Brute Force Attack

Defending Against A Massive WordPress Brute Force Attack

Brute Force Attack

Over the last few days there has been quite a bit of media attention on a very large attack against self-hosted WordPress sites. As the largest host of WordPress powered sites in Ireland we were impacted as well and have been tracking this attack closely.

Last Tuesday we began to see high load on a small number of our shared hosting servers, upon investigation we saw the cause was an unusual number of login requests to the admin section of WordPress sites. We began taking action to mitigate the impact on servers and gathering statistics on the scale of the attack.

It quickly became obvious the scale of this attack was far greater than the usual attacks we see on self-hosted WordPress sites and was the work of a large botnet.

Our technical team work around the clock to ensure servers and services remain online and work as expected. While many hosting companies began reporting the attack and took action at a server level, including  in some cases blocking access to wp-login,  we worked to mitigate the issue at a network level. This was due mainly to the large number of servers involved.

The attack slowed down on occasions during the week and then increased again with some characteristics changing to overcome the defence mechanisms that were put in place and for that reason we didn’t discuss the tactics we deployed to combat the attack.

By Friday afternoon the attack was no longer growing and the number of new IPs we were seeing had reduced greatly, the attack continued to slow at the weekend.

So here are some numbers and statistics that we are happy to share.

Over the week our Engineering team recorded over 10 million login attempts originating from over 190,000 IPs, of that we blocked 65,000 IPs from over 183 countries, from our network during the attack.

Top 30 – blocked IPs by country

13866 : BR, Brazil
6313 : TR, Turkey
2909 : MX, Mexico
2419 : IN, India
2252 : PL, Poland
2171 : ID, Indonesia
1862 : VN, Vietnam
1795 : AR, Argentina
1751 : KR, Korea, Republic of
1568 : RS, Serbia
1431 : GR, Greece
1392 : PT, Portugal
1366 : FR, France
1319 : TH, Thailand
1281 : EG, Egypt
1185 : VE, Venezuela
1118 : MA, Morocco
1035 : DZ, Algeria
907 : RU, Russian Federation
873 : CL, Chile
801 : BA, Bosnia and Herzegovina
796 : UA, Ukraine
775 : SA, Saudi Arabia
769 : ES, Spain
754 : RO, Romania
752 : IT, Italy
728 : CO, Colombia
569 : MY, Malaysia
527 : PE, Peru
475 : US, United States

While our Engineering team worked hard to protect our customers from this attack, customers need also ensure they are doing their part by keeping their websites up to date. This is  especially true of both WordPress and Joomla installs, and includes all plugins and themes. You should also ensure your passwords are complex and different from other accounts you use. If you don’t have a password policy then you should seriously consider implementing one ie. choosing secure passwords and changing them frequently.

(Original Image Chess from BigStockPhoto)

, , , , ,

44 Responses to Defending Against A Massive WordPress Brute Force Attack

  1. Boris April 15, 2013 at 16:31 #

    Dear Alan, God’s fool, what do you really know about WordPress update? We apreciate your useless general observations, but have you ever try to update three years old website with аbandonware theme. It is easier to create new from scratch or even… just update server’s firewall.

    So try harder man. Because It is your job.

    • Michele Neylon April 17, 2013 at 12:06 #

      Boris

      If you are running an out of date install of WordPress then you will need to update it.

      Thanks for your comment

      Michele

      • Boris April 22, 2013 at 11:01 #

        What the difference between two years old WordPress install (tested by thousands developers) and five years old homebrew CMS tested by author only? Why don’t you never ask this type of authors to update theirs full of holes CMS?

        Please, don’t tell me what I need (or should), because I am your client. And as client I tell you to update your firewall to protect me against brutforce atack, or we will find another service provider!

        And Yes I know what is it brutforce. I have enought high load and high availability experts in my teem.

        And if you have extra spendings on new firewall software or hardware you can ask wordpress users for extra charge if you wish. But you have never ever ask us throw out our time and sabotage our business projects because of your idleness. Remember this!