Login Bots

The original reason I installed Better WP Security was to help prevent brute force attacks on the login screen.  Thankfully it does much more.  You can block an IP address for a length of time after a certain number of failed attempts.  You can also permanently ban an IP after a number of lockouts (or you can do it manually).

That has worked for a long while, but over the last three or so days I’ve experienced a new kind of attack.  I believe it’s a bot attack.  Rather than have each bot try a large number of times, they seem to try only enough times to stay under the lockout threshold.  They then try again a few hours later and keep repeating the process.  The number of IPs that have recently tried to log in is fairly large.  It’s too coordinated to be anything but someone controlling bots.  I randomly checked some IPs and found many were from Russia and other parts of Europe.

I found out about the attack because three IPs tripped the lockout.  By the time I looked at my logs, there were five pages of recent failed login attempts and only three lockouts.  Needless to say, my threshold was probably too high even though I had already lowered it from the default setting.  In looking at the logs, I found many IPs that had tried to log in repeatedly, so I manually added them to the blocked IPs list and lowered the threshold even further.
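As an added example (this is not code from the post or from Better WP Security), the script below shows why a per-IP lockout counter misses the pattern described above and what does catch it: counting failures per targeted account across all source IPs over a long window, and keeping a lifetime count per IP with no reset. The log format (timestamp, IP, username), the TEST-NET addresses, the usernames and all thresholds are assumptions chosen for the example; the log lines are constructed, not real traffic.

```python
"""Detect a distributed, low-and-slow brute force against a login form.

Constructed example: a per-IP threshold (the plugin-style rule) sees only
short bursts from each bot, so it never locks them out.  Aggregating the
failures per targeted account, and counting per-IP failures without a
time window, exposes the campaign.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple


class Fail(NamedTuple):
    when: datetime
    ip: str
    user: str


def parse_line(line: str) -> Fail:
    """Parse one constructed log line: '<ISO timestamp> <ip> <username>'."""
    ts, ip, user = line.split()
    return Fail(datetime.fromisoformat(ts), ip, user)


def make_sample_log() -> List[str]:
    """Build constructed failed-login lines (assumed format, not real data).

    Six bot IPs each try 3 passwords against 'admin', wait four hours and
    repeat, three waves in total: always under a 5-failure lockout rule.
    One noisy IP fires 5 attempts in under a minute; one user mistypes twice.
    """
    lines = []
    t0 = datetime(2013, 4, 10, 1, 0, 0)
    bots = [f"203.0.113.{i}" for i in range(1, 7)]  # TEST-NET-3 addresses
    for wave in range(3):
        base = t0 + timedelta(hours=4 * wave)
        for k, ip in enumerate(bots):
            for n in range(3):
                t = base + timedelta(minutes=2 * k, seconds=20 * n)
                lines.append(f"{t.isoformat()} {ip} admin")
    for n in range(5):  # noisy IP: trips the per-IP rule on its own
        t = t0 + timedelta(hours=1, seconds=10 * n)
        lines.append(f"{t.isoformat()} 198.51.100.9 admin")
    for n in range(2):  # a legitimate user with two typos
        t = t0 + timedelta(hours=2, seconds=30 * n)
        lines.append(f"{t.isoformat()} 192.0.2.44 alice")
    return sorted(lines)


def per_ip_lockouts(fails: List[Fail], max_fails: int = 5,
                    window: timedelta = timedelta(minutes=15)) -> Dict[str, int]:
    """Plugin-style rule: lock an IP after max_fails failures inside window.

    Returns {ip: number_of_lockouts}.  The counter resets after a lockout,
    so bots that stop at max_fails - 1 per visit are never counted.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    lockouts: Dict[str, int] = defaultdict(int)
    for f in fails:
        q = recent[f.ip]
        q.append(f.when)
        while q and f.when - q[0] > window:
            q.popleft()
        if len(q) >= max_fails:
            lockouts[f.ip] += 1
            q.clear()
    return dict(lockouts)


def targeted_accounts(fails: List[Fail], window: timedelta = timedelta(hours=24),
                      min_fails: int = 10, min_ips: int = 3) -> Dict[str, Tuple[int, int]]:
    """Aggregate rule: per username, failures and distinct IPs in a long window.

    Flags an account when either count looks like a coordinated campaign.
    Returns {username: (max_failures_seen, max_distinct_ips_seen)}.
    """
    recent: Dict[str, Deque[Fail]] = defaultdict(deque)
    flagged: Dict[str, Tuple[int, int]] = {}
    for f in fails:
        q = recent[f.user]
        q.append(f)
        while q and f.when - q[0].when > window:
            q.popleft()
        n_ips = len({x.ip for x in q})
        if len(q) >= min_fails or n_ips >= min_ips:
            flagged[f.user] = max(flagged.get(f.user, (0, 0)), (len(q), n_ips))
    return flagged


def repeat_offenders(fails: List[Fail], min_total: int = 6) -> List[str]:
    """Lifetime failure count per IP with no time window.

    This is the check that catches an IP returning every few hours to stay
    under the burst threshold; the result is a candidate permanent-ban list.
    """
    totals: Dict[str, int] = defaultdict(int)
    for f in fails:
        totals[f.ip] += 1
    return sorted(ip for ip, n in totals.items() if n >= min_total)


def analyse(lines: List[str]) -> dict:
    """Run all three rules over the parsed log and return their verdicts."""
    fails = sorted(parse_line(line) for line in lines)
    return {
        "lockouts": per_ip_lockouts(fails),
        "targeted": targeted_accounts(fails),
        "repeat": repeat_offenders(fails),
    }


if __name__ == "__main__":
    for rule, verdict in analyse(make_sample_log()).items():
        print(f"{rule}: {verdict}")
```

On the constructed data the per-IP rule locks out only the one noisy address, while the six bots, with 54 failures between them, go unnoticed; the account-level rule flags `admin` at once, and the lifetime counter lists all six bots for a manual ban. Lowering the burst threshold to three would catch these particular bots, but an attacker who knows the threshold can drop to two, so the durable signals are the per-account aggregate and the no-reset per-IP total. The same logic can be run over the plugin's own failed-login log or over the web server access log, as long as each record yields a timestamp, a source IP and the targeted username.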

Keeping this website gives me interesting insights into the various things people come up with to attack or spam sites.  It’s really quite a learning experience.