
WordPress brute force hack attacks

Since this spring, the world’s WordPress sites have seen a surge of brute-force hacking attempts, where scripts running from “botnets” have been steadily trying one dictionary word after another in an attempt to take over their victim sites.

I was alarmed to discover this traffic hitting my website earlier this week and was stymied as to how to prevent it. Normally when one gets a hacking attempt, it’s a simple thing to block that site’s IP address using firewall rules. In this case, however, the attackers are using a massive array of hacked computers scattered around the world. Each hack attempt comes from a different IP address, making it impractical to block them all.

Wondering if my site would soon fall to these script kiddies, I took some time to configure some analysis tools to get a better idea of what I was facing.

I needn’t have worried. This is what these genius password attempts look like:

awesome
ophelia
sumo
awesome
kajak
dooney
sumo
admin
admin123
awesomeness
kajal
door
opiate
mustang
baberuth

Yeah, sure. I’m going to give my administrator account a dirt-easy password. Might as well use “hackme” as a password (surprisingly, “hackme” does not appear to be a password these evil geniuses have tried).

So what am I doing about these attacks? I am using a combination of approaches.

The first is using iptables to throttle incoming connections that request “wp-login.php” too often. I adapted this from an excellent forum post on the Register website.

/sbin/iptables -A INPUT -d 199.233.229.182 -i eth0 -p tcp -m tcp --dport 80 -m string --string "/wp-login.php" --algo bm --to 64 -m recent --set --name filter_wp_login --rsource
/sbin/iptables -A INPUT -d 199.233.229.182 -i eth0 -p tcp -m tcp --dport 80 -m string --string "/wp-login.php" --algo bm --to 64 -m recent --update --seconds 120 --hitcount 3 --rttl --name filter_wp_login --rsource -j DROP
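To see what these two rules do and do not catch, here is a small Python model of their `recent` list logic run over constructed traffic. It is an added example, not code from the original post or the forum post it credits. It assumes one matching packet per login request and ignores the `--rttl` TTL check; the function name, event format and addresses are made up for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 120  # --seconds 120
HITCOUNT = 3          # --hitcount 3

def simulate(events):
    """Model the two rules for (timestamp_seconds, source_ip) events, each one
    a packet containing "/wp-login.php". Returns (timestamp, source, verdict)."""
    stamps = defaultdict(list)  # per-source timestamps, like the filter_wp_login list
    verdicts = []
    for ts, src in sorted(events):
        seen = stamps[src]
        seen.append(ts)  # rule 1 (--set): record this source, packet continues
        recent = [s for s in seen if ts - s <= WINDOW_SECONDS]
        if len(recent) >= HITCOUNT:  # rule 2 (--update ... -j DROP) matches
            seen.append(ts)  # --update refreshes "last seen" when it matches
            verdicts.append((ts, src, "DROP"))
        else:
            verdicts.append((ts, src, "ACCEPT"))
    return verdicts

# Constructed sample traffic; addresses are documentation-range placeholders.
SINGLE_SOURCE = [(t, "192.0.2.10") for t in range(0, 60, 10)]
BOTNET = [(i * 10, f"198.51.100.{i + 1}") for i in range(6)]
PERSISTENT = [(t, "203.0.113.5") for t in (0, 10, 20, 100, 200, 400)]

if __name__ == "__main__":
    for name, events in [("single source", SINGLE_SOURCE),
                         ("botnet, one try per address", BOTNET),
                         ("persistent source", PERSISTENT)]:
        print(name)
        for ts, src, verdict in simulate(events):
            print(f"  t={ts:>3}s  {src:<15} {verdict}")
```

In the model a single address is cut off at its third request inside 120 seconds and stays cut off while it keeps trying, because dropped attempts still count; the run with one request per address is accepted in full, which is the gap the second method covers.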

The second method is to increase the strength of my handful of readers’ WordPress passwords through the use of the Login Security Solution plugin. The plugin will also track the suspicious login attempts and deal with them itself.

Remember, kids: the Internet is a wonderful resource but it can’t be trusted. Practice safe surfing, always!