As you may know, Tuesday, a widespread “brute force” attack against WordPress sites started impacting sites across the internet. This attack is leveraging a botnet which looks to have more than one hundred thousand different computers at its disposal. Its intent is very simple: to find and compromise WordPress sites with simple passwords, to likely later use them to distribute malware (and further increase the size of the botnet).
On Tuesday, our admins discovered this attack as we investigated increased load and decreased performance on our hosting servers. We quickly identified this as a widespread attack on the WordPress login page. The attack was a large one (hundreds of hits a second to many WordPress sites spread across our infrastructure). It became quickly obvious we needed to act fast. At this point, the fastest solution was to drop all traffic to the WordPress login page (wp-login.php) while we worked on a better plan.
The downside to this, of course, is that we blocked legitimate access for customers who wanted to login to WordPress. We knew that was not an acceptable solution for very long, so we immediately went to work on a better solution. We truly apologize if we kept you from logging into your WordPress, but we felt that keeping your site up (but not allowing you to login), was the better option.
With the infrastructure stabilized, we dug in and started investigating better solutions. We reached out to some partners and other groups on the web, and collaborated on some security rules that would help mitigate the attack. These security rules are, in a sense, rules based on behavior: if a single IP address or browser used the wrong password on a WordPress site more than a handful of times in a few minutes, we would ban that IP address for a period of time. This rule would help us allow legitimate customers to login to WordPress, but would stop the attacker after a number of bad attempts.
We rolled these changes out Tuesday afternoon. It took a few tries to find the right balance to block the bad guy but not keep a legitimate user from logging into their WordPress site. The attack subsided overnight.
The attack returned in force on Wednesday as we reached peak business hours. This made it obvious that the attack was based off a botnet—likely using the computers of unsuspecting office workers coming in for a normal day of work! We spent Wednesday tweaking rules and working with other folks in the industry to share tips, tricks, and findings.
By this point, between ourselves and our partners, we were approaching having flagged nearly that hundred thousand IP addresses, and more new IP addresses were showing up every second. Even though we were stopping much of the attack, it was so large that simply handling the traffic was starting to impact our servers.
The team was able to keep things stable for most of Wednesday, working hard to tweak rules as we or our colleagues identified new trends.
By Thursday, it was clear that the attack was not subsiding. The first thing we did was to roll out a new heuristic-based set of rules, that would look historically at our growing set of log data, identify patterns, and block the attack based on that data, not just on current bad behavior, but combinations of bad behavior.
That put a big dent into the attack. But the attack was still big enough to be causing our servers to run at a higher than normal load.
Our breakthrough happened on Thursday, as our team looked through data on the web and data in our logs. We found a difference between the way the attack accesses WordPress and legitimate customers access WordPress. Thursday afternoon, we rolled that change out to our edge servers (before the traffic even reaches the web server that might be hosting your site) to drop any traffic that didn’t look legitimate.
Hundreds of hits a second dropped to nearly none.
We’ve been rolling this change out across our data centers and seeing much of the attack mitigated. This is allowing us to focus less on just keeping things running and more on the proactive work of heading off the next variant of this attack. The attack, as it usually does, has started to pick up again today during peak business hours, but thus far, we’re not feeling the effects.
We head into the weekend in good shape, but vigilant against a returning or altered attack. In the meantime, our support team is ready to help you if you are feeling any lingering effects (the most common one might be if your IP got marked as a possibly bad IP). If you’d like to help make your site stronger, we recommend changing your WordPress password to a secure one, if you haven’t already.