  1. #1
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131

    wp-login.php issue

    Today I faced a weird issue. While monitoring our servers I saw hanging wp-login.php processes from a few WordPress users. When the processes start hanging on the server, they also overload the server. I tried checking the wp-login.php file but found nothing suspicious in it.

    Anyone having such an issue?
    TetraHost Bangladesh
    Shared Hosting | Reseller Hosting | Shoutcast Radio Hosting
    Biased for true hosting experience - www.tetrahostbd.com

  2. #2
    Join Date
    Dec 2005
    Posts
    3,077
    Is it the latest version of WordPress?

    WordPress is being targeted heavily at the moment due to the number of recent security issues, so chances are it was someone trying some of those issues to break into the install.

  3. #3
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131
    Yes, most of the accounts are updated.

  4. #4
    Join Date
    Dec 2005
    Posts
    3,077
    We've had the same thing on a few servers; we just have to keep an eye on it at the moment.

  5. #5
    Join Date
    Oct 2004
    Posts
    294
    Yep, same here on all servers I manage: overload due to brute force against wp-login.php.

    Do you have any idea how to prevent this? Any CSF rule that will block more than X attempts to wp-login.php in XX seconds?

  6. #6
    Join Date
    Dec 2005
    Posts
    3,077
    If you are running Apache you could try using FilesMatch. I think this would work:

    Code:
    <FilesMatch wp-login.php>
    Order Allow,Deny
    Allow from xx.xx.xx.xx
    Deny from all
    </FilesMatch>
    Replace xx.xx.xx.xx with the main shared IP of your machine. You could put this inside a virtualhost or, if you were running cPanel, in one of the pre-global include files in /etc/httpd/conf/

  7. #7
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131
    Just block the wp-login.php using mod_sec rules; that will stop the issue for now.

  8. #8
    Join Date
    Mar 2003
    Posts
    446
    I am experiencing this too with some accounts lately. WP installations are probably under attack.

  9. #9
    Join Date
    Mar 2003
    Posts
    446
    Quote Originally Posted by PCS-Chris View Post
    If you are running Apache you could try using FilesMatch. I think this would work:

    Code:
    <FilesMatch wp-login.php>
    Order Allow,Deny
    Allow from xx.xx.xx.xx
    Deny from all
    </FilesMatch>
    Replace xx.xx.xx.xx with the main shared IP of your machine. You could put this inside a virtualhost or, if you were running cPanel, in one of the pre-global include files in /etc/httpd/conf/
    This will also prevent legitimate users from accessing the wp-login.php, right?

  10. #10
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Yeah, we're seeing a HUGE amount of brute forcing attempts against WordPress in the last 24 hours.

    All kinds of ranges, they are just going nuts against all wp-login.php's causing some load issues here 'n there.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  11. #11
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Quote Originally Posted by tetrahost View Post
    just block the wp-login.php using mod_sec rules, that will stop the issue for now.
    ... and how will people (non-admins) then log into their WordPress sites?

  12. #12
    Join Date
    Feb 2004
    Location
    Toronto, ON, Canada
    Posts
    1,404
    Is there an outage currently at WordPress?

    Because I have been getting a lot of connection issues when trying to browse for plugins within the system.

    Perhaps this is related to the wp-login.php?
    VimHost - Providing Web Hosting since 2003: 13 Years of Dedication to our customers
    Email Hosting | RTMP Hosting | FFMPEG Hosting

  13. #13
    Join Date
    Mar 2003
    Posts
    446

  14. #14
    Join Date
    Oct 2004
    Posts
    294
    Quote Originally Posted by mbr View Post
    But what can we do on the server side? It is hard to install plugins for a few hundred WordPress installations... we are searching for any solution based on mod_sec / mod_evasive or CSF...

  15. #15
    Join Date
    May 2009
    Location
    Bangladesh
    Posts
    131
    Quote Originally Posted by Patrick View Post
    ... and how will people (non-admins) then log into their WordPress sites?
    lol! Sorry, I didn't complete the sentence! That is a temporary solution! When you have multiple servers and thousands of WordPress sites, you must act quickly and find a quick solution!

    BTW, you can also ask your service provider to enable the DDoS guard on the server IP, which will resolve the issue as well.

  16. #16
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Hard to block at the server level, mod_security will be no good. If the attackers were using a certain GET/POST string then it would be possible to filter on that... but since it's a brute force attack then it's much harder to filter. In theory, mod_evasive should work once the threshold is reached.

  17. #17

    wp-login.php massive attack

    Just wanted to add a "me-too" to this thread. We have several cPanel/WHM servers, and all of our servers are heavily loaded at the moment, with a wide-range of random IP addresses worldwide hitting / posting to wp-login.php at rates up to 30 times per SECOND.

    We are blocking offending IPs as fast as we can, but it is a bad game of whack-a-mole.

    I've tried to use the CONNLIMIT feature of ConfigServer Firewall (for example 80;5 to limit each IP to 5 new connections to port 80) but it does not do anything to help.

    Many of our customers have the Wordfence plugin to prevent brute force logins, but it's also not effective.

    FYI, there are some new WordPress BruteForce Tools and I suspect they are causing the problem. Do a Google search for "WPBforce WordPress Brute Force Tool" (I can't provide the link since apparently I'm a WHT noob)

  18. #18
    Join Date
    Mar 2012
    Posts
    368
    We are also facing the same issue at this moment.
    ImpressHost Premium Web Hosting | USA, France and UK Locations
    Shared Hosting | Reseller Hosting | cPanel/WHM | LiteSpeed Server | RAID 10
    30 Day Money Back Guarantee - 99.9% Uptime Guarantee - Daily Backups

  19. #19
    Join Date
    Nov 2008
    Location
    Florida, U.S
    Posts
    1,683
    Advise clients to ALWAYS password protect their WP admin folder, as recommended by WordPress.. http://codex.wordpress.org/Hardening...uring_wp-admin

    This, along with CAPTCHA, should take care of brute-force attacks. Don't forget to also advise your clients to FULLY secure WP, as well. There are many tutorials and guides available on the web, and most are very easy to implement. WP can be very secure, if you know what you're doing.
    HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
    Fast Reliable Affordable Secure Friendly & Courteous
    RISK-FREE Money Back Guarantee PCI-Compliant Checkout
    U.S.A Based & Operated Read Through Our Most F.A.Q's!

  20. #20
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Quote Originally Posted by HostLeet View Post
    Advise clients to ALWAYS password protect their WP admin folder, as recommended by WordPress.. http://codex.wordpress.org/Hardening...uring_wp-admin

    This, along with CAPTCHA, should take care of brute-force attacks. Don't forget to also advise your clients to FULLY secure WP, as well. There are many tutorials and guides available on the web, and most are very easy to implement. WP can be very secure, if you know what you're doing.
    We have huge issues getting people to keep WordPress up to date... never mind all of that.

  21. #21
    Join Date
    Nov 2008
    Location
    Florida, U.S
    Posts
    1,683
    Quote Originally Posted by Patrick View Post
    We have huge issues getting people to keep WordPress up to date... never mind all of that.
    I understand that; every host does, I'm sure. However, a comprehensive and very detailed KnowledgeBase plus regular notices/emails (automated or manual) to each of your clients can do wonders. You'd be surprised at how many of your customers actually listen to and trust YOUR advice, as their web host.

    They signed up with your company because they saw you as a leading expert in hosting, so you already have that advantage. Therefore, any advice you can give your clients, especially if it helps protect their website, will be noticed.

  22. #22
    Join Date
    Dec 2005
    Posts
    3,077
    Quote Originally Posted by mbr View Post
    This will also prevent legitimate users from accessing the wp-login.php, right?
    If you have certain sites being attacked you can use this and allow legitimate IPs through with the Allow directive. It's still going to put stress on Apache, but far less than parsing a PHP file.

    Obviously you should use caution if you have a heap of wordpress sites on a server, you will want to add it per virtualhost instead of server-wide.

    Every hit to a blocked file is logged globally, usually in /etc/httpd/logs/error_log e.g.

    Code:
    [Tue Apr 09 22:05:28 2013] [error] [client xx.xx.xx.xx] client denied by server configuration: /home/USER/public_html/wp-login.php
    You could easily create a little bash script to pull IPs from this and ban them. It's not difficult.
    Last edited by PCS-Chris; 04-09-2013 at 05:14 PM.

  23. #23
    Join Date
    Feb 2012
    Location
    Europe
    Posts
    452
    Here too. The IP 94.242.237.111 was making some suspicious hits similar to the brute-force attacks; after blocking this IP the attacks stopped completely. You can try to do the same. It may be the IP they are using now to test the server/site before beginning the attack.
    miscis.com - Providing domains and premium hosting solutions at an affordable price
    cPanel+Softaculous | 99.9% Uptime SLA | CloudLinux | Daily Backups
    Accepting PayPal, Credit/Debit Cards, Liberty Reserve
    Currently in Netherlands, EU & Arizona, USA

  24. #24
    Here too. Saw a blip earlier today; servers went crazy several hours ago.

    I've put together rate limiting in modsec for all wp-login.php pages across our cPanel platform.

  25. #25
    Join Date
    Dec 2012
    Location
    localhost
    Posts
    294
    Same thing happening here. Most of the sites hosted on our servers that are WP are under attack!

  26. #26
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Alright, I think I have a mod_security rule to help mitigate the brute forcing. Add this to your global mod_security config. In my case, it is modsec2.user.conf:

    Code:
    <LocationMatch "^/wp-login.php">
    SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
    SecAction "phase:5,deprecatevar:ip.counter=1/1,pass,nolog,id:313372"
    SecRule IP:COUNTER "@gt 10" "phase:2,pause:120,deny,status:406,setenv:RATELIMITED,skip:1,nolog,id:313373"
    SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
    Header always set Retry-After "10" env=RATELIMITED
    </LocationMatch>
    Also make sure you have SecDataDir specified somewhere, otherwise that rule isn't going to work. My initial tests seem to indicate that it works... but I have yet to confirm if that's the case with an actual attack... they all seemed to have died down for the night? Should know by morning if that works or not; the bold parts probably need some adjusting.
    Last edited by Patrick; 04-09-2013 at 10:22 PM.

  27. #27
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    915
    This issue with wp-login.php caused us headaches today.
    Fortunately, on servers where we run CloudLinux the total CPU load increase was minor, as the attacked account did not affect others and the entire resource usage of the server did not increase.

    As a temporary measure, to protect WordPress installations from brute force logins and hacks, we created a script which found all attacked wp-login.php files on the server, set their permissions to 000 (non-executable and non-readable) and notified the affected customers. With permissions 000, wp-login.php was displaying a "403, access denied" message. We let the customers know that if they need to log in, they should temporarily change the permissions of wp-login.php to 755 and, after logging in, change them back to 000.

    We are working on a more permanent solution though.
    Last edited by NetworkPanda; 04-09-2013 at 10:34 PM.
    Network Panda :: Web Hosting SSD Powered :: Reseller Hosting
    Instant activation, fast servers, SSD disks, cPanel, Softaculous 1-click apps installer, R1Soft, SSL certificates
    Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland

  28. #28
    Join Date
    Mar 2003
    Posts
    446
    Would you guys know which country the attacks are coming from?

  29. #29
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Quote Originally Posted by mbr View Post
    Would you guys know which country the attacks are coming from?
    Everywhere. I'm fine tuning that mod_security rate limiting rule... that will be the answer once I can confirm with 100% certainty that it's effectively stopping the brute forcing + load spikes.

  30. #30
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Alright, here is an updated version of that mod_security rule:

    Code:
    <LocationMatch "^/wp-login.php">
    SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
    SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
    SecRule IP:COUNTER "@gt 1" "phase:2,pause:300,deny,status:406,setenv:RATELIMITED,skip:1,nolog,id:313373"
    SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
    </LocationMatch>
    The rule will be tripped if there are more than 2 requests per every 30 seconds to wp-login.php from the same IP address - I think? Some further testing seems to indicate that it works... like I said earlier, you need SecDataDir set somewhere for that rule to work.

    If someone else has a better suggestion or makes those rules above more efficient, have at it.
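As an added illustration (not Patrick's rule and not ModSecurity's own code), here is a small Python model of what the rule above does for one client IP: each counted request raises the counter by one, the counter drops by 2 for every full 30 seconds since it was last written (deprecatevar:ip.counter=2/30), and any request that arrives while the counter already exceeds 1 is answered with 406 and not counted (skip:1). The decay timing is an approximation of ModSecurity's collection bookkeeping, the 300 ms pause is not modelled, and the client IPs and timestamps in the replay are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Parameters taken from the rule quoted in the thread
DECAY_AMOUNT = 2      # deprecatevar:ip.counter=2/30 -> subtract 2 ...
DECAY_PERIOD = 30.0   # ... for every full 30 seconds that have elapsed
THRESHOLD = 1         # SecRule IP:COUNTER "@gt 1" -> deny once counter > 1
DENY_STATUS = 406     # deny,status:406


@dataclass
class IpCollection:
    """Stand-in for the per-IP collection ModSecurity persists under SecDataDir."""
    counter: int = 0
    last_update: float = 0.0


@dataclass
class WpLoginRateLimiter:
    """Model of the LocationMatch block: one collection per client address."""
    cols: Dict[str, IpCollection] = field(default_factory=dict)

    def request(self, ip: str, now: float) -> int:
        """Handle one hit on wp-login.php at time `now`; return the HTTP status."""
        # initcol:ip=%{REMOTE_ADDR}: load (or create) the collection for this IP
        col = self.cols.setdefault(ip, IpCollection(last_update=now))

        # deprecatevar: decay the counter by DECAY_AMOUNT per full DECAY_PERIOD
        # elapsed since the collection was last written (approximation of the
        # real bookkeeping, which works from the collection's own timestamps)
        periods = int((now - col.last_update) // DECAY_PERIOD)
        if periods > 0 and col.counter > 0:
            col.counter = max(0, col.counter - DECAY_AMOUNT * periods)
            col.last_update = now

        # SecRule IP:COUNTER "@gt 1": deny; skip:1 means the increment below
        # is not executed for a denied request
        if col.counter > THRESHOLD:
            return DENY_STATUS

        # setvar:ip.counter=+1: count this request
        col.counter += 1
        col.last_update = now
        return 200


def simulate(hits: List[Tuple[str, float]]) -> List[int]:
    """Replay (ip, timestamp-in-seconds) pairs through one limiter; return statuses."""
    limiter = WpLoginRateLimiter()
    return [limiter.request(ip, t) for ip, t in hits]


if __name__ == "__main__":
    # Constructed timeline: a client bursts five hits, then comes back ~35 s later
    burst = [("203.0.113.9", t) for t in (0, 1, 2, 3, 4)]
    later = [("203.0.113.9", 39), ("203.0.113.9", 40), ("203.0.113.9", 41)]
    print(simulate(burst + later))   # [200, 200, 406, 406, 406, 200, 200, 406]
```

The replay shows the practical shape of the limit: two hits get through, everything after that in the same window is refused, and a client that stays quiet for a full period gets two more. Because the denied requests do not touch the counter, a bot that keeps hammering is not "extending" its own block; tune DECAY_AMOUNT and DECAY_PERIOD together, since the effective allowance is DECAY_AMOUNT requests per DECAY_PERIOD plus the initial burst of THRESHOLD + 1.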

  31. #31
    Join Date
    Jan 2010
    Location
    USA
    Posts
    2,148
    We have been seeing this for months. Hackers are trying to brute force guess the WordPress admin account password in every site that uses WordPress.

    Use CloudLinux to throttle the CPU usage per site, so no single site can overload the server when this happens (the latest CloudLinux 6 is fantastic). And tell all of your WordPress-based customers to install the Better WP Security plugin. That plugin will auto-block IP addresses that hammer on the login page. It keeps the CPU usage in check nicely.

    Also, once customers install the Better WP Security plugin, it is easy for the customers to change the admin username. If you change the admin username, hackers will never be able to guess the password for admin, since the username will no longer be admin.
    No Support Linux Hosting Bargain cPanel Hosting Experts Only
    We IGNORE the support questions, and pass the SAVINGS on to YOU!
    We also ignore questions about VPS Hosting

  32. #32
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,776
    We saw the same issue across several servers today.
    I used DDoS Deflate and set the threshold at about 30; that seems to have slowed them down quite a bit.

    From what I could see, the pattern was 20-30 logins at a time, wait about 1-2 seconds, and then 20-30 more attempts. I suspect that was their way of avoiding things such as CSF blocking them. Since it was hitting several WordPress sites at once from different IPs, it was getting impossible to lock them down by hand. However, DDoS Deflate seems to have slowed them down. Patrick, I will give your mod_sec rule a go if they come back again later, which I suspect they will, and see which works best.

  33. #33
    Join Date
    Apr 2011
    Location
    Core Files
    Posts
    7,580


    ........

  34. #34
    Join Date
    Mar 2003
    Posts
    446
    Quote Originally Posted by PCS-Chris View Post
    If you are running Apache you could try using FilesMatch. I think this would work:

    Code:
    <FilesMatch wp-login.php>
    Order Allow,Deny
    Allow from xx.xx.xx.xx
    Deny from all
    </FilesMatch>
    Replace xx.xx.xx.xx with the main shared IP of your machine. You could put this inside a virtualhost or, if you were running cPanel, in one of the pre-global include files in /etc/httpd/conf/
    Using this code, is it possible to add "allowed" installations, like allowing "/home/foo/public_html/wp-login.php" and "/home/bar/public_html/wordpress/wp-login.php" but blocking all else?

  35. #35
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Just to confirm, I have seen real world attacks now being filtered by that mod_security rule I posted last night. Seems to be working with the 2 for every 30 second rule.


    modsec2.user.conf:

    Code:
    <LocationMatch "^/wp-login.php">
    SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
    SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
    SecRule IP:COUNTER "@gt 1" "phase:2,pause:300,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
    SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
    </LocationMatch>
    modsec2.conf:

    Make sure SecDataDir is present. For example, I use: SecDataDir /usr/local/apache/logs/modsec and that directory has to exist and be writable by the web server. I have it chowned root:nobody and that seems sufficient.
    Edit:

    I changed the SecRule from nolog to log so that the requests will show up in Apache's error_log. When the rate limit is tripped and the request denied with a 406 Not Acceptable code, this is how it will show up in the error_log:

    Code:
    [error] [client 173.252.x.x] ModSecurity: Pausing transaction for 300 msec. [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "UWVVwkPekOMAAELdSJ4AAAA2"]
    [error] [client 173.252.x.x] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 1 at IP:counter. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "168"] [id "313373"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "UWVVwkPekOMAAELdSJ4AAAA2"]
    Last edited by Patrick; 04-10-2013 at 08:08 AM.
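Post #22 suggested a small script to pull IPs out of error_log and ban them, and the 406 lines in the post above are the other entry type a rate-limited wp-login.php hit leaves behind. The following Python script is an added example (not code from either poster) that recognises both entry types, counts refused wp-login.php hits per client IP, and lists the IPs that cross a threshold, formatted as csf -d lines for an operator to review. The log lines, IPs and hostname are constructed; the client regex accepts both the Apache 2.2 "[client IP]" and the Apache 2.4 "[client IP:port]" field.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# "[client IP]" (Apache 2.2) or "[client IP:port]" (Apache 2.4)
CLIENT_RE = re.compile(r"\[client ([0-9A-Fa-f.:]+?)(?::\d+)?\]")

# Entry Apache writes when Order/Deny refuses the file (the FilesMatch approach)
APACHE_DENY_RE = re.compile(r"client denied by server configuration: \S*/wp-login\.php")
# Entry mod_security writes when the rate-limit rule denies the request
MODSEC_DENY_RE = re.compile(
    r'ModSecurity: Access denied with code \d+.*\[uri "[^"]*/wp-login\.php"\]'
)

# Constructed sample error_log content (documentation-range IPs, made-up ids)
SAMPLE_ERROR_LOG = """\
[Tue Apr 09 22:05:28 2013] [error] [client 198.51.100.7] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:29 2013] [error] [client 198.51.100.7] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:30 2013] [error] [client 198.51.100.7] client denied by server configuration: /home/USER/public_html/wp-login.php
[Tue Apr 09 22:05:31 2013] [error] [client 192.0.2.44] File does not exist: /home/USER/public_html/favicon.ico
[Tue Apr 09 22:05:32 2013] [error] [client 203.0.113.9] ModSecurity: Pausing transaction for 300 msec. [hostname "example.com"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED0001"]
[Tue Apr 09 22:05:32 2013] [error] [client 203.0.113.9] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 1 at IP:counter. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "168"] [id "313373"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED0001"]
[Tue Apr 09 22:05:33 2013] [error] [client 203.0.113.9:51234] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 1 at IP:counter. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "168"] [id "313373"] [hostname "example.com"] [uri "/blog/wp-login.php"] [unique_id "CONSTRUCTED0002"]
[Tue Apr 09 22:05:34 2013] [error] [client 192.0.2.44] client denied by server configuration: /home/OTHER/public_html/wp-login.php
"""


def offending_ip(line: str) -> Optional[str]:
    """Return the client IP if `line` records a refused wp-login.php hit, else None."""
    if not (APACHE_DENY_RE.search(line) or MODSEC_DENY_RE.search(line)):
        return None
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def count_offenders(lines: Iterable[str]) -> Dict[str, int]:
    """Count refused wp-login.php hits per client IP over the given log lines."""
    counts: Counter = Counter()
    for line in lines:
        ip = offending_ip(line)
        if ip is not None:
            counts[ip] += 1
    return dict(counts)


def ban_candidates(counts: Dict[str, int], threshold: int) -> List[str]:
    """IPs with at least `threshold` refused hits, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def csf_deny_commands(ips: Iterable[str]) -> List[str]:
    """Build the `csf -d` lines an operator would review before running them."""
    return [f'csf -d {ip} "wp-login.php brute force"' for ip in ips]


if __name__ == "__main__":
    counts = count_offenders(SAMPLE_ERROR_LOG.splitlines())
    for cmd in csf_deny_commands(ban_candidates(counts, threshold=2)):
        print(cmd)
```

To run it against a live server, replace SAMPLE_ERROR_LOG.splitlines() with the lines of /etc/httpd/logs/error_log (or whatever ErrorLog points at). The threshold matters: a single refused hit can be a customer behind a shared or NAT address, so ban on repeated hits rather than on one, and keep the generated commands as output to review rather than piping them straight into the firewall.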

  36. #36
    Join Date
    Dec 2005
    Posts
    3,077
    Quote Originally Posted by mbr View Post
    Using this code, is it possible to add "allowed" installations like allow "/home/foo/public_html/wp-login.php" and "/home/bar/public_html/wordpress/wp-login.php" but block all else?
    A lot of my clients are web design/development firms, so it's not a problem, as only the developers need the ability to log in.

    If you are on a typical shared environment you are better off rate limiting with mod_security. I just prefer to ban the IPs at the firewall before the requests reach Apache.

  37. #37
    Quote Originally Posted by Patrick View Post
    <LocationMatch "^/wp-login.php">
    The regex having ^ at the start will only match WordPress installs on the root of the domain.

    To catch ones that are installed in sub-directories, drop the ^ from the match:

    Code:
    <LocationMatch "/wp-login.php">

  38. #38
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    I should mention, with the code I posted above, make sure you have a proper ErrorDocument 406 set up in the global Apache or mod_security config. For example:

    modsec2.user.conf:

    Code:
    <LocationMatch "/wp-login.php">
    SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
    SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
    SecRule IP:COUNTER "@gt 1" "phase:2,pause:300,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
    SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
    </LocationMatch>

    ErrorDocument 406 "Not Acceptable"
    When a bot or a user tries to brute force wp-login.php they will receive a simple plain text page saying Not Acceptable instead of being redirected to a WordPress error page. This will help cut down on the load issues even further.

  39. #39
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    Quote Originally Posted by steadramon View Post
    The regex having ^ at the start will only match Wordpress installs on the root of the domain.

    To catch ones that are installed in sub-directories from the ^ from the match:

    Code:
    <LocationMatch "/wp-login.php">
    Didn't see that, thanks! I have reported this thread to a mod to have them remove the old code and create a summary on the front to save people time.

  40. #40
    Quote Originally Posted by Patrick View Post
    Didn't see that, thanks! I have reported this thread to a mod to have them remove the old code and create a summary on the front to save people time.
    As a side note I also have

    Code:
    SecRule REQUEST_METHOD "(^POST$)" ...
    in the ruleset to match only when actually POSTing data to wp-login.php
