  1. #1
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131

    wp-login.php issue

    Today I faced a weird issue. While monitoring our servers I saw hanging wp-login.php processes from a few WordPress users. When the processes start hanging on the server, they also overload the server. I tried checking the wp-login.php file but found nothing suspicious in it.

    Anyone having such an issue?
    TetraHost Bangladesh
    Shared Hosting | Reseller Hosting | Shoutcast Radio Hosting
    Biased for true hosting experience - www.tetrahostbd.com

  2. #2
    Join Date
    Dec 2005
    Posts
    3,077
    Is it the latest version of WordPress?

    WordPress is being targeted heavily at the moment due to the number of recent security issues, so chances are it was someone trying some of those issues to break into the install.

  3. #3
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131
    Yes, most of the accounts are updated.

  4. #4
    Join Date
    Dec 2005
    Posts
    3,077
    We've had the same thing on a few servers; we just have to keep an eye on it at the moment.

  5. #5
    Join Date
    Oct 2004
    Posts
    294
    Yep, same here on all servers I manage: overload due to brute force against wp-login.php.

    Do you have any idea how to prevent this? Any csf rule that will block more than X attempts to wp-login.php in XX seconds?

  6. #6
    Join Date
    Dec 2005
    Posts
    3,077
    If you are running Apache you could try using FilesMatch. I think this would work:

    Code:
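    <FilesMatch "^wp-login\.php$">
    # Deny,Allow evaluates Deny first, so the Allow line below still applies;
    # with Allow,Deny the "Deny from all" would also block the allowed IP.
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx
    </FilesMatch>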
    Replace xx.xx.xx.xx with the main shared IP of your machine. You could put this inside a virtualhost or, if you were running cPanel, one of the pre-global include files in /etc/httpd/conf/

  7. #7
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131
    just block the wp-login.php using mod_sec rules, that will stop the issue for now.

  8. #8
    Join Date
    Mar 2003
    Posts
    439
    I am experiencing this too with some accounts lately. WP installations are probably under attack.

  9. #9
    Join Date
    Mar 2003
    Posts
    439
    Quote Originally Posted by PCS-Chris View Post
    If you are running Apache you could try using FilesMatch. I think this would work:

    Code:
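    <FilesMatch "^wp-login\.php$">
    # Deny,Allow evaluates Deny first, so the Allow line below still applies;
    # with Allow,Deny the "Deny from all" would also block the allowed IP.
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx
    </FilesMatch>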
    Replace xx.xx.xx.xx with the main shared IP of your machine. You could put this inside a virtualhost or, if you were running cPanel, one of the pre-global include files in /etc/httpd/conf/
    This will also prevent legitimate users from accessing the wp-login.php, right?

  10. #10
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Yeah, we're seeing a HUGE amount of brute forcing attempts against WordPress in the last 24 hours.

    All kinds of ranges, they are just going nuts against all wp-login.php's causing some load issues here 'n there.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  11. #11
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Quote Originally Posted by tetrahost View Post
    just block the wp-login.php using mod_sec rules, that will stop the issue for now.
    ... and how will people (non-admins) then log into their WordPress sites?

  12. #12
    Join Date
    Feb 2004
    Location
    Toronto, ON, Canada
    Posts
    1,378
    Is there an outage currently at WordPress?

    Because I have been getting a lot of connection issues when trying to browse for plugins within the system.

    Perhaps this is related to the wp-login.php?
    VimHost█ Providing Web Hosting since 2003: 13 Years of Dedication to our customers
    Email Hosting | RTMP Hosting | FFMPEG Hosting

  13. #13
    Join Date
    Mar 2003
    Posts
    439

  14. #14
    Join Date
    Oct 2004
    Posts
    294
    Quote Originally Posted by mbr View Post
    But what can we do on the server side? It is hard to install plugins for a few hundred WordPress installations... We are searching for any solution based on mod_sec / mod_evasive or csf...

  15. #15
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131
    Quote Originally Posted by Patrick View Post
    ... and how will people (non-admins) then log into their WordPress sites?
    lol! Sorry, I didn't complete the sentence! That is a temporary solution! When you have multiple servers and thousands of WordPress sites, you must act quickly and find a quick solution!

    Btw, you can also ask your service provider to enable the ddos guard on the server IP, which will resolve the issue as well.

  16. #16
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Hard to block at the server level, mod_security will be no good. If the attackers were using a certain GET/POST string then it would be possible to filter on that... but since it's a brute force attack then it's much harder to filter. In theory, mod_evasive should work once the threshold is reached.

  17. #17

    wp-login.php massive attack

    Just wanted to add a "me-too" to this thread. We have several cPanel/WHM servers, and all of our servers are heavily loaded at the moment, with a wide range of random IP addresses worldwide hitting / posting to wp-login.php at rates up to 30 times per SECOND.

    We are blocking offending IPs as fast as we can, but it is a bad game of whack-a-mole.

    I've tried to use the CONNLIMIT feature of ConfigServer Firewall (for example 80;5 to limit each IP to 5 new connections to port 80) but it does not do anything to help.

    Many of our customers have the Wordfence plugin to prevent brute force logins, but it's also not effective.

    FYI, there are some new WordPress BruteForce Tools and I suspect they are causing the problem. Do a Google search for "WPBforce WordPress Brute Force Tool" (I can't provide the link since apparently I'm a WHT noob)

  18. #18
    Join Date
    Mar 2012
    Posts
    344
    We are also facing the same issue at this moment.
    ImpressHost Premium Web Hosting| USA, Franch and UK Location
    Shared Hosting | Reseller Hosting | cPanel/WHM | LiteSpeed Server | RAID 10
    30 Day Money Back Guarantee - 99.9% Uptime Guarantee - Daily Backups

  19. #19
    Join Date
    Nov 2008
    Location
    Florida, U.S
    Posts
    1,683
    Advise clients to ALWAYS password protect their WP admin folder, as recommended by WordPress.. http://codex.wordpress.org/Hardening...uring_wp-admin

    This, along with CAPTCHA, should take care of brute-force attacks. Don't forget to also advise your clients to FULLY secure WP, as well. There are many tutorials and guides available on the web, and most are very easy to implement. WP can be very secure, if you know what you're doing.
    HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
    Fast Reliable Affordable Secure Friendly & Courteous
    RISK-FREE Money Back Guarantee PCI-Compliant Checkout
    U.S.A Based & Operated Read Through Our Most F.A.Q's!

  20. #20
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Quote Originally Posted by HostLeet View Post
    Advise clients to ALWAYS password protect their WP admin folder, as recommended by WordPress.. http://codex.wordpress.org/Hardening...uring_wp-admin

    This, along with CAPTCHA, should take care of brute-force attacks. Don't forget to also advise your clients to FULLY secure WP, as well. There are many tutorials and guides available on the web, and most are very easy to implement. WP can be very secure, if you know what you're doing.
    We have huge issues getting people to keep WordPress up to date... never mind all of that.

  21. #21
    Join Date
    Nov 2008
    Location
    Florida, U.S
    Posts
    1,683
    Quote Originally Posted by Patrick View Post
    We have huge issues getting people to keep WordPress up to date... never mind all of that.
    I understand that, every host does, I'm sure. However, a comprehensive and very detailed KnowledgeBase + regular notices/emails (automated or manual) to each of your clients can do wonders. You'd be surprised at how many of your customers actually listen to and trust YOUR advice, as their web host.

    They signed up with your company because they saw you as a leading expert in hosting, so you already have that advantage. Therefore, any advice you can give your clients, especially if it helps protect their website, will be noticed.

  22. #22
    Join Date
    Dec 2005
    Posts
    3,077
    Quote Originally Posted by mbr View Post
    This will also prevent legitimate users from accessing the wp-login.php, right?
    If you have certain sites being attacked you can use this and allow legitimate IPs through with the allow directive. It's still going to put stress on Apache but far less than parsing a PHP file.

    Obviously you should use caution if you have a heap of WordPress sites on a server; you will want to add it per virtualhost instead of server-wide.

    Every hit to a blocked file is logged globally, usually in /etc/httpd/logs/error_log e.g.

    Code:
    [Tue Apr 09 22:05:28 2013] [error] [client xx.xx.xx.xx] client denied by server configuration: /home/USER/public_html/wp-login.php
    You could easily create a little bash script to pull IPs from this and ban them. It's not difficult.
    Last edited by PCS-Chris; 04-09-2013 at 05:14 PM.
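
An added example (not part of the original posts): a dry-run shell script for the log-scraping approach described in post #22. It goes slightly beyond the quoted Apache 2.2 line by also accepting the Apache 2.4 `[client IP:port]` form; the sample log, the thresholds and the function names are constructed for illustration, and the `csf -d` commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: find clients repeatedly denied on wp-login.php in an Apache
# error_log and print (dry run) the csf commands that would ban them.

# Constructed sample log; addresses are from documentation ranges.
sample_log() {
cat <<'EOF'
[Tue Apr 09 22:05:28 2013] [error] [client 192.0.2.10] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:28 2013] [error] [client 198.51.100.7] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:29 2013] [error] [client 192.0.2.10] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:29 2013] [error] [client 203.0.113.5] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:30 2013] [error] [client 198.51.100.7] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:30 2013] [error] [client 192.0.2.10] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:31 2013] [error] [client 198.51.100.7] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:31.204113 2013] [authz_core:error] [pid 4021] [client 198.51.100.7:51234] AH01630: client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:32 2013] [error] [client 203.0.113.5] client denied by server configuration: /home/USER/public_html/.htaccess
EOF
}

# denied_ips THRESHOLD: reads an error_log on stdin and prints "COUNT IP"
# for every client denied on wp-login.php at least THRESHOLD times.
denied_ips() {
    awk -v min="$1" '
        /client denied by server configuration: .*\/wp-login\.php(,|$)/ {
            ip = ""
            # the address is the token that follows "[client"
            for (i = 1; i < NF; i++) if ($i == "[client") { ip = $(i + 1); break }
            sub(/\]$/, "", ip)        # drop the closing bracket
            sub(/:[0-9]+$/, "", ip)   # drop the source port (Apache 2.4)
            # only a dotted quad may ever reach the firewall command line
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# ban_commands THRESHOLD: dry run, prints one csf deny command per offender.
ban_commands() {
    denied_ips "$1" | while read -r count ip; do
        printf 'csf -d %s "wp-login.php denied %s times"\n' "$ip" "$count"
    done
}

sample_log | ban_commands 3
```

On a real server, feed the live error_log to `denied_ips` on stdin and exclude your own and your customers' known addresses before turning the dry run into real bans.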

  23. #23
    Join Date
    Feb 2012
    Location
    Europe
    Posts
    452
    Here too. The IP 94.242.237.111 was making some suspicious hits similar to the bruteforce attacks, after blocking this IP the attacks stopped completely. You can try to do the same, it may be the IP they are using now to test the server/site before beginning the attack.
    miscis.com - Providing domains and premium hosting solutions at an affordable price
    cPanel+Softaculous | 99.9% Uptime SLA | CloudLinux | Daily Backups
    █ Accepting PayPal, Credit/Debit Cards, Liberty Reserve
    Currently in Netherlands, EU & Arizona, USA

  24. #24
    Here too, saw a blip earlier today, servers went crazy several hours ago.

    I've put together rate limiting in modsec for all wp-login.php pages across our cPanel platform.

  25. #25
    Join Date
    Dec 2012
    Location
    localhost
    Posts
    294
    Same thing happening here. Most of the sites hosted on our servers that are WP are under attack!
