Spike in WordPress Login Attacks

Stargate has recently noticed an increase in login attacks against WordPress sites.

When malicious scripts on remote computers discover the login page of a WordPress site, they hammer the page with a large number of brute-force login attempts to try and break in. While almost all attempts fail, the net result is that the server gets bogged down, negatively impacting the performance of all web sites hosted on that server.

WordPress security plugins are not enough

There are a number of popular plugins that can be added to WordPress to enhance its security. While this is certainly a step in the right direction, most of these do not help with this particular problem. In fact, some of these plugins actually make the problem worse. This is because WordPress itself causes the load, and the security plugins add even more load.

Blocking IP addresses is not enough

In many instances, the IP address involved in a brute-force login attempt is the same over several hundred hits, and they often come from countries known for hacking activity. However, blocking specific IP addresses is not a suitable approach. The addresses still change regularly, and in many cases, the IP address represents another compromised computer, not the actual person doing the attacking. We could block one IP address only to be attacked by another a few hours later.

Recommendation: Restricting WordPress logins to known IP addresses

The majority of WordPress sites we host are used for content management, wherein the login page is not meant for the general public — it's only needed for a few people who update the site. In these instances, our recommendation is to block access to the WordPress login page entirely except for the few people who are authorized to use it.

Stargate has already put in place a number of "Access Restricted" blocks on several customer WordPress sites when we discovered they were under attack. We do this by:

1. adding a simple PHP script that states the login is restricted, and lets the user know what their IP address is
2. adding a redirect in the site's .htaccess file that sends all requests for the WordPress login to the above script, except for white-listed (authorized) IP addresses
3. the customer and/or their web developer(s) can then either send us their IP address(es), or add them directly to the .htaccess file themselves

The benefit of this approach is that WordPress never loads for any unauthorized login attempts, and therefore does not overload the server.

Please contact webupdates@stargate.ca if you would like this feature proactively added to your site hosted with us.

Stargate may add this block without a customer request

When Stargate notices a drop in server performance due to these types of attacks, we will respond by adding our login block to the targeted sites to restore server performance. We will then notify the customer and/or their developer that we have done this.

Remember – although these attacks target specific sites, the performance drop affects everyone on a shared server. Stargate reserves the right to take whatever measures are necessary to protect the security and performance of our network, its servers and all of our customers using these services.