I’m a developer (not WordPress though) at a company. We use an EC2 instance to host our WordPress site. I don’t actually have an account named “admin”, but we do have iThemes Security Pro, which permanently bans IPs that attempt to log in as the user “admin”.

About a week ago, I got a site lockout notification from an IP in Brazil, and one more in Ukraine, where those IPs had tried to gain access through the admin username. I thought it was fine, but in the past few days I’ve been getting emails every 15 minutes or so saying another IP has been locked out for trying to log in as the user admin.

I thought I would do an IP-wide ban for that page for certain IP addresses, but I’m realizing that all recent attacks have been from the US. And as time goes on, the IPs seem to be getting closer and closer to where the actual server is located (in Oregon). Another thing is, all of these IPs appear to be registered with Amazon, so they might be EC2 instances themselves.

To try and keep up with it, I attempted to put a captcha on the login page using the following plugin. The captcha does appear on my admin login page. However, the bots are somehow able to get past this and attempt to log in without completing the captcha.

Does anyone have any advice on what to do to stop this?

1 Answer
1

I’ve noticed this once myself (can’t remember if it was the same plugin). The captcha sat there, but just submitting the form didn’t trigger an error and worked perfectly, logging me in.

My #1 advice: use a plugin to rename wp-login.php to something else. It will effectively stop these bots (and delay an attacker that is specifically targeting you, but those are very rare), and you just tell your legitimate users about the new URL to use for login. Obviously, that won’t be an option if you have thousands of users, but for your average company site, it is.

You might also want to look into disabling XML-RPC and the REST API if you don’t use them, as they provide more attack surface.

Other than that, it sounds like you’re already set up quite well, and an active stance on security is always a great starting point.
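Added example, not code from the question, the answer, iThemes Security Pro or the captcha plugin mentioned above: a must-use plugin that addresses the two points the answer raises, a CAPTCHA the server actually enforces (the bypass described above is a widget that is drawn but never checked on submit, so a POST with no token goes straight through) and the XML-RPC / anonymous REST API shut-off. It assumes Google reCAPTCHA v2 on the login form with placeholder keys; the `lhe_` function and constant names are mine. Renaming wp-login.php is left to the plugin the answer recommends.

```php
<?php
/**
 * Plugin Name: Login hardening example
 * Description: Added example (not the site's or any named plugin's code). Drop this file into
 *              wp-content/mu-plugins/ so it loads before regular plugins and cannot be deactivated.
 */

// Assumption: a Google reCAPTCHA v2 checkbox on the login form. Placeholder keys, replace them.
const LHE_RECAPTCHA_SITE_KEY   = 'REPLACE_WITH_SITE_KEY';
const LHE_RECAPTCHA_SECRET_KEY = 'REPLACE_WITH_SECRET_KEY';

// 1. Render the widget on wp-login.php (login_form fires inside the <form>, before the submit button).
add_action( 'login_enqueue_scripts', function () {
    wp_enqueue_script( 'lhe-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null, true );
} );
add_action( 'login_form', function () {
    printf( '<div class="g-recaptcha" data-sitekey="%s"></div>', esc_attr( LHE_RECAPTCHA_SITE_KEY ) );
} );

// 2. Enforce it on the server. Priority 40 runs after WordPress has checked the password (priority 20),
//    so a bad password still fails first and an attacker learns nothing extra from the CAPTCHA error.
//    Fail closed: a POST that simply omits the token (what a bot that ignores the widget sends) is
//    rejected exactly like a wrong token. The same filter fires for XML-RPC password logins, which
//    carry no token and are therefore rejected as well.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $is_post = isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'];
    if ( ! $is_post || '' === $username || '' === $password ) {
        return $user; // not a form submission, or the form was empty: nothing to check here
    }
    if ( is_wp_error( $user ) ) {
        return $user; // an earlier filter (wrong password, spam check) already rejected this attempt
    }
    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) $_POST['g-recaptcha-response'] : '';
    if ( '' === $token || ! lhe_captcha_passes( $token ) ) {
        return new WP_Error( 'captcha_failed', __( 'CAPTCHA verification failed.' ) );
    }
    return $user;
}, 40, 3 );

// Ask the verifier whether the token is genuine. Any transport failure counts as a failed check.
function lhe_captcha_passes( $token ) {
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => LHE_RECAPTCHA_SECRET_KEY,
            'response' => $token,
            // Behind an ELB/ALB this is the load balancer's address, not the client's; it is optional.
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false; // verifier unreachable: deny rather than silently let the login through
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data ) && ! empty( $data['success'] );
}

// 3. XML-RPC. 'xmlrpc_enabled' only turns off the methods that require authentication; pingback
//    (the usual amplification/scanning vector) stays on unless its methods are removed too.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] ); // stop advertising the endpoint
    return $headers;
} );

// 4. REST API: require a logged-in user for every /wp-json/ request. Unauthenticated callers get 401,
//    which also closes the /wp/v2/users endpoint that scanners use to enumerate valid usernames.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another check already allowed or denied the request
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', __( 'REST API requires authentication.' ), array( 'status' => 401 ) );
    }
    return $result;
} );
```

To confirm the enforcement is real, submit the login form with the `g-recaptcha-response` field deleted (or POST to wp-login.php with only `log` and `pwd`): a working setup answers with the CAPTCHA error, and a setup like the one in the question logs you in. The REST restriction is deliberately coarse; anything that uses `/wp-json/` anonymously (contact-form plugins, oEmbed discovery, headless front ends) will stop working, which is why the answer scopes it to sites that do not use the API.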
