
Distributed Brute Force Attack On WordPress wp-login.php

Over the last few days many WordPress websites have encountered problems due to a massive distributed brute force attack on the wp-login.php script. The attackers are using a network (botnet) of compromised servers (bots) to repeatedly attempt to log in to WordPress using common usernames (typically "admin") and weak passwords. The botnet may contain as many as 90,000 unique IP addresses, so the attempts arrive from many sources at once rather than from one address that could simply be blocked.

The scale of the attacks has created problems at some hosting companies:

IX Web Hosting
http://status.ixwebhosting.com/2013/04/11/global-server-wordpress-issues/

Hostgator
http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/

Daniel Cid at Sucuri Blog discusses how these attacks have increased over the last few days:

http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html

There are a number of ways to mitigate the attacks including:

Password Protect wp-login.php

This is a good solution if you have a limited number of people who have to login to WordPress. Here are instructions from Hostgator on how to add password protection:

http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack

Other hosts and control panels should be similar.

Rename wp-login.php

This solution is technically more difficult, but it will defeat an attack that is hard-coded to request wp-login.php without interfering with user logins. See the discussion here:

http://wordpress.org/support/topic/how-to-change-from-wp-loginphp-to-login

Block failed logins with mod_security

Here’s an article from Liquid Web on this approach:

http://kb.liquidweb.com/wordpress-modsecurity-rules/

This may not be effective due to the large number of IP addresses in the botnet, because the rules count failures per source address. If there are 90K addresses each allowed up to 5 failed logins before being blocked, then you could see 450K login attempts without a single address ever reaching the limit. Also, if you’re behind a load balancer or proxy then every request arrives from the proxy’s address, so this approach will have to be modified to look at the X-Forwarded-For HTTP header; that header is supplied by the client and can be forged, so only trust it when the request actually came from your own proxy, and use the address your proxy appended rather than whatever the client sent.

Add Login Security Plugins

There are a few good plugins that you can add that will reject login attempts after a number of failed logins. Here’s an example:

http://wordpress.org/extend/plugins/limit-login-attempts/

Of course, as with the mod_security solution, a plugin that counts failures per IP address may not be effective due to the size of the botnet. Locking the account itself after repeated failures does not depend on the source address, but it also means the attacker can lock your legitimate users out of their own accounts.
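To make the point in the mod_security and login plugin sections concrete, here is an added example (it is not code from the original post, nor from Liquid Web or the Limit Login Attempts plugin) that runs failed-login detection over constructed Apache access log lines. It assumes a combined log format with the X-Forwarded-For header appended as a final quoted field, that wp-login.php answers a failed POST with HTTP 200 (it re-renders the form) and a successful POST with a 302 redirect, and that the load balancer is at the hypothetical address 10.0.0.1. The sample traffic, 200 bot addresses each making 5 attempts, is constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TRUSTED_PROXIES = {"10.0.0.1"}   # hypothetical load balancer address (assumption)
PER_IP_THRESHOLD = 5             # failures per address before a block, as in per-IP rules
SITE_WIDE_THRESHOLD = 50         # failures per minute across all addresses (assumption)

# Combined log format plus an optional trailing quoted X-Forwarded-For field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<xff>[^"]*)")?$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def client_ip(peer, xff):
    """Attribute a request to the real client. X-Forwarded-For is client-controlled,
    so it is honoured only when the direct peer is our own proxy, and then only the
    last address, which is the one the proxy itself appended."""
    if peer in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer


def parse_failed_logins(lines):
    """Yield (timestamp, client_ip) for each failed wp-login.php POST (status 200)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":   # 302 is a successful login; anything else is not a result
            continue
        yield datetime.strptime(m["ts"], TS_FMT), client_ip(m["peer"], m["xff"])


def per_ip_blocks(events, threshold=PER_IP_THRESHOLD):
    """Addresses a per-IP counter (mod_security rule or lockout plugin) would block."""
    counts = Counter(ip for _, ip in events)
    return {ip for ip, n in counts.items() if n > threshold}


def site_wide_alerts(events, threshold=SITE_WIDE_THRESHOLD):
    """Minutes in which failures summed over all addresses exceed the threshold."""
    per_minute = Counter(ts.replace(second=0) for ts, _ in events)
    return sorted(minute for minute, n in per_minute.items() if n > threshold)


def constructed_log(n_bots=200, attempts_per_bot=5, start="11/Apr/2013:10:00:00 +0000"):
    """Constructed sample traffic: n_bots addresses from 203.0.113.0/24, interleaved one
    request per second through the load balancer, each bot making attempts_per_bot tries."""
    t0 = datetime.strptime(start, TS_FMT)
    lines = []
    for attempt in range(attempts_per_bot):
        for bot in range(n_bots):
            ts = (t0 + timedelta(seconds=attempt * n_bots + bot)).strftime(TS_FMT)
            bot_ip = f"203.0.113.{bot % 250 + 1}"
            lines.append(
                f'10.0.0.1 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3922 '
                f'"http://example.com/wp-login.php" "Mozilla/5.0" "{bot_ip}"'
            )
    # A successful login (302) and a plain page view (GET): both must be ignored.
    ts = t0.strftime(TS_FMT)
    lines.append(f'10.0.0.1 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0" "198.51.100.9"')
    lines.append(f'10.0.0.1 - - [{ts}] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "198.51.100.9"')
    return lines


def summarize(lines):
    events = list(parse_failed_logins(lines))
    return {
        "failed_logins": len(events),
        "distinct_ips": len({ip for _, ip in events}),
        "per_ip_blocked": len(per_ip_blocks(events)),
        "site_wide_alert_minutes": len(site_wide_alerts(events)),
    }


if __name__ == "__main__":
    print("distributed botnet:", summarize(constructed_log()))
    print("single attacker:  ", summarize(constructed_log(n_bots=1, attempts_per_bot=1000)))
```

With 200 addresses making 5 attempts each, the per-IP counter blocks nothing even though 1,000 passwords were tried, while the site-wide failure rate exceeds the threshold in every full minute of the attack; the same 1,000 attempts from one address are blocked by the per-IP counter almost immediately. The site-wide signal tells you an attack is under way but cannot by itself say which requests to drop, which is why password protecting or renaming wp-login.php is the more robust fix.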