Times for The Times Admin? That's me! A couple of weeks ago our TimesforTheTimes website started getting a plague of false registrations of new members.
This was on top of a constant hammering of bots trying to login to the site. The new registrations were easy to spot as they hadn't come via our User Registration page so I was able to just delete them. But I decided to do something about stopping the attacks getting through.The site is very successful,,, here are some stats from last week, and site hasn't been live for a year yet.
And success brings attention from the bots. It is built on Wordpress, which is a very popular platform... which also means it attracts attackers. From the beginning we have been protected by this plug-in...
Firstly, to defeat the spurious registrations, I made a change to our User Registration configuration to disable the default login screen. That got rid of those and some of the brute force login attack bots.
My idea was that if a bot keeps trying and keeps finding it is still locked out, it would give up and go and pester another Wordpress site.
...which I configured to lockout any user getting their password time 3 times in a row, and increase the lockout time with further failed logins.
Even so we were getting lots of attacks, and they were increasing over time - up to 300 lockouts a day by early this month. Here is an extract from the log from 4th April.
For security reasons I have not included the usernames they were trying to login with.
But we were still getting a lot of attacks.
None of the userids they were trying are real usernames on our site.
Next I blocked the XML-RPC access with this...
and renamed the login entry point with this...
I also changed the Limit Login Attempts configuration to be more draconian...
Nearly there, but there was one stubborn bot remaining...
It was no use manually blocking the IP addresses it was using as it seemed to have an infinite supply from all over the world. The 45.x.x.x addresses, for example, are in The Seychelles. This bot also had a strategy of trying random combinations of 2 letters as the username so it could keep pestering despite the constant lockouts.
But then I had a brainwave and came up with one other configuration change. I won't say what it is! After 24 hours with no further attacks from the bot I reset the Limit Login Attempts parameters to something less unfriendly to real users. And for the last 6 days the only failed attempts logged have been from 3 real users who have forgotten their passwords.
Success! I appear to have won this battle. But will the war continue?
Well done John. Now if you can help me block all the spam emails I receive… 😉
ReplyDelete