Defending Against A Massive Wordpress Brute Force Attack

View Larger Image

Defending Against A Massive WordPress Brute Force Attack

Over the last few days there has been quite a bit of media attention on a very large attack against self-hosted WordPress sites. As the largest host of WordPress powered sites in Ireland we were impacted as well and have been tracking this attack closely.

Last Tuesday we began to see high load on a small number of our shared hosting servers, upon investigation we saw the cause was an unusual number of login requests to the admin section of WordPress sites. We began taking action to mitigate the impact on servers and gathering statistics on the scale of the attack.

It quickly became obvious the scale of this attack was far greater than the usual attacks we see on self-hosted WordPress sites and was the work of a large botnet.

Our technical team work around the clock to ensure servers and services remain online and work as expected. While many hosting companies began reporting the attack and took action at a server level, including in some cases blocking access to wp-login, we worked to mitigate the issue at a network level. This was due mainly to the large number of servers involved.

The attack slowed down on occasions during the week and then increased again with some characteristics changing to overcome the defence mechanisms that were put in place and for that reason we didn’t discuss the tactics we deployed to combat the attack.

By Friday afternoon the attack was no longer growing and the number of new IPs we were seeing had reduced greatly, the attack continued to slow at the weekend.

So here are some numbers and statistics that we are happy to share.

Over the week our Engineering team recorded over 10 million login attempts originating from over 190,000 IPs, of that we blocked 65,000 IPs from over 183 countries, from our network during the attack.

Top 30 – blocked IPs by country

13866 : BR, Brazil
6313 : TR, Turkey
2909 : MX, Mexico
2419 : IN, India
2252 : PL, Poland
2171 : ID, Indonesia
1862 : VN, Vietnam
1795 : AR, Argentina
1751 : KR, Korea, Republic of
1568 : RS, Serbia
1431 : GR, Greece
1392 : PT, Portugal
1366 : FR, France
1319 : TH, Thailand
1281 : EG, Egypt
1185 : VE, Venezuela
1118 : MA, Morocco
1035 : DZ, Algeria
907 : RU, Russian Federation
873 : CL, Chile
801 : BA, Bosnia and Herzegovina
796 : UA, Ukraine
775 : SA, Saudi Arabia
769 : ES, Spain
754 : RO, Romania
752 : IT, Italy
728 : CO, Colombia
569 : MY, Malaysia
527 : PE, Peru
475 : US, United States

While our Engineering team worked hard to protect our customers from this attack, customers need also ensure they are doing their part by keeping their websites up to date. This is especially true of both WordPress and Joomla installs, and includes all plugins and themes. You should also ensure your passwords are complex and different from other accounts you use. If you don’t have a password policy then you should seriously consider implementing one ie. choosing secure passwords and changing them frequently.

(Original Image Chess from BigStockPhoto)

By Alan O'Reilly|2013-04-15T16:04:37+01:00April 15th, 2013|Categories: Hosting, network, security, Service Issue, WordPress|Tags: Botnet, Brute-force attack, IP Address, ireland, Joomla, wordpress|42 Comments

About the Author: Alan O'Reilly

Alan is a senior systems engineer with blacknight who also supervises the support team, Alan has worked in many different sectors of the I.T industry for over 10 years ranging from large Multi Nationals to Indigenous SME firms before joining Blacknight in July of 2011. Outside of Work Alan's main passion is the weather, he has his own professional weather station which provides local weather information.

42 Comments

blacknight April 15, 2013 at 15:58

Defending Against A Massive WordPress Brute Force Attack: http://t.co/rhwZRArgqB
donenda April 15, 2013 at 16:00

RT @blacknight: Defending Against A Massive WordPress Brute Force Attack: http://t.co/VfwqhR66jv #edchatie #heie
Ciaran Whyte April 15, 2013 at 16:04

Is the attack still on going?
CarlowWeather April 15, 2013 at 16:04

RT @blacknight: Defending Against A Massive WordPress Brute Force Attack: http://t.co/rhwZRArgqB
David Kirwan April 15, 2013 at 16:25

Fair play to the Engineering team! 🙂
Bryan Kelly April 15, 2013 at 16:26

Bryan Kelly liked this on Facebook.
Tommy Cowap April 15, 2013 at 16:26

Tommy Cowap liked this on Facebook.
Robbie Dover April 15, 2013 at 16:26

Robbie Dover liked this on Facebook.
Jonny Figgis April 15, 2013 at 16:26

Jonny Figgis liked this on Facebook.
David Kirwan April 15, 2013 at 16:26

David Kirwan liked this on Facebook.
Ciaran Whyte April 15, 2013 at 16:26

Ciaran Whyte liked this on Facebook.
Miroslav Mitrovic April 15, 2013 at 16:26

Miroslav Mitrovic liked this on Facebook.
Boris April 15, 2013 at 16:31

Dear Alan, God’s fool, what do you really know about WordPress update? We apreciate your useless general observations, but have you ever try to update three years old website with аbandonware theme. It is easier to create new from scratch or even… just update server’s firewall.

So try harder man. Because It is your job.
- Michele Neylon April 17, 2013 at 12:06
  
  Boris
  
  If you are running an out of date install of WordPress then you will need to update it.
  
  Thanks for your comment
  
  Michele
  - Boris April 22, 2013 at 11:01
    
    What the difference between two years old WordPress install (tested by thousands developers) and five years old homebrew CMS tested by author only? Why don’t you never ask this type of authors to update theirs full of holes CMS?
    
    Please, don’t tell me what I need (or should), because I am your client. And as client I tell you to update your firewall to protect me against brutforce atack, or we will find another service provider!
    
    And Yes I know what is it brutforce. I have enought high load and high availability experts in my teem.
    
    And if you have extra spendings on new firewall software or hardware you can ask wordpress users for extra charge if you wish. But you have never ever ask us throw out our time and sabotage our business projects because of your idleness. Remember this!
Patrick L Jones April 15, 2013 at 17:56

Patrick L Jones liked this on Facebook.
Michael Leahy April 15, 2013 at 18:06

What are the attacks trying to achieve?
destaic April 15, 2013 at 18:38

“@blacknight: Defending Against A Massive WordPress Brute Force Attack: http://t.co/f1uzGDIxnX” @OrlaWalshKav
Michael Leahy April 15, 2013 at 19:12

Michael Leahy liked this on Facebook.
Philip Clarke April 15, 2013 at 21:27

Philip Clarke liked this on Facebook.
Bob Hutchison April 16, 2013 at 01:42

Bob Hutchison liked this on Facebook.
Anka Andjelkovic April 16, 2013 at 09:56

Anka Andjelkovic liked this on Facebook.
Rafael Jimenez April 16, 2013 at 09:56

Rafael Jimenez liked this on Facebook.
Mihai Suflet de Inger April 16, 2013 at 09:56

Mihai Suflet de Inger liked this on Facebook.
Ian Devoy April 16, 2013 at 09:56

Ian Devoy liked this on Facebook.
Adelino Saldanha April 16, 2013 at 09:56

Adelino Saldanha liked this on Facebook.
Leotrim Oruqi April 16, 2013 at 09:56

Leotrim Oruqi liked this on Facebook.
Liesa Maziid April 16, 2013 at 09:56

Liesa Maziid liked this on Facebook.
Marco Ferreira April 16, 2013 at 09:56

Marco Ferreira liked this on Facebook.
Rachel McIlkenny April 16, 2013 at 09:56

Rachel McIlkenny liked this on Facebook.
srleks April 16, 2013 at 12:10

@singirs @informacijars http://t.co/q9oMKaSiO8 #serbia #malware #security
InformacijaRS April 16, 2013 at 12:24

Novi detalji o napadima na WordPress RT @srleks : @singirs @informacijars http://t.co/aTfla0TyBp … #serbia #malware #security
RoxyOBrien April 16, 2013 at 13:15

Defending Against A Massive WordPress Brute Force Attack http://t.co/VE3qDsTPpK via @blacknight
Blacknight April 16, 2013 at 13:53

Take over the WP installs and then use them to attack other servers .. it’s just part of a bigger attack
blacknight April 16, 2013 at 15:07

Defending Against A Massive WordPress Brute Force Attack http://t.co/62aSkJbkxn << some data from our technical team
darrenmeehan April 16, 2013 at 15:20

RT @blacknight: Defending Against A Massive WordPress Brute Force Attack http://t.co/62aSkJbkxn << some data from our technical team
Michael Leahy April 16, 2013 at 15:26

Wow. Thanks – it’s worth spreading the info. Back-ups and password changes are in order, I’d say.
hostnews April 17, 2013 at 10:32

Defending Against A Massive WordPress Brute
http://t.co/mCiZAA65WO
blacknight April 17, 2013 at 16:45

Defending Against A Massive WordPress Brute Force Attack http://t.co/62aSkJbkxn << attack is still ongoing
MaloneProjects April 17, 2013 at 16:52

RT @blacknight: Defending Against A Massive WordPress Brute Force Attack http://t.co/62aSkJbkxn << attack is still ongoing
noyoDigital April 17, 2013 at 17:00

RT @blacknight: Defending Against A Massive WordPress Brute Force Attack http://t.co/62aSkJbkxn << attack is still ongoing
Philip Clarke April 17, 2013 at 21:55

Guys, its info like this that lets me know were in good hands, nice one 🙂

Comments are closed.

Defending Against A Massive WordPress Brute Force Attack