I have experienced some quite disturbing activity over the last 24 hours or so. Several WordPress websites I know of have been hit by extreme load on the wp-login.php file, and in some cases the load has been high enough to take the server down. I am not sure, but it looks like some kind of aggressive brute force attack that takes place from multiple IP addresses. This means that most traditional WordPress security plugins, which simply limit the number of login attempts from a single IP, are not helping to protect the server from resource burn-out. I found a plugin that seems to help effectively, and I wanted to share this in case you run into this type of attack on your website. The plugin is called Bot Attack Blocker. The idea is very simple, elegant and effective – it blocks access to the wp-login.php file and makes sure the WordPress framework is not loaded if there are more than a specified number of failed logins within a timeframe you specify. The plugin allows you to add your own IP address to ensure you are not blocked.
Once installed, you will find the admin page for Botnet Attack Blocker under Settings. You can set the number of login failures within a specific timeframe needed to trigger the blocker. Further, you can set the duration until the block is released again.
Once set up, you will notice immediately if someone is hitting your site. At the bottom of the admin page you can see a status that tells you whether the site is currently blocked or not. If you test the login page from an IP address that is not whitelisted, you will see a simple page with a warning instead of the login page. This takes the load off the server, and I believe your site will start responding again within a few minutes.
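As an added illustration of the mechanism described above (this is not the plugin's own code), here is a minimal PHP gate that counts failed logins across all client addresses in one sliding window and refuses wp-login.php before WordPress loads once the limit is exceeded. The state file path, the limits and the whitelisted address are assumptions, and the arrow function needs PHP 7.4 or later.

```php
<?php
// Added illustration, not the plugin's code. Include this file from wp-config.php
// (before wp-settings.php) so a blocked request exits before WordPress loads.
// Failures are counted globally, not per IP, so a distributed attack still trips it.
define('BAB_STATE_FILE', __DIR__ . '/.login-failures.json'); // assumed path
define('BAB_MAX_FAILURES', 20);     // failures tolerated inside the window
define('BAB_WINDOW_SECONDS', 300);  // sliding window length
define('BAB_BLOCK_SECONDS', 900);   // how long wp-login.php stays blocked
define('BAB_WHITELIST', ['203.0.113.10']); // your own address (RFC 5737 example range)
function bab_load_state(): array {
    $raw = is_file(BAB_STATE_FILE) ? file_get_contents(BAB_STATE_FILE) : false;
    $state = $raw === false ? null : json_decode($raw, true);
    return is_array($state) ? $state : ['failures' => [], 'blocked_until' => 0];
}
function bab_save_state(array $state): void {
    file_put_contents(BAB_STATE_FILE, json_encode($state), LOCK_EX);
}
// Honour an active block, drop failures older than the window, and arm a new
// block when the remaining failures exceed the limit.
function bab_is_blocked(array &$state, int $now): bool {
    if ($state['blocked_until'] > $now) {
        return true;
    }
    $state['failures'] = array_values(array_filter($state['failures'], fn($t) => $t > $now - BAB_WINDOW_SECONDS));
    if (count($state['failures']) > BAB_MAX_FAILURES) {
        $state['blocked_until'] = $now + BAB_BLOCK_SECONDS;
        $state['failures'] = [];
        return true;
    }
    return false;
}
// Registered from a one-line mu-plugin once WordPress is up:
//   add_action('wp_login_failed', 'bab_record_failure');
function bab_record_failure(): void {
    $state = bab_load_state();
    $state['failures'][] = time();
    bab_save_state($state);
}
// Early gate for wp-login.php only; whitelisted addresses are never blocked.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'wp-login.php'
    && !in_array($_SERVER['REMOTE_ADDR'] ?? '', BAB_WHITELIST, true)) {
    $state = bab_load_state();
    $blocked = bab_is_blocked($state, time());
    bab_save_state($state);
    if ($blocked) {
        http_response_code(503);
        exit('Login temporarily unavailable.');
    }
}
```

The read-modify-write on the JSON file is not atomic under heavy concurrency, so a production version would use a lock or a transient; behind a reverse proxy REMOTE_ADDR is the proxy, so the whitelist check must use the forwarded client address instead.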
Besides adding plugins like this to keep your site safe from botnet attacks, it is always recommended to keep the WordPress core installation, themes and plugins up to date at all times. This prevents hackers from taking advantage of vulnerabilities in old code. Further, it is a good idea to create a new user account and assign the administrator role to it, then downgrade the default admin user to the subscriber role. This protects your site in case the admin user is compromised.
WordPress is a great publishing platform and I enjoy using it; however, popularity and huge market share come at a security cost. With millions of personal and small business websites running on WordPress, it is unfortunately a serious opportunity and an easy target for hackers using automated tools and bot networks to exploit commonly known vulnerabilities and perform brute force attacks on weak passwords. Therefore, any WordPress webmaster must take security seriously and keep an eye on news and possible new solutions to upcoming threats.