems to be a popular target. I have a Windows server with no PHP or WordPress sites but most of the hits to it are looking for WordPress plugins to try and exploit.

It seems that someone has distributed software that many wannabes use trying to exploit web sites... I see similar request patterns over and over again by different users. I now have live tracking and can spot these nuisances at a glance. Started with 1400 unique visitors per day and after blocking networks with too many repeat offenders, the visitor count is now down to 800/day. So far I may have half of China blocked.

However, a point to note is that many are posing as well-known search engines. I started with a list of known IP addresses for the search engines and have since added to that list. I now have a script that emails when anyone posing as a search engine is not in my known IP list. Most fakers use Baidu but I do see some Yandex fakes as well.
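
Added example, not part of the thread and not Kendo's script: one way to flag clients whose User-Agent claims Baidu or Yandex while the source IP is outside a known-crawler list, run over combined-format access log lines. The network ranges are documentation placeholders (RFC 5737), and the log lines, function names and paths are constructed for illustration.

```python
import ipaddress
import re

# Placeholder allowlist (RFC 5737 documentation ranges), NOT real crawler networks.
KNOWN_CRAWLER_NETS = {"baidu": ["192.0.2.0/24"], "yandex": ["198.51.100.0/25"]}
UA_TOKENS = {"baidu": "baiduspider", "yandex": "yandexbot"}  # crawler claims in the UA
# Combined log format: ip - user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def claimed_engine(user_agent):
    """Return the engine a User-Agent claims to be, or None."""
    ua = user_agent.lower()
    return next((e for e, tok in UA_TOKENS.items() if tok in ua), None)

def is_known(ip, engine, nets=KNOWN_CRAWLER_NETS):
    """True if ip lies inside one of the allowlisted networks for engine."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a non-IP client field
    return any(addr in ipaddress.ip_network(n) for n in nets.get(engine, []))

def find_fake_crawlers(lines, nets=KNOWN_CRAWLER_NETS):
    """Unique (ip, engine) pairs whose UA claims a crawler from an unlisted IP."""
    fakes = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line
        ip, ua = m.groups()
        engine = claimed_engine(ua)
        try:
            if engine and not is_known(ip, engine, nets):
                fakes.add((ip, engine))
        except ValueError:
            continue  # hostname instead of an address: cannot check
    return sorted(fakes)

def _line(ip, path, ua):  # builds one constructed access-log line
    return f'{ip} - - [23/Jun/2019:14:20:00 +0000] "GET {path} HTTP/1.1" 404 0 "-" "{ua}"'

BAIDU = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
YANDEX = "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
SAMPLE_LOG = [  # constructed sample data
    _line("192.0.2.10", "/robots.txt", BAIDU),             # allowlisted: genuine
    _line("203.0.113.77", "/wp-login.php", BAIDU),         # unlisted: fake
    _line("203.0.113.77", "/wp-content/plugins/", BAIDU),  # same faker, deduplicated
    _line("198.51.100.200", "/", YANDEX),                  # outside the /25: fake
    _line("203.0.113.5", "/", "Mozilla/5.0 (Windows NT 10.0)"),  # no crawler claim
]
if __name__ == "__main__":
    for ip, engine in find_fake_crawlers(SAMPLE_LOG):
        print(f"ALERT: {ip} claims to be {engine} but is not in the known list")
```

The result list is what an alerting step (such as the e-mail the post mentions) would consume; an address allowlisted for one engine is still flagged if it claims to be another.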

Re: WordPress attack last few days

Posted: 2019-10-16 13:36
by karlpierce
WordPress is great at blocking spam. It has support for comments, registration, BuddyPress, and all major form plugins. And best of all, no annoying captchas!