How to Troubleshoot and Fix a Brute-Force Attack in WordPress on a DigitalOcean Droplet
While running a WordPress installation through a hosting service can be a convenient way to start a website, it’s not without security vulnerabilities that may sometimes be hard to troubleshoot. Brute-force attacks, cyberattacks that rapidly work to guess and access personal information like logins or passwords, happen when these vulnerabilities are exploited. Brute-force attacks can be placed within any vulnerability, and can sometimes originate from your website.
When facing brute-force attacks from your Droplets on DigitalOcean, it’s imperative to remove the threat quickly. While there are a number of ways to identify and remove compromised files vulnerable to attack, this tutorial aims to provide you with some steps to help you detect, resolve, and secure your WordPress installation(s) across DigitalOcean Droplets from vulnerabilities in the future.
Step 1 — Identify the Source of the Brute-Force Attack
The first step in troubleshooting an issue with a brute-force attack initiated from your Droplet is to identify the malware responsible for the malicious traffic. There are numerous tools and options available, but ClamAV ( http://www.clamav.net/ ) is a good tool to initially attempt to identify and remove the malware.
Most Linux distributions have ClamAV in their package management system, and typically you’ll need to install ClamAV and then run it.
- For Ubuntu, Debian, and most Debian-based distributions, you can run:
- sudo apt-get install clamav clamav-daemon
- For CentOS 8 you need to enable the EPEL ( https://fedoraproject.org/wiki/EPEL ) repo, which is an official repository of packages supported by the Fedora project, and then install ClamAV.
You can do so with a single command:
- dnf --enablerepo=epel -y install clamav clamav-update
Once ClamAV is installed, you can scan your system with:
- clamscan --infected --recursive /path/to/wordpress/sites
Replace the highlighted path with the correct path for your WordPress site. The
--recursive parameter will make sure that the command is configured to recurse through subdirectories, and the path we used in this example points to the root folder where all WordPress installations are located. This way, with a single command you can scan all your WordPress sites. ClamAV will then return a list of all files it finds suspicious, but will not take any action yet. After investigating which files ClamAV detected as suspicious and confirming they can be safely removed without causing further damage to your system, you might want to re-run the command with the
--remove option to remove the infected files.
--remove will delete any files it finds suspicious with no input from you, so it is NOT RECOMMENDED to run with
--remove as your first scan until you can confirm the results.
In cases where ClamAV does not find any malware, you will need to manually investigate and find the malware. While there are several ways to do this, a good starting point is to find and identify any recently uploaded files, based on the file’s timestamp information.
To do this, use the ‘find’ command:
- find /path/to/wordpress/site -mtime -DAYS
To use this command, replace the
/path/to/wordpress/site with the file path to your WordPress site, and
-DAYS with how many days to go back. For example, if you wanted to look back 1 day, it would be
-1; to look back 10 days, it would be
Take time to investigate any files that were uploaded or modified that you’re unaware of.
Step 2 — Update your WordPress Installation
After identifying the malware, the next step to preventing malicious attacks from reoccurring is to update your WordPress installation. It’s wise to patch WordPress and any themes or plugins installed, to ensure that, if the compromise was in a plugin or theme’s install directory, you have removed and reinstalled that plugin or theme. You may be able to remove all malicious files, but in most cases, a clean installation of a compromised component is preferred.
You can perform these updates from within WordPress’ administration UI in most cases, which doesn’t require the use of any additional tools. WordPress also offers an automatic update option that you’re encouraged to enable in order to reduce the time your websites might be vulnerable to newly discovered security issues.
Another helpful piece of advice in preventing malicious attacks is to update all components, even the ones that are marked as inactive. In some situations, even disabled plugins and themes may be accessible and able to be compromised if not kept updated. If you’re sure you don’t need a theme or plugin, the best course of action would be to remove it in its entirety.
In some cases, a theme or plugin may be abandoned by the author, and while you have the most recent version installed, the plugin or theme may have an issue that has not been fixed. In this case, you may need to consider other options for substituting the abandoned component that is currently updated, but was still the source of a compromise.
Step 3 — Secure Your WordPress Installation Against Malicious Attacks
Once you have both removed any malicious files and ensured all components are updated, it’s time to secure your WordPress installation. The next step we recommend is to change all passwords for users that have access to the administration UI, especially those that have full admin rights, or the ability to upload or modify file contents.
Checking your filesystem permissions if you’re not aware of the current configuration is also an important step in securing your WordPress installation, as the wrong permissions can allow file read and write access you didn’t intend. WordPress provides a good outline of what the settings should be and how to update them here.
As a step in securing your Droplet’s installation, you can also install a plugin to limit the amount of failed login attempts, which dramatically reduces the risk of brute force attacks. The wp-limit-login-attempts plugin is a popular option to use.
Finally, consider using a WordPress security plugin like Jetpack or Wordfence. These plugins help actively combat intrusion attempts and provide a final layer of security to ensure that your site is only used for what you intend.
An alternative to using a server-side plugin like Jetpack or Wordfence would be to investigate if Cloudflare’s caching and Web Application Firewall (WAF) service might be a good fit for your specific use case. To learn more about this option, check out CloudFlare’s documentation.
Navigating troubleshooting options when brute-force attacks originate from your Droplets can be cumbersome, but in this tutorial, we shared some steps to help you detect, resolve, and secure your WordPress installation(s) across Droplets. For more security-related information to help manage Droplets, check out our Recommended Security Measures article.