Re: [bitfolk] For those hosting WordPress blogs

Author: Keith Williams
Date:  
To: users
Subject: Re: [bitfolk] For those hosting WordPress blogs
This is not just a WP issue. About a week ago, I got a notification from my
Joomla site of repeated failed attempts to log in to the admin site. I
looked at the logs and saw that it was from one address, every few seconds
loosely following a pattern of 2 attempts with a password followed by 1
without, coming at a rate of between 2 and 12 seconds apart. I inserted an
iptables rule to block that IP and then investigated it further. It is a
"well-known" address and I set up a chain to log and drop any hits from
that block of addresses. Joomla is quieter now, but the attempts continue
unabated.

As it is just a bot, mindlessly pumping out the hits, would there be any
advantage in changing the DROP to REJECT, hoping that it might stop
annoying me? The hits are all coming from 188.165.243.45 though
occasionally a few will come from another address in their ranges. I've not
managed to find any IPv6 addresses associated with them or they would be
blocked as well.


On 3 July 2013 13:38, Ian <ian@???> wrote:

> Dom Latter said:
>
>> I'm a bit late but I just thought I'd comment here - it may be no use
>> at all against a real attacker but the greatest threat to most wordpress
>> sites comes from scripted attacks - which may well assume a default
>> wp_ prefix. Because it works (for the attacker) well enough.
>>
>
> Hmm, given a firewall preventing access to MySQL from outside the VPS,
> they still have to get into the WordPress setup, and that is almost always
> going to involve getting into (or making, via a privilege escalation
> exploit) an administrator account.
>
> I have changed my WordPress install script to have a different prefix each
> time, but I don't think it will actually make any difference, and I am not
> going to change the prefix on existing sites.
>
>> To avoid getting eaten by the lion, you don't have to run faster than
>> the lion, just faster than the people around you.
>>
>
> Up to a point - that works with a lion, but it's not so successful if your
> attacker is someone with a machine gun! :)
>
> The current attack on wp-login is more like that. It has been going on for
> about a week - I have upped the fail2ban bantime for this to three days,
> and they still come back after that.
>
> If it were any better at getting the right account names, I'd be using the
> plugin that ensures password quality as well as limiting the rate of login
> attempts.
>
> Ian
>




--
Keith Williams

Keith's Place www.keiths-place.co.uk

Tailor Made English www.tmenglish.org

West Norfolk RSPCA www.westnorfolkrspca.org.uk
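
The single-address, every-few-seconds login pattern described in the message above can be picked out of a web server access log and turned into log-and-drop iptables rules. The following is an added example, not part of the original message or thread; the log format (Apache combined), the login paths, the thresholds, the `LOGDROP` chain name and the sample addresses are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample (Apache combined format, documentation addresses); not from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2013:13:00:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [03/Jul/2013:13:00:04 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [03/Jul/2013:13:00:13 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [03/Jul/2013:13:00:15 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [03/Jul/2013:13:00:27 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.20 - - [03/Jul/2013:13:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Jul/2013:13:09:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Jul/2013:13:02:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Assumed login endpoints (Joomla admin, WordPress); thresholds below need tuning per site.
LOGIN_PATHS = ("/administrator/index.php", "/wp-login.php")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) ')

def login_posts(log_text):
    """Map client address -> sorted timestamps of POSTs to a login page."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).split("?")[0] in LOGIN_PATHS:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.setdefault(m.group(1), []).append(ts)
    return {ip: sorted(times) for ip, times in hits.items()}

def find_bots(log_text, min_hits=5, max_gap=12):
    """Addresses with a run of >= min_hits login POSTs spaced <= max_gap seconds."""
    flagged = []
    for ip, times in login_posts(log_text).items():
        run = best = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap else 1
            best = max(best, run)
        if best >= min_hits:
            flagged.append(ip)
    return sorted(flagged)

def logdrop_rules(addresses, chain="LOGDROP"):
    """iptables commands for a log-then-drop chain (chain name is hypothetical)."""
    rules = [f"iptables -N {chain}",
             f'iptables -A {chain} -j LOG --log-prefix "login-bot: "',
             f"iptables -A {chain} -j DROP"]
    return rules + [f"iptables -I INPUT -s {ip} -j {chain}" for ip in addresses]

if __name__ == "__main__":
    print("\n".join(logdrop_rules(find_bots(SAMPLE_LOG))))
```

All Joomla back-end actions also POST to `/administrator/index.php`, so a busy administrator session can resemble the pattern; review flagged addresses before applying the generated rules.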