Over the last few days there has been quite a bit of media attention on a very large attack against self-hosted WordPress sites. As the largest host of WordPress powered sites in Ireland we were impacted as well and have been tracking this attack closely.
Last Tuesday we began to see high load on a small number of our shared hosting servers. Upon investigation we saw the cause was an unusual number of login requests to the admin section of WordPress sites. We began taking action to mitigate the impact on servers and gathering statistics on the scale of the attack.
It quickly became obvious the scale of this attack was far greater than the usual attacks we see on self-hosted WordPress sites and was the work of a large botnet.
Our technical team work around the clock to ensure servers and services remain online and work as expected. While many hosting companies began reporting the attack and took action at a server level, including in some cases blocking access to wp-login, we worked to mitigate the issue at a network level. This was due mainly to the large number of servers involved.
The attack slowed down on occasions during the week and then increased again, with some characteristics changing to overcome the defence mechanisms that were put in place. For that reason we didn’t discuss the tactics we deployed to combat the attack.
By Friday afternoon the attack was no longer growing and the number of new IPs we were seeing had reduced greatly. The attack continued to slow at the weekend.
So here are some numbers and statistics that we are happy to share.
Over the week our Engineering team recorded over 10 million login attempts originating from over 190,000 IPs. Of those, we blocked 65,000 IPs, from over 183 countries, from our network during the attack.
Top 30 – blocked IPs by country
13866 : BR, Brazil
6313 : TR, Turkey
2909 : MX, Mexico
2419 : IN, India
2252 : PL, Poland
2171 : ID, Indonesia
1862 : VN, Vietnam
1795 : AR, Argentina
1751 : KR, Korea, Republic of
1568 : RS, Serbia
1431 : GR, Greece
1392 : PT, Portugal
1366 : FR, France
1319 : TH, Thailand
1281 : EG, Egypt
1185 : VE, Venezuela
1118 : MA, Morocco
1035 : DZ, Algeria
907 : RU, Russian Federation
873 : CL, Chile
801 : BA, Bosnia and Herzegovina
796 : UA, Ukraine
775 : SA, Saudi Arabia
769 : ES, Spain
754 : RO, Romania
752 : IT, Italy
728 : CO, Colombia
569 : MY, Malaysia
527 : PE, Peru
475 : US, United States
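Added example, not Blacknight's tooling (the post deliberately does not describe the tactics used): one way to tally failed WordPress logins per source IP across every site on a shared server, which surfaces botnet members that stay under any per-site limit. The log layout, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log layout: Apache combined format with the vhost prepended ("%v %h %l %u %t ...").
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, vhost) per failed login POST; unparsable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # a GET only renders the login form
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        # Assumption: stock WordPress answers a failed login with 200 (form
        # re-rendered) and a successful one with a 302 redirect.
        if m["status"] == "200":
            yield m["ip"], m["vhost"]

def block_candidates(lines, min_failures=5, min_sites=3):
    """Map ip -> (failures, distinct sites) for IPs reaching either threshold."""
    failures, sites = defaultdict(int), defaultdict(set)
    for ip, vhost in failed_logins(lines):
        failures[ip] += 1
        sites[ip].add(vhost)
    return {ip: (n, len(sites[ip])) for ip, n in failures.items()
            if n >= min_failures or len(sites[ip]) >= min_sites}

def _line(vhost, ip, method, path, status):
    return f'{vhost} {ip} - - [01/Jan/2000:00:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0'

# Constructed sample (documentation IP ranges and .example hosts, not real data).
SAMPLE_LOG = (
    # one failure each on three different sites: invisible to a per-site limit
    [_line(f"site-{s}.example", "192.0.2.10", "POST", "/wp-login.php", 200) for s in "abc"]
    # six failures against a single site
    + [_line("site-d.example", "203.0.113.5", "POST", "/blog/wp-login.php", 200)] * 6
    # a normal user: loads the form, one typo, then a successful login
    + [_line("site-a.example", "198.51.100.7", "GET", "/wp-login.php", 200),
       _line("site-a.example", "198.51.100.7", "POST", "/wp-login.php", 200),
       _line("site-a.example", "198.51.100.7", "POST", "/wp-login.php", 302),
       "truncated garbage line"]
)

if __name__ == "__main__":
    for ip, (n, s) in sorted(block_candidates(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} failed logins across {s} site(s)")
```

The thresholds need tuning against normal traffic before any resulting list is fed to a firewall, since shared office or carrier NAT addresses can legitimately touch several sites.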
While our Engineering team worked hard to protect our customers from this attack, customers also need to ensure they are doing their part by keeping their websites up to date. This is especially true of both WordPress and Joomla installs, and includes all plugins and themes. You should also ensure your passwords are complex and different from other accounts you use. If you don’t have a password policy then you should seriously consider implementing one, i.e. choosing secure passwords and changing them frequently.
42 Comments
Is the attack still ongoing?
Fair play to the Engineering team! 🙂
Dear Alan, God’s fool, what do you really know about WordPress update? We appreciate your useless general observations, but have you ever tried to update a three-year-old website with an abandonware theme? It is easier to create a new one from scratch or even… just update the server’s firewall.
So try harder, man. Because it is your job.
Boris
If you are running an out of date install of WordPress then you will need to update it.
Thanks for your comment
Michele
What is the difference between a two-year-old WordPress install (tested by thousands of developers) and a five-year-old homebrew CMS tested by its author only? Why don’t you ever ask this type of author to update their full-of-holes CMS?
Please, don’t tell me what I need (or should), because I am your client. And as a client I tell you to update your firewall to protect me against brute-force attacks, or we will find another service provider!
And yes, I know what brute force is. I have enough high-load and high-availability experts in my team.
And if you have extra spending on new firewall software or hardware you can ask WordPress users for an extra charge if you wish. But you should never ever ask us to throw away our time and sabotage our business projects because of your idleness. Remember this!
What are the attacks trying to achieve?
Take over the WP installs and then use them to attack other servers .. it’s just part of a bigger attack
Defending Against A Massive WordPress Brute Force Attack http://t.co/62aSkJbkxn << some data from our technical team
Wow. Thanks – it’s worth spreading the info. Back-ups and password changes are in order, I’d say.
Defending Against A Massive WordPress Brute Force Attack http://t.co/62aSkJbkxn << attack is still ongoing
Guys, it’s info like this that lets me know we’re in good hands, nice one 🙂