Massive increase in Wordpress logins

Post Reply
Paarsch
Junior Member
Posts: 5
Joined: 05 Apr 2017, 11:00

Massive increase in Wordpress logins

Post by Paarsch »

Hello!

I'm not sure if anyone else is seeing the same trend, but i am noticing a massive increase in wp-login attempts lately. This is something i see in the logs of most domains across most, if not all my hosting servers. The originating countries are all over the world; USA, UK Germany Vietnam, Indonesia to Brasil.

Some domains have login attempt from a staggering 5000~6000 unique IP addresses a day. I made a regex rule specifically for these attempts which works as it should. Only because of the shear volume my deny list gets completely flush at least once a day. The logs look like this:

Code: Select all

[18/Jun/2019:00:35:26 +0200] "GET /wp-login.php HTTP/1.0" 200 1872 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[18/Jun/2019:00:35:27 +0200] "POST /wp-login.php HTTP/1.0" 200 2306 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[18/Jun/2019:00:35:28 +0200] "GET /wp-login.php HTTP/1.0" 200 1872 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
[18/Jun/2019:00:35:28 +0200] "POST /wp-login.php HTTP/1.0" 200 2288 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Is anyone else seeing this trend? what would be a suitable solution to these attacks? dump all the IP's in a extra IP block list? Or is there a more elegant solution?

Kind Regards.
mikerotec
Junior Member
Posts: 2
Joined: 29 Jul 2019, 16:35

Re: Massive increase in Wordpress logins

Post by mikerotec »

:) Can you share that regex rule? I'm new to this, and we get a lot of similar 'multiple-IP' exploits...
Post Reply