Over the last few days many WordPress websites have encountered problems due to a massive distributed brute-force attack on the wp-login.php script. The attackers are using a network (botnet) of compromised servers (bots) to repeatedly attempt to log in to WordPress using common usernames (such as "admin") and weak passwords. The botnet may contain as many as 90,000 unique IP addresses.
The scale of the attacks has created problems at some hosting companies:
IX Web Hosting
http://status.ixwebhosting.com/2013/04/11/global-server-wordpress-issues/
Hostgator
http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/
Daniel Cid at Sucuri Blog discusses how these attacks have increased over the last few days:
http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html
There are a number of ways to mitigate the attacks including:
Password Protect wp-login.php
This is a good solution if you have a limited number of people who have to login to WordPress. Here are instructions from Hostgator on how to add password protection:
Other hosts and control panels should be similar.
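As an added example (not from the original post and not Hostgator's instructions), here is what that password protection looks like on an Apache host: a shell function that writes a password file and appends a <Files> block to the site's .htaccess so that only wp-login.php asks for HTTP Basic credentials. Apache then answers bots with a 401 before PHP or the database are touched. The document root (/var/www/html), the password-file location and the user name are assumptions; the bcrypt hash is generated separately with Apache's own htpasswd tool (Apache 2.4 or later).

```shell
#!/bin/sh
# Added example, not from the original post: put HTTP Basic authentication in
# front of wp-login.php only. Assumes Apache with mod_auth_basic and
# mod_authz_user loaded and AllowOverride permitting .htaccess auth directives.
set -eu

# protect_wp_login DOCROOT PWFILE USER HASH
#   DOCROOT  WordPress document root (e.g. /var/www/html, an assumption)
#   PWFILE   absolute path of the password file; keep it OUTSIDE DOCROOT
#   USER     the login for the Basic-auth prompt (separate from any WordPress user)
#   HASH     the hash part of a line produced by:  htpasswd -nB USER   (bcrypt)
protect_wp_login() {
    docroot=$1; pwfile=$2; user=$3; hash=$4

    # Password file created 0640 so other accounts on a shared host cannot read it.
    ( umask 027; printf '%s:%s\n' "$user" "$hash" >"$pwfile" )

    # Append to .htaccess rather than overwrite it: WordPress keeps its
    # permalink rewrite rules in the same file.
    cat >>"$docroot/.htaccess" <<EOF

# BEGIN wp-login protection
# Use Apache's built-in 401 page so a custom error page cannot itself
# trigger a second 401 ("Additionally, a 401 Unauthorized error was encountered").
ErrorDocument 401 default
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $pwfile
    Require valid-user
</Files>
# END wp-login protection
EOF
}

# wp_login_is_protected DOCROOT -> exit 0 if the Files block is in place
wp_login_is_protected() {
    grep -q '^<Files "wp-login.php">' "$1/.htaccess" &&
    grep -q 'Require valid-user' "$1/.htaccess"
}

# Usage (paths are assumptions; run htpasswd first to obtain the hash):
#   hash=$(htpasswd -nB editor | cut -d: -f2-)
#   protect_wp_login /var/www/html /var/www/.htpasswd editor "$hash"
```

After applying it, `curl -I https://example.com/wp-login.php` should return 401 while the rest of the site still returns 200, and legitimate users will see two prompts, the browser's Basic-auth dialog and then the WordPress login form. Only users who know the extra credential can reach the script, so the approach suits sites with a handful of authors.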
Rename wp-login.php
This solution is technically more difficult, but because the bots target the default script path it defeats the attack without interfering with user logins. See the discussion here:
http://wordpress.org/support/topic/how-to-change-from-wp-loginphp-to-login
Block failed logins with mod_security
Here’s an article from Liquid Web on this approach:
http://kb.liquidweb.com/wordpress-modsecurity-rules/
This may not be effective on its own because of the number of IP addresses in the botnet: a rule that blocks an address after 5 failed logins still lets 90K addresses make up to 450K attempts before every one of them is blocked. Also, if you’re behind a load balancer or proxy, every request arrives from the proxy’s address, so the rules have to be modified to key on the X-Forwarded-For HTTP header instead (and should trust that header only when your own proxy sets it, since a bot connecting directly can forge it).
Add Login Security Plugins
There are a few good plugins that you can add that will reject login attempts after a number of failed logins. Here’s an example:
http://wordpress.org/extend/plugins/limit-login-attempts/
As with the mod_security rules, this plugin counts failures per source address, so the size of the botnet limits how effective it can be.
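To see how much a per-address block buys you against this botnet, here is an added example (not from the original post, Liquid Web or the plugin) that serves both the mod_security section and the plugin section above: a shell script that reads an Apache access log, counts failed wp-login.php attempts per client, honours the X-Forwarded-For header when the log records it, and then computes how many attempts would still have reached PHP under a block-after-N-failures rule. The log lines it runs on are constructed, and it assumes the combined LogFormat with "%{X-Forwarded-For}i" appended as a final quoted field on proxied hosts.

```shell
#!/bin/sh
# Added example, not from the original post: measure the attack in an Apache
# access log and see how much a per-address block (mod_security rule or a
# Limit Login Attempts style plugin) actually stops.
set -eu

# login_failures LOGFILE
# Prints "count client" for each client that POSTed to wp-login.php and got a
# 200 back. WordPress re-renders the login form with HTTP 200 on a bad
# password and answers a successful login with a 302 redirect, so a 200 to a
# POST is a failed attempt.
login_failures() {
    awk -F'"' '
    {
        # Fields between double quotes: $2 request line, $3 " status bytes ",
        # $6 user agent, $8 X-Forwarded-For (present only when NF >= 9).
        split($1, h, " "); client = h[1]
        if (NF >= 9 && $8 != "" && $8 != "-") {
            # Behind a proxy the left-most XFF address is the original client.
            # Only trust this field when your own proxy sets it: a bot that
            # connects directly can send any value it likes.
            split($8, xff, /, */); client = xff[1]
        }
        split($2, req, " "); method = req[1]; path = req[2]
        split($3, resp, " "); status = resp[1]
        sub(/\?.*/, "", path)          # ignore ?redirect_to=... and friends
        if (method == "POST" && path ~ /\/wp-login\.php$/ && status == "200")
            fails[client]++
    }
    END { for (c in fails) print fails[c], c }
    ' "$1" | sort -rn
}

# attempts_reaching_php LOGFILE THRESHOLD
# Failed attempts PHP would still have processed if every client were blocked
# after THRESHOLD failures: each address gets THRESHOLD tries before the rule
# fires, which is why 90K addresses x 5 tries is 450K attempts.
attempts_reaching_php() {
    login_failures "$1" | awk -v t="$2" '
        { total += ($1 < t) ? $1 : t }
        END { print total + 0 }'
}

# write_sample_log FILE: constructed sample traffic, not a real log.
# 203.0.113.7 is a bot hitting the server directly, 198.51.100.4 is a bot
# arriving through proxy 10.0.0.5, 198.51.100.77 tries once, 192.0.2.9 is a
# real user who loads the form and logs in successfully (302).
write_sample_log() {
    cat >"$1" <<'EOF'
203.0.113.7 - - [11/Apr/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [11/Apr/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [11/Apr/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [11/Apr/2013:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [11/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [11/Apr/2013:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [11/Apr/2013:10:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "198.51.100.4"
10.0.0.5 - - [11/Apr/2013:10:15:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "198.51.100.4, 10.0.0.5"
10.0.0.5 - - [11/Apr/2013:10:15:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "198.51.100.4"
198.51.100.77 - - [11/Apr/2013:10:15:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
192.0.2.9 - - [11/Apr/2013:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3419 "-" "Mozilla/5.0" "-"
192.0.2.9 - - [11/Apr/2013:10:16:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0" "-"
EOF
}

# Demo on the constructed sample.
log=$(mktemp)
write_sample_log "$log"
echo "failed logins per client:"
login_failures "$log"
echo "attempts reaching PHP with a block after 5 failures: $(attempts_reaching_php "$log" 5)"
rm -f "$log"
```

On the sample, the direct bot is cut off after 5 of its 6 attempts while the proxied bot and the single-try address are never blocked at all, so 9 of the 10 failed attempts still reach PHP. Run `login_failures` against a real access log to see how many distinct addresses are hitting a site and how few attempts each one makes; when most clients stay under the threshold, a per-address block is not what stops the attack.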