During the last few weeks I’ve witnessed repeated, semi-successful attacks against WordPress sites. The attack is easy to recognize: server response becomes extremely slow, and if you take a look at the Apache ‘server-status’ page you will see multiple ‘POST /wp-login.php’ requests from different IPs.
The source IPs vary, which suggests that botnets are involved. It’s very easy to identify the attack from the web server error log because, regardless of the source IP, all requests carry the identical User-Agent. Here are typical log entries from the attack:
```
[Tue Aug 27 13:52:35 2013] [error] [client 93.159.16.143] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
[Wed Aug 28 10:34:32 2013] [error] [client 31.210.86.205] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
[Wed Aug 28 22:04:56 2013] [error] [client 72.29.68.51] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
[Thu Aug 29 11:25:10 2013] [error] [client 209.51.142.178] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
```
I have not seen these attacks succeed at anything other than a denial of service for the whole server: CPU load goes through the roof, RAM gets exhausted, then swap, and the server becomes unresponsive.
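The detection the log entries above suggest, as an added example that is not part of the original post: parse Apache error-log lines of that format, group the wp-login.php POST errors by User-Agent, and report any agent seen from many distinct client addresses. The log lines embedded below are constructed in the same format (RFC 5737 documentation addresses), and the function and threshold names are my own.

```python
import re
from collections import defaultdict

# Matches the Apache error-log format shown above. The User-Agent runs up to
# the ", referer:" marker, so it may contain spaces, semicolons and slashes.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"Invalid URI in request POST User-agent: (?P<ua>.*?), referer: (?P<ref>\S+)$"
)

# Constructed sample lines in the same format as the entries above; the
# addresses are documentation ranges, not real attack sources.
SAMPLE_LOG = """\
[Tue Aug 27 13:52:35 2013] [error] [client 198.51.100.17] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
[Wed Aug 28 10:34:32 2013] [error] [client 198.51.100.42] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
[Wed Aug 28 22:04:56 2013] [error] [client 203.0.113.9] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
[Thu Aug 29 11:25:10 2013] [error] [client 203.0.113.77] Invalid URI in request POST User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0, referer: http://domain.com/wp-login.php
[Thu Aug 29 11:30:00 2013] [error] [client 192.0.2.5] Invalid URI in request POST User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0, referer: http://domain.com/wp-login.php
"""


def parse_line(line):
    """Return a dict with ts, ip, ua and ref for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shared_agents(lines, min_ips=3):
    """Group wp-login.php POST errors by User-Agent and return only the agents
    seen from at least `min_ips` distinct client addresses: the signature
    described above, many source IPs but one identical User-Agent."""
    ips_by_ua = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry and entry["ref"].endswith("/wp-login.php"):
            ips_by_ua[entry["ua"]].add(entry["ip"])
    return {ua: sorted(ips) for ua, ips in ips_by_ua.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for ua, ips in find_shared_agents(SAMPLE_LOG.splitlines()).items():
        print(f"{len(ips)} distinct IPs share User-Agent {ua!r}: {', '.join(ips)}")
```

On a real server, feed it the error log (for example `tail -n 5000 error_log`) and raise `min_ips` to fit your traffic; the single Firefox/23.0 entry above stays below the threshold and is not reported.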
How to avoid it? Relatively easy: you need to add some rewrite rules to the main site’s .htaccess file.
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

<IfModule mod_rewrite.c>
RewriteEngine on
# Rule 1: reject POSTs to the login page or admin area whose Referer is not
# this site (use https?:// so the rule also works once the site runs over TLS).
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?domain\.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
# Rule 2: reject POSTs to the same URIs that carry the attackers' User-Agent,
# even when the Referer looks legitimate. mod_rewrite exposes the header as
# %{HTTP_USER_AGENT}; %{USER_AGENT} is not a valid variable and never matches.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteCond %{HTTP_USER_AGENT} Gecko/20100101.*18\.0$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
```
I specifically added the %{HTTP_USER_AGENT} matching rule because some time ago attackers started providing a proper %{HTTP_REFERER} field in their requests.
Don’t forget to replace “domain.com” with the name of your domain.