Over the past day or so I’ve seen close to 1,000 brute force login attempts at my own WordPress sites originating from botnets. Other sites are being hit even harder.
After analyzing the data I have, I’ve determined that there are two separate and distinct attackers, and Bad Behavior is successfully blocking 100% of attempts from both of them.
I got an email from Liquid Web early this morning, for instance, referencing the attacks. In this case they borrowed a custom mod_security rule to do what fail2ban already does (but better). If you can’t use fail2ban, you might be able to use their mod_security rule in your .htaccess, depending on your web hosting provider. Unfortunately, since the rule is dependent on IP address, and these attackers are frequently changing IPs, it may not help all that much.
At present, Bad Behavior is the only known tool which is blocking 100% of these attacks out of the box. If you aren’t already using Bad Behavior…
These attacks appear to be originating from two distinct botnets, each with its own distinguishing characteristics. One of them gave little clue as to its command and control structure, but a spot check of some of the IP addresses indicates that the zombies are likely compromised web servers. The other wasn’t a botnet per se, but one person sending a large number of requests through open Mikrotik and other proxy servers – most of which happily also sent along his IP address, 220.127.116.11. This appears to be registered to a mobile phone in the Ukraine. Oops! Update: Looks like this guy has moved on to 18.104.22.168. He apparently still doesn’t realize that the open proxy servers are sending along his IP address.
The two attackers are distinguishable in that the botnet attacker is sending only the login and password fields in its POST requests, while the idiot on the mobile phone is also sending three other key/value pairs which are present in the WordPress login form.
In both cases, the attacks attempt random passwords and passwords with patterns such as 123123. If you have a password that might have such a pattern in it, you should change it immediately.
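The two observations above (attackers distinguishable by which form fields their POST carries, and attempted passwords following patterns like 123123) can be turned into a small triage script a site owner could run over captured wp-login.php POST bodies. This is an added example, not code from the post or from Bad Behavior. The three extra field names (wp-submit, redirect_to, testcookie) are an assumption based on the stock WordPress login form; the post only says there are three of them. The request bodies and IP addresses are constructed samples, not captured traffic.

```python
from urllib.parse import parse_qs

# The post says the botnet sends only login and password, while the second
# attacker also sends "three other key/value pairs" from the login form.
# Assumed field names from the stock wp-login.php form (not stated in the post).
CORE_FIELDS = {"log", "pwd"}
EXTRA_FORM_FIELDS = {"wp-submit", "redirect_to", "testcookie"}


def classify_login_post(body: str) -> str:
    """Classify a wp-login.php POST body by the set of form fields it carries.

    Returns 'botnet' (only log/pwd), 'proxy-user' (log/pwd plus exactly the
    three other stock form fields) or 'other' (anything else).
    """
    fields = set(parse_qs(body, keep_blank_values=True))
    if not CORE_FIELDS <= fields:
        return "other"
    extra = fields - CORE_FIELDS
    if not extra:
        return "botnet"
    if extra == EXTRA_FORM_FIELDS:
        return "proxy-user"
    return "other"


def has_repeated_block(password: str) -> bool:
    """True if the password is a short block repeated, e.g. '123123' or 'abcabc'."""
    n = len(password)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and password == password[:size] * (n // size):
            return True
    return False


def is_digit_run(password: str, min_len: int = 4) -> bool:
    """True for straight ascending/descending digit runs like '1234' or '9876'."""
    if len(password) < min_len or not password.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


# Constructed sample requests (source IP, raw POST body); not real captures.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "log=admin&pwd=123123"),
    ("203.0.113.5", "log=admin&pwd=qwerty"),
    ("198.51.100.7", "log=admin&pwd=123123&wp-submit=Log+In"
                     "&redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&testcookie=1"),
    ("198.51.100.7", "log=admin&pwd=admin123&wp-submit=Log+In"
                     "&redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&testcookie=1"),
    ("192.0.2.9", "log=editor&pwd=letmein&wp-submit=Log+In"
                  "&redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&testcookie=1&extra=x"),
]


def summarize(requests):
    """Tally requests per attacker class, distinct source IPs, and patterned passwords."""
    summary = {}
    for ip, body in requests:
        kind = classify_login_post(body)
        pwd = parse_qs(body).get("pwd", [""])[0]
        entry = summary.setdefault(kind, {"requests": 0, "patterned": 0, "ips": set()})
        entry["requests"] += 1
        entry["ips"].add(ip)
        if has_repeated_block(pwd) or is_digit_run(pwd):
            entry["patterned"] += 1
    return summary


if __name__ == "__main__":
    for kind, entry in summarize(SAMPLE_REQUESTS).items():
        print(f"{kind:11s} requests={entry['requests']} patterned={entry['patterned']} "
              f"ips={sorted(entry['ips'])}")
```

The field-set check identifies the tool, not the person: a real browser submitting the stock form sends the same three extra fields as the second attacker, so the 'proxy-user' class only becomes actionable when combined with a failure rate per source address. And as the post notes, per-IP blocking is weakened here because the requests arrive through a rotating set of open proxies.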
See also Hardening WordPress for more things you can do to keep your WordPress site secure.