My blog has been under a brute force attack for over a week now. Several foreign bots have been hard at work trying to break into my WordPress software. Sadly, for them, that is all but impossible. I use several layers of security to protect WP. One of those layers locks any user account, including my own, after more than 5 failed login attempts.[1] The user must then go through the password recovery process. However, the brute force traffic can still bring down the server itself. Even with site caching, the server has to respond to every request.
Most bots make a concentrated effort for minutes and/or hours and then usually move on when they complete (or fail at) their task. This was much more focused and indicates a deliberate attempt. My blog is not overly popular so I’m a little surprised. Dedicated attacks usually target big sites or at the ISP level. The rest of us fall into the “search and conquer” category described above.
I’ve had to take more direct action now and start blocking bots at the server level. It is a cat-and-mouse game because said baddies often use already compromised or spoofed IP addresses. They rotate them quickly, so blocking an address doesn’t last long. However, for bots it’s a wee bit easier, as they usually carry distinctive names that can be blocked using the .htaccess file.
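As an added illustration of that approach (not code from the post itself), this script tallies POST requests to wp-login.php per user agent from a few constructed Apache combined-format log lines, picks out agents hammering the login form from several addresses, and renders the matching .htaccess block that answers them with a 403. The log lines and the "EvilScanner" agent name are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-log lines (not taken from the post).
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "EvilScanner/1.0"
203.0.113.11 - - [01/May/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "EvilScanner/1.0"
203.0.113.12 - - [01/May/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "EvilScanner/1.0"
198.51.100.7 - - [01/May/2013:10:00:04 +0000] "GET /2013/05/post/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
198.51.100.7 - - [01/May/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
203.0.113.13 - - [01/May/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "EvilScanner/1.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def login_attempts_by_agent(log_text):
    """Count POST /wp-login.php requests per user agent and the distinct IPs behind each."""
    attempts, ips = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or not m.group("path").startswith("/wp-login.php"):
            continue
        attempts[m.group("ua")] += 1
        ips[m.group("ua")].add(m.group("ip"))
    return {ua: (n, len(ips[ua])) for ua, n in attempts.items()}

def suspicious_agents(log_text, min_attempts=3):
    """Agents hammering the login form: the 'distinctive names' worth blocking in .htaccess."""
    stats = login_attempts_by_agent(log_text)
    return sorted(ua for ua, (n, _) in stats.items() if n >= min_attempts)

def escape_apache_regex(s):
    # Escape PCRE metacharacters so a literal agent name becomes a safe RewriteCond pattern.
    return re.sub(r'([.^$*+?()\[\]{}|\\])', r'\\\1', s)

def htaccess_block(agents):
    """Render a mod_rewrite block returning 403 to the listed agents (case-insensitive prefix match)."""
    if not agents:
        return ""
    lines = ["<IfModule mod_rewrite.c>", "RewriteEngine On"]
    for i, ua in enumerate(agents):
        flag = "[NC,OR]" if i < len(agents) - 1 else "[NC]"   # OR chains all but the last condition
        lines.append('RewriteCond %%{HTTP_USER_AGENT} "^%s" %s' % (escape_apache_regex(ua), flag))
    lines += ["RewriteRule .* - [F,L]", "</IfModule>"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(htaccess_block(suspicious_agents(SAMPLE_LOG)))
```

The ordinary Firefox visitor with a single login POST stays below the threshold and is not blocked; only the agent seen repeatedly from several addresses ends up in the generated block.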
For my readers, hopefully you won’t see any error pages. On the odd chance you do, please email me and I’ll get you restored. An easy way to tell is by accessing my site from two different connections. The chances of both being blocked are extremely small.
The attack already seems to be waning. The CPU drain from my account on the server is back down within acceptable levels for my ISP. It is still higher than normal but going down. Wish me luck. hehehe
[1] I also deleted my default admin account ages ago.