Question
Brute force attack on my WP install by someone on my server
- Posted August 20, 2014
Hello all,
I just wanted to know how to report this somewhere. I’ve been slowly getting accustomed to using Digital Ocean as my host (excellent support here in the forums, BTW - I’m getting a LOT of great info, specially on security), and I have a WordPress site I set up a couple of months ago. In addition to fail2ban on the server, I’ve also put in some stuff on my WP site. One of the plugins I’m using logs attempts at brute force attacks. I was going through those logs today, and I was surprised to find a brute force attack on my site from someone on my exact server. The IP address is only a couple of digits from my own (which is what caught my attention - for a few minutes, I actually thought it was my IP address and I freaked out a bit).
Thankfully, everything’s working like it should, but it seems like I should be able to report the IP address of the person trying to get access to my site, since it’s quite obviously a Digital Ocean customer that’s doing it. Anyone know how I can go about reporting this person? or is it just one of those “not much you can do” issues and I should forget about it?
Any advice on what I should do will be appreciated :) Thanks!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Try DigitalOcean for free
Click below to sign up and get $100 of credit to try our products over 60 days!
Hi, We created one free wordpress plugin to report login bruteforce attacks and improve the security. www.ReportAttacks.com Regards, Bill
Sorry, I was not trying to imply you don’t know your stuff, I was genuinely interested in hearing what you were using, and if used the changing your login page trick.
As I mentioned, it has worked for me for a year, but someone has suggested it is only a matter of time before that stops working. So I am curious to know what other WordPress people are using, and what works.
To answer your questions, I’m a WordPress developer by trade (been working solely in WordPress since version 1.5, been a web developer for 15 years overall) - so I’m not clueless when it comes to what to do with WordPress. So to answer the question of “what have I done so far”, I’d have to review and give you a list :) There’s standard stuff I do for myself and my clients any time I do a WP install.
Server administration, however - on a non-local scale - is a bit on the “I still have a lot to learn” side. I’m thoroughly enjoying this process, though :) Mail is what’s the most fun (i.e. OMGwhywontitworkNOW) for me right now, to be honest.
Anyway, the plugin I have installed stopped the attack (they kept trying to log in as “admin” - which…well duh. No.) so I’m not concerned that they got in and did anything. The thing that got me was it was another DO customer, on my server. That was what surprised me. So I’ll be emailing the info/log to the abuse team.
Thanks so much :)
Regarding the specific question of what to do if you are seeing brute force login attempts from an IP address that you suspect belongs to another DigitalOcean user, emailing abuse@digitalocean.com will log an abuse complaint for investigation. When in doubt, open up a support ticket so the team can take a look at the specifics. In either case, copies of the logs would be helpful.
Thanks!
Just out of curiosity: what Wordpress steps have you taken?
I use login-lockdown, which is basic and works nicely. But the other big thing I do on all of the Wordpress sites I manage is to change the login page from wp-login.php to something else. (I change it up on every site)
It is not difficult to do, and has reduced brute-force attacks to zero on every site I do that (and has been working for me for about a year now) Once I have everything working with the new login page, I then lock-down the wp-login.php page using .htaccess
I should probably write a tutorial on how to do this because it seems to come up very often. There are a bunch of descriptions for it via google but I had trouble finding one that was clear.
It looks like there is a plugin that sort of does this for you: http://wordpress.org/plugins/rename-wp-login/
But I think I still prefer doing it manually so I know exactly what is going on.