Research: Finding the source of the current surge in brute force attacks on WordPress sites.

As you can see on our home page there is a large brute force attack underway that started around 10am Pacific Time yesterday (Thursday the 17th of April).

Screen Shot 2014-04-18 at 3.23.38 PM

As part of our ongoing research into WordPress attacks we’re analyzing the source of the attacks and can share the following data:

  • The vast majority of the attacks originate from other servers on the Net that are hosting other websites. In other words, we are seeing most of the attacks originating from IP addresses that exist on networks belonging to website hosting companies. The majority of these are WordPress hosting companies. [As opposed to seeing the attacks coming from broadband subscribers which would indicate a desktop virus or malware attacking WordPress sites, for example.]
  • These machines have likely been compromised, malware has been installed and they are being used to launch attacks on other WordPress sites.
  • In the past 2 hours we have seen 614,610 failed logins, to give you a sense of the scale of the current attack.
  • Approximately 17% of those originate from a single European hosting company. We have reached out to this organization via backchannels to gather more data and report the compromised WordPress hosts.
  • Over 30% of the attacks originate from 3 hosting companies in France, the USA and Berlin in that order. We are working with all three companies via backchannels.
  • There are a total of 1297 IP addresses that are currently involved in the attack and 304 of them have generated over 1000 failed login attempts each across our network of WordPress sites using Wordfence.
  • The worst culprit is based in Michigan, USA and has generated over 22,000 failed logins across WordPress sites in the past 2 hours.
  • The next worst are in Germany and St Petersburg, Russia and have generated 17,833 and 15,511 failed logins respectively during the past 2 hours.

To try to mitigate this attack we are reaching out to hosting companies, reporting infected IP’s on their network and establishing a data sharing relationship in order to help prevent future attacks.

Regards,

Mark Maunder – Wordfence CEO.

Did you enjoy this post? Share it!

Comments

39 Comments
  • Aren't these more likely dictionary attacks? Perhaps a good name for them would be brute force dictionary attacks. Hey, you call the whatever you want. I love what you are doing!

  • I hope you're also talking with NameCheap hosting, which doesn't work well with WordFence's plug-in. They have banned the "readme.txt" file included with WordFence, and have marked it as malicious. I have tried to reason with them, but tickets haven't done anything but continue their practice.

    I have three sites that use WordPress, and NameCheap nixes the "readme.txt" file in every case.

    What I'm saying is that if your're talking to hosting companies, it will help everyone if you talk to at NameCheap understands that your are HELPING security.

  • I've tried to research all of the failed 'admin' logins on one of my sites to contact the US-based companies who have an infected site but haven't had any luck. All of the ones that I have researched have been on shared IPs and/or have nothing for homepages that give any indication of what company they belong to.

    • I have also been reporting bots with about a 50% success rate so far. I would like to encourage all Wordfence users to do the same thing. In most cases the bots seem to be on hacked web sites but it does not matter. You need to report it to either the web hosting provider or the person responsible for the network. Providers such as Hostgator, are very good about seeing to it that malicious software such as bots, get removed from their servers. Others are not so good and sometimes it just matters who is at the support desk.

      I use http://centralops.net/ to look up the email addresses of the responsible person. Enter the IP address and look at the Network WHOIS record. The Domain WHOIS record does not matter for reporting this kind of problem but you can report it to the owner of the domain also if you want. For US based ISPs and Web hosting providers the IP addresses are usually controlled by ARIN. The email to contact will be indicated by "OrgAbuseEmail:" and "RAbuseEmail:" Email them both if they are different.

      For networks outside the US the abuse contact is usually indicated in a pretty obvious manner.

  • Thank you so much for sharing those statistics, you are helping us to understand what is happening. My website has been under attack for a long time, some times 500-1000 login attempts per day.

  • i have been using WF to block ranges for China - Ukraine - Russian - when i see them auto blocked I then make blocks permanent looking at ip range and blocking range especially when range is only a few hundred to a few thousand address...

    Wish I had the ability to go back to select the who is that gives range blocking options... wish that would be a choice under every page in WF that reflects offending ip address. It would make flow much easier.

    Also would love option to have ALL admin tries other than from White-listed IPs to be permanently blocked.

    • Sounds like a logical idea.

      • In addition to blocking country IPs not relevant to a particular site, each offender site is compiled in a private log for specific blockage across all domains. That the site may someday clean up its act is of no consequence; if they were blind enough to allow infection, I doubt they are worthy of future business.

        It amazes that hosting companies for the most part seem oblivious to the problem of their servers furthering these attacks. It seems their IT departments should notice a domain generating a thousand outgoing pings, or whatever, a minute for hours. The mem usage and power consumption should concern them. It does me because as a consumer I am paying for it. This article certainly implicates their complacency, if not duplicity.

        IT is 24/7/365--no holidays, no time off, no lunch breaks, no sleep, no bathroom breaks .... Welcome to the Matrix. I picture corporate IT pretty much as represented the British sitcom "The IT Crowd", only with an undeterred computer game playing focus than wanes only for a breathe now and then. From past interactions, I wonder if they ever personally use the installations they claim to be monitoring.

        It is a dis-service not to reveal the IP addresses of the current offenders. It isn't slanderous to publish true facts. ©2014 All rights reserved. Licensed for use here only. Protected by federal law and international treaty.

  • Thanks for the great work staying on top of all this mess. So happy to have found Wordfence!

  • It would be usefull if a recommendation was sent to all who use Wordpress to enable 2 factor authentication.

    • And when your iPhone is stolen just before you need to log in ...

      The compromising is not so much stealing user names and passwords as much as gaining access to the files behind the front end. It is there they do their dirty work. Those can be gotten to without login.

      Login names should not contain any real words in any language. Passwords should be 17 or more characters. While these high standards are not user friendly, there are apps to remember the unmemorable login details. And, of course, the use of keystrokes to do anything is insecure...

      Mobile devices are inherently insecure. The infection rate for corporate cell phones is 90%+. If you ever received anything besides a call, you are infected.

      How does two factor address these problems? There are many more.

      Two factor is good for email where access for spamming is a problem. But, recent and ongoing NSA revelations should have crippled use of Gmail, Hotmail, Yahoo, AOL and other email freebies. It certainly killed most of the secure email services, paid or unpaid.

  • Glad I found your plugin. It lets me know about logins and any issues. Thanks for the updates. Keep up the great work.

    • Or to block multiple login attempts from one source, or both.
      Perhaps Wordpress will build in that feature soon. Always amazes me such things are not part of a standard setup for online services.

  • Hey...

    You guys are doing a great job... Thanks for protecting all my sites.

    • You've very welcome, thanks for the feedback.

      Regards,

      Mark.

  • I am here because of the sheer number of attacks I have had in the last 2 hours, I must admit I did think it was a particular person, but perhaps that is just my paranoia. Really grateful to be using WF.

  • can u make two step verification for free version? a few people make it combine with google authentication but i will be more like it if wordfence make it for free. thanks :)

    and not only that, can u make wordfence connect each other if we have multiple websites? so when upgrade the version we don't need to login one by one just for upgrade wordfence. one network access for maintain all websites. well, i believe there is people targeting my all websites for some reason and i don't think its funny at all. so i wonder if there is a tracking version for knowing where the attack source from, because only showing attacker ip address maybe not accurate if they using fake server or zombie computer. but, if we can tracking the source maybe we will know who are they. thanks.

    • Hi there,

      We'd love to make 2 factor free as soon as our SMS provider gives us free SMS's. ;-) Unfortunately we pay per SMS and so we have to charge for that feature.

      Regarding syncing between websites: We're working on that, so more on that soon.

      Regards,

      Mark.

      • Mark, you helped me a few months ago when I first installed the Wordfence plugin, and thank you for that. I want to say that a good hosting company will set up a two step authentication log in if it is needed. Mine certainly did and it stopped all of the log in attempts on my Wordpress sites. It was set up to require that I log in the front door of the server in order to log in to my Wordpress admin area. Since that day I have not had any attempts to gain access. And Mark every Wordpress site owner on the planet owes you a great deal of gratitude for this awesome work that you are doing!!! keep it up
        Bricktowntom

        • Thanks. Its worth noting that 2 factor is not two layers of passwords. It is instead a 2 step verification that relies on something you know I.e. your password, and something you have I.e. your cellphone which can be verified via sms or an app. That is why wordfence 2 factor sends an sms to verify that you are in possession of your cellphone.

      • Unlimited SMS is available. Not from the giants ... they offer little of value.

  • Thanks for the article and Tweet.
    Just a small note - the opening sentence has Thursday day and Fridays date. Good to have the events reported precisely.

    Will be interesting to know the nature of the attack - what they're depositing post login.

    • Thanks David! Corrected that.

      Regards,

      Mark.

  • Thank you so much for making all my sites secure and alerting me when they are under attack, I don't know how I found Wordfence but couldn't sleep without it now.

    One question, please. In your email you say, "This is a clear reminder to run regular scans on your site to ensure that your WordPress website isn't being used as a drone to launch attacks on other sites."

    Any advice on how to scan sites for malware? Is there a plugin, or ...?

    Thanks again for making the Internet much safer for all your users.

    Wordfence Rocks!

    • Just hit the scan button in wordfence and it will scan for malware.

      Regards

      Mark.

      • Cool! Thanks for the quick reply, Mark.

      • What would happen if the malware modified the Wordfence plugin files, so the malware does not show up in the scans?

        • Interesting question. We release a new version of Wordfence each week, so it would have to keep updating it's own code to make sure it correctly modifies Wordfence. It would also have to guess what we're doing on the server-side to avoid detection, and malware can't modify what's on our servers so e.g. the remote scan (paid users only) might catch that. But we haven't seen any attacks like this yet.

          Regards,

          Mark.

  • Are these the ones coming from fvsd.ru? It seems FirstVDS in Russia has been compromised - even their abuse emails are bouncing...I had many login attempts from this host, and one successful one (changed all the login and passwords for instance)

    And yes there has been a massive hike in attacks across all my sites, I'm having to be super vigilant! Thanks for everything.

    One thing: is it possible to block on hostname, or use that as well as IP? Or is that too easily faked? I've done it for fvds.ru but it's painstaking adding it to all the .htaccess, it would be good if temporary blocking or Advanced Blocking could take advantage of that cos it was 4-5 IPs but one hostname, and a lot of VPS hostnames pop up. TBH most surfers won't be using their VPS to surf with anyway, so I'm not too bothered about blocking them...

  • Aren’t these more likely dictionary attacks? Perhaps a good name for them would be brute force dictionary attacks. Hey, you call the whatever you want. I love what you are doing!

  • I feel a little bit better knowing that I wasn't the only one getting several emails about all the brute force attacks now.

    I'm even more grateful that I have WordFence installed because it stops those brute force attacks right there.

    Keep doing what you doing guys, and it's always good to know why certain things are happening.

    Thanks,

    Isaiah Jackson

  • Why keep the server hosts secret?

    I routinely block the ranges for OVH, Gandhi, Hetzner, Ociris and BSB to limit activity that I don't want on my servers.

  • Try this plugin (would be smart if WF incorporated it....) https://wordpress.org/plugins/stealth-login-page/changelog/ - it creates a new login-url
    (note: use version 3.0 ONLY! 4.0 doesn't do the trick any longer, as the author, for unknown reasons, completely changed the original functionality).

    Also, if you don't log in regularly (and during attacks), just rename wp-login.php via FTP - it worked for me during the previous global attacks.

  • I am so grateful I found this site the other day! Two of my Wordpress sites had been hacked and I was at a loss as to how to fix them. I downloaded your Wordfence plugin and it it fixed everything for me. Thank you so much for all the hard work you do in providing this free service. I am so impressed with how it works on my sites that I will, in the not-too-distant future, upgrade this amazing plug-in.

    Thank you once again. I will share this in a blog.

  • Do you have any contact with companies like Cloudflare, Incapsula, etc. that work to block threats at the DNS level? Wordfence probably picks up on many threats sooner, and sharing the related IPs could aid such services in blocking attacks before they ever touch a site (for people using those services at least -- both provide free levels, so they should be within reach of anyone). Likewise, they might be able to share back realtime info regarding malicious servers which the Wordfence system hasn't picked up yet. And so on, improving security for all.