Christmas Holiday

We will be closing our Store, Sales and Helpdesk from 17:30 Wednesday, 23rd December 2020 to 09:00 Monday, 4th January 2021. No orders, support requests or sales emails will be processed between those dates.

If you purchase a license or Service Package before the closing date and require installation, please be sure to leave at least 24 hours before then for the work to be done. Otherwise, any work will be scheduled for after this period.

Massive increase in Wordpress logins

Post Reply
Paarsch
Junior Member
Posts: 5
Joined: 05 Apr 2017, 11:00

Massive increase in Wordpress logins

Post by Paarsch »

Hello!

I'm not sure if anyone else is seeing the same trend, but i am noticing a massive increase in wp-login attempts lately. This is something i see in the logs of most domains across most, if not all my hosting servers. The originating countries are all over the world; USA, UK Germany Vietnam, Indonesia to Brasil.

Some domains have login attempt from a staggering 5000~6000 unique IP addresses a day. I made a regex rule specifically for these attempts which works as it should. Only because of the shear volume my deny list gets completely flush at least once a day. The logs look like this:

Code: Select all

[18/Jun/2019:00:35:26 +0200] "GET /wp-login.php HTTP/1.0" 200 1872 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[18/Jun/2019:00:35:27 +0200] "POST /wp-login.php HTTP/1.0" 200 2306 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[18/Jun/2019:00:35:28 +0200] "GET /wp-login.php HTTP/1.0" 200 1872 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[18/Jun/2019:00:35:28 +0200] "POST /wp-login.php HTTP/1.0" 200 2288 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Is anyone else seeing this trend? what would be a suitable solution to these attacks? dump all the IP's in a extra IP block list? Or is there a more elegant solution?

Kind Regards.
mikerotec
Junior Member
Posts: 2
Joined: 29 Jul 2019, 16:35

Re: Massive increase in Wordpress logins

Post by mikerotec »

:) Can you share that regex rule? I'm new to this, and we get a lot of similar 'multiple-IP' exploits...
Post Reply