WordPress attack last few days

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

WordPress attack last few days

Post by mattg » 2019-02-04 02:45

I noticed in my hMailServer logs that one sender was reaching my preset limit for sending mail (80 messages per day).

It was my 'server' address, used by a few of my servers to detail errors etc.

A bit of chasing, and a readjusted script to allow these messages to a specific address, and I find that a large number of IP addresses are trying to guess one of my WordPress sites' admin user names and passwords.

WordPress firewall is blocking them after a couple of attempts, but so far there are hundreds of IPs being used and blocked...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3190
Joined: 2006-08-21 15:38
Location: Denmark

Re: WordPress attack last few days

Post by SorenR » 2019-02-04 11:50

mattg wrote:
2019-02-04 02:45
I noticed in my hMailServer logs that one sender was reaching my preset limit for sending mail (80 messages per day).

It was my 'server' address, used by a few of my servers to detail errors etc.

A bit of chasing, and a readjusted script to allow these messages to a specific address, and I find that a large number of IP addresses are trying to guess one of my WordPress sites' admin user names and passwords.

WordPress firewall is blocking them after a couple of attempts, but so far there are hundreds of IPs being used and blocked...

I use this...

https://wordpress.org/plugins/two-facto ... ntication/

and this...

https://play.google.com/store/apps/deta ... enticator2

and then they can keep guessing until...

Image
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WordPress attack last few days

Post by mattg » 2019-02-04 13:12

Yes, I'm a fan of TFA too... :D :D

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WordPress attack last few days

Post by mattg » 2019-03-15 02:50

Just a quick follow-up - I am still getting dozens of attempts per day for the same domain, and a few here and there for a couple of other domains.

It's been, what, six weeks of this rubbish now.

Dravion
Senior user
Posts: 1435
Joined: 2015-09-26 11:50
Location: Germany

Re: WordPress attack last few days

Post by Dravion » 2019-03-15 04:47

WordPress core without plugins is pretty stable, well tested and secure. But one crappy plugin can change the situation completely; the same goes for themes.

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WordPress attack last few days

Post by mattg » 2019-03-15 05:15

I wouldn't agree that a WP core install is secure.
However, WP is far easier to protect than Drupal or ... just about anything else.

No-one is getting through, but they are trying, and from thousands of IP addresses, each one getting banned as they try and fail to log on.

Dravion
Senior user
Posts: 1435
Joined: 2015-09-26 11:50
Location: Germany

Re: WordPress attack last few days

Post by Dravion » 2019-03-15 08:38

Among WordPress core and plugin developers it's well known that the core codebase isn't pretty and WP has no MVC approach to separate code and design more clearly; there is lots of code which mixes OOP and non-OOP code, but it's well unit tested and everything is sanitized and escaped, it has CSRF tokens and prevents XSS and session fixation, and the WordPress internal $wpdb connection object supports prepared statements to avoid SQL injections completely. But as said before: one crappy plugin or theme which doesn't use WP's security concept can rip the overall security situation to shreds.

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: WordPress attack last few days

Post by mattg » 2019-03-20 08:20

And since last night they are now trying with my name as the username rather than the generic 'admin' type guesses.

I added a new domain last week, and there were three or four attempts for that domain almost immediately, but then they went back to my main domain (which is also my RDNS entry).

Since they have started to try with my name, I'm beginning to think that this is actually personal, and not some bot rubbish.

70+ IPs blocked overnight.

RashiR
New user
Posts: 1
Joined: 2019-03-20 11:42

Re: WordPress attack last few days

Post by RashiR » 2019-03-20 11:46

WordPress is excellent at blocking spammers, with so many plugins.

Kendo
Normal user
Posts: 86
Joined: 2015-07-08 23:33
Location: Rural Australia

Re: WordPress attack last few days

Post by Kendo » 2019-06-23 14:20

WordPress seems to be a popular target. I have a Windows server with no PHP or WordPress sites but most of the hits to it are looking for WordPress plugins to try and exploit.

It seems that someone has distributed software that many wannabes use to try to exploit websites... I see similar request patterns over and over again from different users. I now have live tracking and can spot these nuisances at a glance. I started with 1400 unique visitors per day, and after blocking networks with too many repeat offenders the visitor count is now down to 800/day. So far I may have half of China blocked.

However, a point to note is that many are posing as well-known search engines. I started with a list of known IP addresses for the search engines and have since added to that list. I now have a script that emails me when anyone posing as a search engine is not in my known IP list. Most fakers use Baidu, but I do see some Yandex fakes as well.
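Two of the checks described in this thread, mattg's per-IP counting of failed logins before a ban and Kendo's test of whether a request claiming to be a search-engine crawler actually comes from a known crawler address, as an added example in Python run over constructed web-server log lines. This is not code from the thread, from hMailServer or from any WordPress plugin. It assumes Apache/nginx combined log format (Kendo's server is Windows and its log layout is not given), uses RFC 5737 documentation ranges as placeholder crawler allow-lists rather than the engines' real published ranges, and treats a POST to wp-login.php that is not answered with a 302 redirect as a failed login, which is a heuristic based on WordPress re-rendering the login form on a bad password.

```python
import ipaddress
import re
from collections import Counter

# Combined log format (Apache/nginx style). Assumed here; adjust for other servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Allow-list of source networks per crawler name found in User-Agent strings.
# Constructed placeholders from RFC 5737 documentation ranges, NOT the engines'
# real published address ranges; replace with the operator's own verified list.
KNOWN_CRAWLER_NETS = {
    "googlebot": [ipaddress.ip_network("203.0.113.0/24")],
    "baiduspider": [ipaddress.ip_network("198.51.100.0/25")],
    "yandexbot": [ipaddress.ip_network("198.51.100.128/25")],
}

# Constructed sample log: one IP hammering wp-login.php, one real login,
# two crawlers from allow-listed ranges and two impostors.
BAIDU_UA = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
YANDEX_UA = "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Mar/2019:01:02:03 +1000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Mar/2019:01:02:04 +1000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Mar/2019:01:02:05 +1000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [20/Mar/2019:01:03:00 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'192.0.2.12 - - [20/Mar/2019:01:04:00 +1000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "{BAIDU_UA}"',
    f'198.51.100.5 - - [20/Mar/2019:01:05:00 +1000] "GET /robots.txt HTTP/1.1" 200 60 "-" "{BAIDU_UA}"',
    f'203.0.113.7 - - [20/Mar/2019:01:06:00 +1000] "GET / HTTP/1.1" 200 9000 "-" "{GOOGLE_UA}"',
    f'192.0.2.13 - - [20/Mar/2019:01:07:00 +1000] "GET /wp-content/plugins/x/readme.txt HTTP/1.1" 404 0 "-" "{YANDEX_UA}"',
]


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failed_login_ips(lines, threshold=3):
    """Map IP -> failed-login count for IPs at or above the ban threshold.

    Heuristic: WordPress answers a bad password by re-rendering wp-login.php with
    HTTP 200 and answers a successful login with a 302 redirect, so a POST to
    wp-login.php that does not yield 302 is counted as a failure.
    """
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] != "302"):
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def claimed_crawler(ua):
    """Return which allow-listed crawler a User-Agent claims to be, or None."""
    ua_l = ua.lower()
    for name in KNOWN_CRAWLER_NETS:
        if name in ua_l:
            return name
    return None


def fake_crawlers(lines):
    """Return (ip, claimed_name) pairs, first occurrence only, for requests whose
    User-Agent claims a known crawler but whose source IP is outside its allow-list."""
    hits, seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = claimed_crawler(rec["ua"])
        if name is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if not any(ip in net for net in KNOWN_CRAWLER_NETS[name]):
            key = (rec["ip"], name)
            if key not in seen:
                seen.add(key)
                hits.append(key)
    return hits


if __name__ == "__main__":
    print("ban candidates:", failed_login_ips(SAMPLE_LOG))
    print("fake crawlers:", fake_crawlers(SAMPLE_LOG))
```

Kendo's script emails on a match; the same result lists could feed a mail or a firewall rule instead of the print calls. Crawler IP lists change, so the allow-list should be refreshed from the engines' own publications rather than hard-coded for long, and reverse-then-forward DNS verification is a complementary check the example does not perform.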
