Massive Distributed Brute-Force WordPress Site Attack

MalwareIconOn Saturday morning, I awoke to several thousand messages in my inbox telling me of unsuccessful login attempts to “admin” for nearly all of my WordPress sites (I have over 50). I opened a ticket to my hosting company, and learned that I was not being singled out. There is an on-going, massive distributed brute-force login attack against WordPress sites in general which started sometime Friday evening.

The attack is known to be using spoofed IP addresses, so blocking by IP is relatively ineffective, although I did notice that the attacks diminished in number after I added about 3500 of the IPs to my .htaccess file. However, since they are spoofed, that means I have probably locked out several IPs of innocent bystanders.

Fortunately for me, most of the login attempts were either for “admin” or “administrator,” although there were several to the name of the blog.

Word to the wise: If your admin account is named admin, or administrator, or superuser, or any other easily-guessed admin name, you need to fix that. Go to your blog, log in, and create a different admin account. Log into your new admin account, and change the access of the old admin account to “No Role for this Site” and give it a very long, randomly-generated password (and don’t save it anywhere).

Your real admin account should also have a long, randomly-generated password, which you should store in a password manager like LastPass. There are other good ones, but LastPass is the one I use. They even have an affiliate program, but it’s only good for getting free premium access. Since I already pay the $12/year for LastPass premium, I don’t bother with the affiliate program.

Unfortunately, that only solves part of the problem. It’s pretty effective at preventing a successful admin login, but these attacks are automated, so they can use enough resources to noticeably degrade performance, or even take your site down. I have had both of those happen.

I’m currently using two other lines of defense. One is the “limit login attempts” plugin. I have it set to lock an IP for 10 hours if I detect four failed logins in a 24-hour period. After 4 lockouts, the time is increased to 9000 hours. I am rethinking that strategy in light of the fact that the current attacks are using spoofed IPs. The attacks come so fast that I sometimes see 12 to 15 lockouts on an IP, which means that the plugin was overwhelmed and didn’t get the 9000-hour lockout in place quickly enough.

The second line of defense is a plugin called “Stealth Login Page.” I believe that Stealth Login Page may be much more effective, at least in the near term. What it does is add an authorization code to the login page, which effectively lengthens your password. But better than that, it allows you to automatically redirect a failed login to another site. I chose to redirect my failed logins to a site of a anti-gay/racist/ultra-right-wingnut hate site. I couldn’t think of a site more appropriate for known malware traffic. So the script-kiddie can’t just bang on my site rapidly, but has to get back to my login page each time. If the script is dumb enough, it will simply start attacking the hate site instead of mine.

I’m thinking of getting a plugin written that will instantly block an IP for several minutes if it is used in an attempt to login to my admin account. This would slow down the script-kiddies by several orders of magnitude. At least, initially.

Don’t think that your site it not important enough to be attacked in this manner. What these criminals are after is growing a bigger malware botnet, so it doesn’t matter if you have a tiny niche blog with only 5 or 6 visitors/day — they want those, too. If you haven’t “hardened” your admin account, do that right now.

Image courtesy of
This entry was posted in Blogging. Bookmark the permalink.

Leave a Reply