
Following my previous question, I have installed an "activity log" plugin on my site, and from this I can see several malicious login attempts.

[screenshot of the activity log plugin listing the login attempts]

In the above image we can see a new attempt each second. These come in bursts, so it can be quiet for 12 hours, then suddenly this happens, and then it calms down again.

Under the "Description" column, we can see what username this bot tried to log in as, this is often "admin" and that's not a problem since I have changed the default admin username, but sometimes it tries the real one too, as well as other users.

Following this realization I installed another plugin that adds a reCAPTCHA button to the login page, but the attempts didn't decrease at all.

I understand that the chances of this bot guessing the password are small, really small even, but it just might do it, and this makes me nervous.

What can I do to limit the malicious login attempts on my WordPress site, or at least limit their chances of success?

sch
  • Do you have operating system level access on the box which runs that WordPress site, or is it just shared hosting? – Philipp Jan 25 '18 at 14:05
  • @Philipp not OS access no, but I do have access to the actual wordpress files – sch Jan 25 '18 at 14:11
  • Did you end up disabling / removing XML-RPC.php? If you're getting hammered with that many requests when you have reCAPTCHA enabled that's where I would focus my attention. – DKNUCKLES Jan 25 '18 at 14:11
  • @klskl That's a pity, because with OS access you could install [fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) and block any IPs which make too many failed login attempts. – Philipp Jan 25 '18 at 14:38

1 Answer


To limit its chances of success, make sure your users' passwords are strong and all security patches are applied on time.

From your description it looks like a simple automated brute force activity trying to break into your system in some simplest scripted ways. This on the Internet is roughly equivalent to white noise in radio transmission. It's always there in the air, always present, but as long as it doesn't prevent you from listening to the music, this is fine, more or less. You wouldn't even have noticed this if not for a recent unfortunate event not connected with this particular activity at all though.

On a /19 IPv4 network, I can see hundreds of similar attempts coming towards different IP addresses every minute. Those attempts are mostly automated: bots are trying a few simple passphrases and also a few popular exploits (hence patch management on your side) across the whole IPv4 address space. If the rest of your security policies are fine, you won't see problems with this alone. If you do have problems with security, rate limiting won't help you for long.

If it's not an automated activity, then a motivated attacker is able to use much more than a single IP address at a time and won't get fooled by any sane rate limiting. Some brute force bots are already issuing their requests once in 10 minutes or even less frequently. You can't allow just one authentication attempt in 10 minutes, an ordinary user will be upset with that.

Having said that, popular HTTP servers allow you to set up rate limiting in the configuration file:

Limiting authentication attempts to a rate close to 15r/m with some reasonable allowed burst may be a good idea.

There's also probably something wrong with either the activity log plug-in, or the reCAPTCHA plug-in, or the way all your plug-ins communicate with each other. Make sure the reCAPTCHA plug-in checks the CAPTCHA response before allowing the rest of the authentication process to run.

It might also be a good idea to do CAPTCHA checking only at account registration and to use MFA for authentication; it's more reliable in your case and would probably have helped you with the previous incident.

ximaera
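The rate limit the answer describes (about 15r/m with a small burst), written out as an nginx configuration; this is an added example, not configuration from the answer or the asker's site. It assumes nginx is fronting PHP-FPM on an assumed socket path, and limits both the login form and xmlrpc.php, which the comments above mention as another login route.

```nginx
# Added example: per-client rate limit on the WordPress login endpoints.
# The zone is declared in the http{} context, the limit applied per location.
http {
    # 10 MB of shared memory keyed by client IP; sustained rate 15 requests/minute.
    limit_req_zone $binary_remote_addr zone=wp_login:10m rate=15r/m;
    # Answer rejected requests with 429 (Too Many Requests) instead of the default 503.
    limit_req_status 429;

    server {
        # ... existing server_name, root, TLS settings ...

        # wp-login.php and xmlrpc.php share one bucket so a bot cannot sidestep
        # the limit by switching between the two authentication paths.
        location ~ ^/(wp-login\.php|xmlrpc\.php)$ {
            # Allow 5 extra requests above the rate (a real user loading the page
            # and submitting the form), then reject immediately rather than queue.
            limit_req zone=wp_login burst=5 nodelay;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
        }
    }
}
```

If a CDN or reverse proxy sits in front of nginx, `$binary_remote_addr` will be the proxy's address and every visitor shares one bucket; configure the real_ip module (set_real_ip_from / real_ip_header) for the proxy before relying on this limit.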