For some time we have been observing increasingly frequent attacks consisting of attempts to log in to WordPress, i.e. attempts to break the password. These are requests to the address /wp-admin, but most of them lead to the destination address that is used to log in to the WordPress dashboard: /wp-login.php.
There are a great many such login attempts. Here are example statistics of login attempts from the last few days on our servers:
Day: 01.04.2019 – 1 612 536 login attempts
Day: 02.04.2019 – 1 790 586 login attempts
Day: 03.04.2019 – 1 220 636 login attempts
Day: 04.04.2019 – 1 841 637 login attempts
Day: 05.04.2019 – 949 847 login attempts
What do such attacks cause?
- a password may be broken when the attacker “guesses” it.
- the number of connections to WordPress can saturate the number of processes available to the hosting account, and as a result the site may stop displaying for legitimate users. The server has to handle every connection and cannot tell which one is real and which one is an attack.
- the number of attacking connections is reflected in the performance of the entire server. Machines are chosen so that they have a reserve of “power”, but thousands of attempts to log into the WordPress dashboard can be compared to a DDoS attack (distributed denial of service). During such an attack the server load often increases, and even when it does not stop responding altogether (which happens very rarely), the higher load means that customers' websites may respond more slowly.
Protection of logging into WordPress on Smarthost hosting
Several days ago we introduced advanced rules that block attacks associated with logging into WordPress. The principle of operation is simple: if there are 3 attempts to log in to WordPress in less than 10 seconds, we treat the connection as an attack and block that IP for 5 minutes.
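The rule above (3 login attempts in less than 10 seconds from one IP, then a 5-minute block) can be expressed as a sliding-window rate limiter. The following Python is an added example written for this page, not Smarthost's own implementation: it assumes a combined-format web server access log, counts only POST requests to /wp-login.php as login attempts (a GET merely loads the form), and runs over a few constructed log lines using RFC 5737 documentation addresses.

```python
"""Sliding-window limiter for WordPress login attempts (added example).

Implements the rule described above: 3 POST requests to /wp-login.php from
one IP within less than 10 seconds trigger a 5-minute block of that IP.
The log format, field regex and sample lines are assumptions for this
example, not anything taken from the hosting provider.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)     # attempts must fall within *less than* 10 s
THRESHOLD = 3                      # number of attempts that counts as an attack
BLOCK_FOR = timedelta(minutes=5)   # how long the offending IP is blocked

# Assumed combined log format: only the fields this example needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"


class LoginRateLimiter:
    """Per-IP sliding window over recent login attempts plus a block list."""

    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block has expired, forget it
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ip, now):
        """Record one login attempt at time `now` for `ip`.

        Returns "blocked" if the IP is already blocked, "block" if this
        attempt is the one that triggers a new block, otherwise "allow".
        """
        if self.is_blocked(ip, now):
            return "blocked"
        window = self.attempts[ip]
        window.append(now)
        # Discard attempts that are 10 s or older: only strictly less than
        # 10 s apart counts, matching "in less than 10 seconds".
        while window and now - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= THRESHOLD:
            self.blocked_until[ip] = now + BLOCK_FOR
            window.clear()
            return "block"
        return "allow"


def parse_line(line):
    """Return (ip, timestamp) for a login attempt, or None for other requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if m.group("method") != "POST" or path != LOGIN_PATH:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def process_log(text):
    """Run the limiter over log text; return (ip, timestamp, decision) per attempt."""
    limiter = LoginRateLimiter()
    results = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        results.append((ip, ts, limiter.record(ip, ts)))
    return results


def simulate(offsets_seconds, ip="203.0.113.99"):
    """Feed one IP's attempts at the given second offsets (constructed input)
    and return the limiter's decision for each attempt."""
    base = datetime(2019, 4, 5, 10, 0, 0)
    limiter = LoginRateLimiter()
    return [limiter.record(ip, base + timedelta(seconds=s)) for s in offsets_seconds]


# Constructed sample log: one brute-forcing client and one legitimate user.
SAMPLE_LOG = """\
198.51.100.23 - - [05/Apr/2019:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [05/Apr/2019:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2180
198.51.100.23 - - [05/Apr/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.23 - - [05/Apr/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.23 - - [05/Apr/2019:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [05/Apr/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [05/Apr/2019:10:04:59 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.23 - - [05/Apr/2019:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
"""

if __name__ == "__main__":
    for ip, ts, decision in process_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip:15} {decision}")
```

In the sample, the third POST from 198.51.100.23 arrives 7 seconds after the first and triggers the block; the attempt one second later and the one at 10:04:59 are rejected, while the attempt at 10:05:10 (after the 5-minute block has expired) is allowed again. The legitimate user at 203.0.113.7 is never affected. Note that the window check uses a strict bound: three attempts spaced exactly 0, 5 and 10 seconds apart do not trigger the rule, because the first has already aged out of the window.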
The advantages of our WordPress security solution:
- we minimize the ability of the attacker to guess the password
- we minimize the number of processes used on the client's account
- we relieve the web server, which means that customers' websites work better
Protection is enabled on all our servers.