Recently here at Land of Technology we’ve been unable to log into the site, which has affected our posting. However, we thought it was a local issue until I noticed it was affecting several sites I know to be running on the WordPress blogging system.
Here is what my hosting provider had to say:
Due to a recent large-scale WordPress wp-login.php brute force attack coming from an extremely large number of IP addresses with no geographical or specific range or signature, we’ve been forced to take immediate action to attempt to alleviate some of the load being generated by this. Arvixe as well as any other hosting provider providing PHP and WordPress hosting is being impacted by this. This can be seen with a quick search:
To clear up some confusion, a large botnet has been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin panel. This has caused increased server load and in turn performance and growing issues over the last couple days. This morning, this reached a critical threshold where nearly every Arvixe server was facing overly critical load issues.
What we are doing:
Two days ago, in an attempt to provide immediate relief, we sent out Linux server changes which throttled refreshes and login attempts to all wp-login pages. This method proved to be effective for about a 24-hour period. As the attack worsened, it started becoming apparent that each IP making the request was no longer making more than 1-2 attempts every couple minutes, masking the "attack" as typical traffic, but the issue then became that such a large assortment of IPs are being used. As such, using mod_security, about 15 minutes ago, we pushed out a rule to return "406 not acceptable" for any attempts to browse to a "wp-login.php" file.
This change should prove to be temporary until we can roll customers being impacted by this into CloudFlare, which has been able to successfully identify a signature and is scrubbing traffic as we speak.
For now, this is all of the information we have, and we hope to have more information as well as normal service resumed soon.
Your patience during this time is appreciated.
Keeping in consideration:
While this is providing relief, the attack is still hitting the Apache instance and slightly higher than average load is still being experienced on the Linux shared server front. This does also appear to be impacting Windows servers although it's slightly less apparent.
To keep this thread straight and to the point and in an attempt to provide uncluttered information, we are locking this and will simply be using this to provide updates to our customers as we have them. Should you have questions, we ask that you reach out to our support via phone or live chat for any clarification, although our staff will have access to similar information which is already being provided here.
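The statement above explains why per-IP throttling stopped working once each address made only 1-2 attempts every couple of minutes. The following is an added example, not code from this post or from Arvixe, showing how a defender could spot that pattern in an Apache access log by counting distinct source IPs posting to wp-login.php per time window instead of attempts per IP. The window size, both thresholds and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: ip, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    """Return (ip, datetime, method, path-without-query) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3), m.group(4).split("?")[0]

def analyse(lines, window_s=300, per_ip_limit=5, distinct_ip_limit=20):
    """Bucket wp-login.php POSTs into fixed windows; return
    (IPs over the per-IP limit, windows with many distinct source IPs)."""
    per_ip = defaultdict(int)      # (window, ip) -> POST count
    sources = defaultdict(set)     # window -> distinct IPs
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        bucket = int(ts.timestamp()) // window_s
        per_ip[(bucket, ip)] += 1
        sources[bucket].add(ip)
    noisy = sorted({ip for (_, ip), n in per_ip.items() if n > per_ip_limit})
    spread = sorted(b for b, ips in sources.items() if len(ips) >= distinct_ip_limit)
    return noisy, spread

def sample_log():
    """Constructed data: 40 documentation-range IPs, 2 login POSTs each in 5 minutes."""
    start = datetime(2000, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(1, 41):
        for offset in (i * 3, i * 3 + 120):
            ts = (start + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
            lines.append(f'198.51.100.{i} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3456')
    lines.append('203.0.113.9 - - [01/Jan/2000:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3456')
    return lines

if __name__ == "__main__":
    noisy, spread = analyse(sample_log())
    print("IPs over per-IP limit:", noisy)
    print("windows with distributed login pressure:", len(spread))
```

On the constructed sample no single address crosses the per-IP limit, yet the one five-minute window is flagged because 40 distinct addresses posted to the login page in it.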