Yesterday morning my web server suffered its worst Distributed Denial of Service (DDoS) attack yet. For two hours 893 separate IPs continually hammered my cloud VPS server and pretty much sent it crying to mama. I could barely connect to it. I decided the only thing that could bring temporary relief would be to reboot the virtual container through the service provider. Awesome.
Two hours later the attack disappeared almost as quickly as it arrived, leaving an annoyed server admin (me) to wade through a 1.6MB log file. If you're unfamiliar with log files, they're plain text, and 1.6MB is pretty big for a two-hour window. Unless you're TheChive.com or some site like that.
Flash forward to tonight, when I finally dug into the log to forensically determine the attack vector. To my surprise, yesterday's excitement was not a DDoS attack but a WordPress login flood attack. Think of a distributed brute force attack with a single goal: to gain entry to my WordPress site by systematically guessing every password combination an administrator account might possibly use. Some people's children, right?
To close out the night I made a few tweaks to the server (to better help it survive the next all-but-guaranteed onslaught) and considered how my logs could benefit the WordPress community. It wasn't a great leap to think of providing the community with the list of attack IPs. To aid with that I found a slick IP address extractor, a site that parses text dumps and removes duplicate addresses in the process. The IP extractor accepted my ~43,000 line paste and spit out a scrubbed list of 893 attack IPs in less than 30 seconds. Impressive.
So I give you the list of all 893 WordPress login flood attack IPs. It's perfect for adding to your firewall's block rules (if you run your own web server). If you are on a shared host or do not have access to your server's firewall, perhaps share this post with them and pray they do something with it? Whatever you do with the list, I hope my Tuesday morning headache turns into something of value for the WordPress community. Please let me know in the comments below if the list helped you in any way.
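The two steps described above, working out from the log that this was a login flood rather than a DDoS and then boiling the log down to a block list, can be done offline with a short script instead of pasting the log into a website. The example below is added here and is not the author's workflow or the code of the IP extractor site mentioned in the post. It assumes the Apache/nginx "combined" access log format and that the login endpoint is `/wp-login.php`; the sample log lines and the IP addresses in them are constructed (RFC 5737 documentation ranges), not the real 893 attackers. It goes one step beyond the plain deduplication the post describes: it counts only `POST` requests to the login page per IP and applies a threshold, so a legitimate administrator who logged in once is not swept into the firewall rules.

```python
"""Pull WordPress login-flood attackers out of a web server access log.

Added example, not the blog author's workflow or the online IP extractor the
post mentions. It assumes Apache/nginx "combined" log format and that the
login endpoint is /wp-login.php; the sample log lines and IP addresses below
are constructed (RFC 5737 documentation ranges), not the real attack IPs.
"""
import re
from collections import Counter

# Constructed sample: two flooding IPs, one legitimate admin who loaded the
# form once and logged in once, one ordinary reader, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2013:09:02:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jun/2013:09:02:12 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jun/2013:09:02:14 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Jun/2013:09:02:15 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Jun/2013:09:02:16 -0500] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Jun/2013:09:02:17 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Jun/2013:09:02:19 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Jun/2013:09:05:01 -0500] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Jun/2013:09:05:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Jun/2013:09:06:30 -0500] "GET /2013/06/some-post/ HTTP/1.1" 200 15120 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

LOGIN_PATH = "/wp-login.php"

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query strings such as ?redirect_to=...
    rec["status"] = int(rec["status"])
    return rec


def unique_ips(lines):
    """Every distinct client IP in the log, sorted (what a dedup extractor gives you)."""
    return sorted({rec["ip"] for rec in map(parse_line, lines) if rec})


def login_attempts_by_ip(lines):
    """Count POSTs to the login endpoint per IP; each POST is one password guess."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            counts[rec["ip"]] += 1
    return counts


def flood_ips(lines, threshold=3):
    """IPs with at least `threshold` login POSTs, busiest first.

    The threshold keeps a legitimate admin who mistyped a password once or
    twice out of the block list; tune it to your own traffic.
    """
    counts = login_attempts_by_ip(lines)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def iptables_rules(ips):
    """Render one DROP rule per attacker IP for a host firewall."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in login_attempts_by_ip(lines).most_common():
        print(f"{ip:16} {n} login POSTs")
    for rule in iptables_rules(flood_ips(lines)):
        print(rule)
```

Run against a real log with `flood_ips(open("/var/log/apache2/access.log").read().splitlines())`; the threshold and `LOGIN_PATH` are the two knobs to adjust, and the rendered `iptables` rules are meant to be reviewed before they are applied, since a flood list is only as trustworthy as the log it came from.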
Every couple of weeks an IP from either China or South America (usually Brazil) tries to do a Brute Force Login on my blog. Now I change my WordPress password every 2-4 weeks to be on the safe side.
Let me recommend a plugin or two which could help immensely:
WP Limit Login Attempts will temporarily ban access by IP and can permaban the IP if the erroneous login attempts continue.
Two Factor Authentication will give you a second security check so that even if they knew your password, they would have to pass the next security check to log into your site.
All the best!
Thank you, I will have a look at this. It may prevent a hacker 🙂