With WordPress being the most popular site building tool in use today, that also makes sites built with it a target for hackers. And sometimes those sites are very easy targets when little or no security precautions are taken.
Hack attacks come in various guises but one of the better known is the Brute Force Attack. This is when a hacker makes repeated, rapid login attempts, guessing username and password combinations, to get into your site’s admin pages and hijack the site.
How Do You Know When Your Site Is Under A Brute Force Attack?
If you aren’t using any security plugins on your site, then generally you’ll only find out about this type of attack when you visit your site and find out that it’s been hacked. By then the damage is already done.
If you’re an affiliate marketer, one of your revenue streams has just been knocked out. If you’re a business owner, your online presence may be gone or, potentially worse, you suffer reputational damage because your site infects visitors with malware.
If you know little about WordPress security, then you’ll have to learn about it and rebuild your site. If you’re lucky, you or your webhost will have a recent backup you can restore from, but you’ll still need to apply some security to the site to prevent future hacks.
If you don’t have a backup, then you either have to write the site off, put time and resources into rebuilding it from scratch, or hire a security expert to see if they can salvage the site.
What A Brute Force Attack Looks Like
Last night, one of my WordPress sites came under just such an attack. I don’t see these types of attack very often but I do see other types of attack quite frequently.
My site repelled the attack due to the security plugins and processes I use on that site (and the other sites I build for myself and clients).
Here’s how the attack started (I’ve blurred out part of the URL for security reasons):
The first thing to note is that the attack started on October 24 at 2:49pm (the server the site is on is 5 hours behind my local time). The second thing to note is that the attack came from one IP address: 220.127.116.11.
The Username column shows what username the attacker was trying to log into the site under. Each line in the table is a separate login attempt which would have used a different password (not recorded). Login attempts were made every 1-2 seconds.
Here are the edited highlights of the attack showing different Usernames that the hacker tried:
A huge number of attempts used the username 123456. Many people new to WordPress take the easy option with basic security and do in fact use 123456 as their username. Don’t make the same mistake. This snapshot of usernames doesn’t give an idea of the extent of the attack though.
How Big Was This Brute Force Attack?
My site underwent a sustained attack. In fact I received 900 emails like the first screenshot from the security plugin that was monitoring this attack. Each email listed 30 individual attempts to access that blog.
That means there were at least 27,000 successive attempts to break into my site.
The attack finally ended at 4:51am this morning so the site was under sustained attack for 14 hours and 2 minutes.
I only became aware of the attack this morning when I saw the list of emails my site had sent me about the attack.
I use a login lockdown feature on my sites which means the http://www.yoursite.com/wp-admin login route is disabled and I have to log in through another page. I also use a captcha on my login pages which defeats automated bots. After five failed attempts to log in, that IP address is then banned so further access to the site is prohibited.
Interestingly, that Login Lockdown feature didn’t kick in and ban the hacker after a handful of failed login attempts. That suggests that the hacker was trying to access the site through a different route and that’s something I need to investigate further. I’ve manually blacklisted the hacker’s IP address and I’ll be updating the blacklist on my other sites now as well.
Nevertheless, my site security setup did its job and prevented the hacker from accessing and hijacking my site.
So who is responsible for this attack? I looked up the IP address on projecthoneypot.org and this is what came up:
The IP address is in the USA and appears to belong to Cloudflare who offer a site protection service which I also use. I’ve now emailed them about this IP address being used in a hack attack. It may be that some part of Cloudflare itself has been compromised. The more likely scenario is that the attack came from somewhere else that’s integrated with Cloudflare (webhosts like Hostgator now provide a Cloudflare integration option on their cPanels, for example).
I’ll report any feedback from Cloudflare here.
UPDATE: I heard back from Cloudflare. Since Cloudflare acts as a proxy, that means all traffic to my site goes through their network before reaching my site. So all traffic appears to come from Cloudflare. IP address 18.104.22.168 actually wasn’t the source IP for the attack. And by banning that IP, I’m banning legitimate traffic that is being routed through 22.214.171.124. So I’ve removed the bans on this IP address.
The attack is now over so I’ll never know the source IP address. Cloudflare have advised me to install the mod_cloudflare package on my cPanels to have visitor IP addresses appear in logs rather than the Cloudflare proxy IP addresses.
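The proxy problem described above, as an added example that is not code from the post or from Cloudflare: a small replay of a failed-login lockout (five strikes, as in my setup) over constructed log entries. Keyed on the TCP peer address it bans the proxy and every visitor behind it; keyed on the CF-Connecting-IP header that Cloudflare adds (which mod_cloudflare restores into the real address), and only when the peer is a known proxy, it isolates the attacker. The proxy address 203.0.113.10 and all visitor addresses are made-up documentation IPs.

```python
from collections import defaultdict

MAX_FAILED = 5  # lockout threshold used in the post: ban after five failures

# Constructed placeholder for the proxy's edge address (not a real Cloudflare IP).
# In production this set would hold the proxy provider's published ranges.
TRUSTED_PROXIES = {"203.0.113.10"}


def client_ip(entry, trust_proxy_header=True):
    """Return the address a lockout should count against.

    entry["remote_addr"]      is the TCP peer (the proxy when behind Cloudflare).
    entry["cf_connecting_ip"] is the CF-Connecting-IP header the proxy adds.
    The header is honoured only when the peer is a trusted proxy; a direct
    client could otherwise forge it and get someone else banned.
    """
    remote = entry["remote_addr"]
    header = entry.get("cf_connecting_ip")
    if trust_proxy_header and remote in TRUSTED_PROXIES and header:
        return header
    return remote


def lockout_decisions(entries, trust_proxy_header=True):
    """Replay login entries; return (banned addresses, failures per address)."""
    failures = defaultdict(int)
    banned = set()
    for e in entries:
        if e["result"] != "failed":
            continue
        key = client_ip(e, trust_proxy_header)
        failures[key] += 1
        if failures[key] >= MAX_FAILED:
            banned.add(key)
    return banned, dict(failures)


# Constructed sample: six failures from an attacker behind the proxy, one
# mistyped password from a legitimate visitor behind the same proxy, and one
# direct client sending a forged CF-Connecting-IP header.
ATTACKER, VISITOR, DIRECT = "198.51.100.7", "192.0.2.44", "198.51.100.99"
SAMPLE = (
    [{"remote_addr": "203.0.113.10", "cf_connecting_ip": ATTACKER,
      "user": "123456", "result": "failed"}] * 6
    + [{"remote_addr": "203.0.113.10", "cf_connecting_ip": VISITOR,
        "user": "admin", "result": "failed"}]
    + [{"remote_addr": DIRECT, "cf_connecting_ip": "192.0.2.1",
        "user": "admin", "result": "failed"}]
)

if __name__ == "__main__":
    print("peer-address keying:", lockout_decisions(SAMPLE, False))
    print("proxy-aware keying: ", lockout_decisions(SAMPLE, True))
```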
This is a further demonstration of just how important putting security measures in place on WordPress sites is.
Remember, over 30,000 WordPress sites are hacked every day. Don’t let your site be one of them.