I installed the plugin Simple Login Lockdown, and for the past couple of days the database has been recording over 200 records per day.
I think it is not possible for my site to be attacked by so many IPs.
Do you think there is something wrong?
There is currently a botnet active, attacking WordPress and Joomla sites. And probably more. You should see more blocked logins. If you don't, there is probably something wrong.
But be aware, blocking IP addresses doesn't help against a botnet with more than 90,000 IP addresses.
And if you do that per plugin, avoid Limit Login Attempts. It stores the IPs in a serialized option that has to be unserialized on each request. This is very expensive and slow.
Find a plugin that uses a separate database table or block the IP addresses in your .htaccess like this:
order allow,deny
# top 30 IP addresses listed in
# http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html
deny from 31.184.238.38
deny from 178.151.216.53
deny from 91.224.160.143
deny from 195.128.126.6
deny from 85.114.133.118
deny from 177.125.184.8
deny from 89.233.216.203
deny from 89.233.216.209
deny from 109.230.246.37
deny from 188.175.122.21
deny from 46.119.127.1
deny from 176.57.216.198
deny from 173.38.155.22
deny from 67.229.59.202
deny from 94.242.237.101
deny from 209.73.151.64
deny from 212.175.14.114
deny from 78.154.105.23
deny from 50.116.27.19
deny from 195.128.126.114
deny from 78.153.216.56
deny from 31.202.217.135
deny from 204.93.60.182
deny from 173.38.155.8
deny from 204.93.60.75
deny from 50.117.59.3
deny from 209.73.151.229
deny from 216.172.147.251
deny from 204.93.60.57
deny from 94.199.51.7
deny from 204.93.60.185
allow from all
See also:
Our tag security is also worth a look, especially:
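As an added example (not code from either answer, and not an existing plugin), here is a minimal plugin that does what the answer recommends: it keeps failed logins in its own indexed table, so each request costs one indexed COUNT() instead of unserializing an ever-growing option. The table name, the thresholds (5 failures per IP within 15 minutes), the hook priorities and every `example_lf_*` name are assumptions chosen for illustration; the WordPress hooks and `$wpdb` calls themselves are core APIs.

```php
<?php # -*- coding: utf-8 -*-
/* Plugin Name: Login failures in a separate table (added example) */

// Added example, not from the original answers. Table layout, thresholds and
// the example_lf_* names are assumptions; the hooks and $wpdb calls are core.
defined( 'ABSPATH' ) || exit;

define( 'EXAMPLE_LF_MAX_FAILURES', 5 );   // this many failures per IP ...
define( 'EXAMPLE_LF_WINDOW', 900 );       // ... within 15 minutes blocks the IP

function example_lf_table() {
    global $wpdb;
    return $wpdb->prefix . 'login_failures';
}

// Create the table on activation. One row per failed attempt, indexed on
// (ip, attempted_at), so the lookup below never touches more rows than needed.
function example_lf_install() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( 'CREATE TABLE ' . example_lf_table() . " (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        ip varchar(45) NOT NULL,
        attempted_at datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY ip_time (ip, attempted_at)
    ) " . $wpdb->get_charset_collate() . ';' );
}
register_activation_hook( __FILE__, 'example_lf_install' );

// REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a trusted
// reverse proxy overwrites it, so trusting it lets a bot evade its own block.
function example_lf_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lf_window_start() {
    return gmdate( 'Y-m-d H:i:s', time() - EXAMPLE_LF_WINDOW );
}

// Count recent failures for one IP; served by the (ip, attempted_at) index.
function example_lf_recent_failures( $ip ) {
    global $wpdb;
    return (int) $wpdb->get_var( $wpdb->prepare(
        'SELECT COUNT(*) FROM ' . example_lf_table() . ' WHERE ip = %s AND attempted_at > %s',
        $ip,
        example_lf_window_start()
    ) );
}

// Core fires wp_login_failed for every rejected login (wrong password,
// unknown user, and our own rejection below), so blocked retries keep counting.
add_action( 'wp_login_failed', 'example_lf_record_failure' );
function example_lf_record_failure( $username ) {
    global $wpdb;
    $wpdb->insert(
        example_lf_table(),
        array( 'ip' => example_lf_client_ip(), 'attempted_at' => current_time( 'mysql', true ) ),
        array( '%s', '%s' )
    );
}

// Priority 40 runs after core's username/email + password filters (priority 20),
// so a correct password cannot override the block. An earlier priority would
// not be enough: wp_authenticate_username_password() ignores a WP_Error it is
// handed when username and password are non-empty and returns its own result.
add_filter( 'authenticate', 'example_lf_block', 40, 3 );
function example_lf_block( $user, $username, $password ) {
    if ( example_lf_recent_failures( example_lf_client_ip() ) >= EXAMPLE_LF_MAX_FAILURES ) {
        return new WP_Error(
            'example_lf_blocked',
            'Too many failed logins from your address. Try again later.'
        );
    }
    return $user;
}

// Prune rows outside the window hourly so the table and the COUNT() stay small.
add_action( 'example_lf_prune', 'example_lf_prune_rows' );
function example_lf_prune_rows() {
    global $wpdb;
    $wpdb->query( $wpdb->prepare(
        'DELETE FROM ' . example_lf_table() . ' WHERE attempted_at < %s',
        example_lf_window_start()
    ) );
}
add_action( 'init', 'example_lf_schedule_prune' );
function example_lf_schedule_prune() {
    if ( ! wp_next_scheduled( 'example_lf_prune' ) ) {
        wp_schedule_event( time(), 'hourly', 'example_lf_prune' );
    }
}
```

What this buys is cheap lookups, not immunity: as the answer says, per-IP counting does little against a botnet that rotates through tens of thousands of addresses, because each address gets its five free attempts. If the site sits behind a reverse proxy, `example_lf_client_ip()` must be changed to read the header that proxy sets, and only that header, or every visitor will share the proxy's address and be blocked together.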
If you have moved wp-admin or your wp-login.php, these URLs can still be guessed by appending /login or /admin to the main URL. WordPress will redirect these requests to the correct location.
To stop that behavior you can use a very simple plugin:
<?php # -*- coding: utf-8 -*-
/* Plugin Name: No admin short URLs */
// Core hooks wp_redirect_admin_locations() to template_redirect at priority 1000
// (wp-includes/default-filters.php); the priority must match for the removal to take effect.
remove_action( 'template_redirect', 'wp_redirect_admin_locations', 1000 );
I think this is security by obscurity – nothing serious.