
Website being attacked

  • 24-10-2013 7:12pm
    #1
    Registered Users Posts: 2,464 ✭✭✭


    Hope this is in the right forum.
    I set up a WordPress site for our local tidy towns 18 months ago. Everything was sound until a few months ago when we started getting a lot of comment spam, 30/40 a day. Some posts seem to attract more than others. Akismet is catching all the spam. I have captcha enabled, 8+?=13. While it's not a major problem, it's very annoying. What can I do to stop it?

    On a more serious note though, starting about a month ago, the site has been bombarded with log-in attempts. I am being alerted by Wordfence Security; these log-in attempts are all coming from the same IP. I've done a search and it's located in Amsterdam. Who can I report it to or get it blocked/blacklisted? I've changed the log-in limit to 5, I think it was set at 13. They are using "admin" all the time.

    Thanks for any help.


Comments

  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    Have you had a chat with your hosting company?

    Do you have a dedicated IP address or are you using a shared IP address?


  • Registered Users Posts: 2,031 ✭✭✭colm_c


    Do a Whois lookup and find their ISP, send their abuse department a nice email.

    Also block the IP address in htaccess or on the firewall.

    To be honest, just keep everything up to date (WordPress etc.), and have a strong password for any accounts on WordPress and you should be good. There are always script kiddies trying to log into WordPress and other CMSs.


  • Closed Accounts Posts: 4,476 ✭✭✭Samba


    Some of these options should also do the trick


  • Registered Users Posts: 2,464 ✭✭✭mayo.mick


    Graham, I'm on a shared IP address, would that make any difference? I'm sponsoring the site myself, getting basic price for hosting as it's voluntary.

    Colm_c, I update plug-ins/themes as soon as available. I hold back on core WordPress updates for a few days in case of any bugs.

    I thought I might be able to do something myself before contacting the hosting company. Passwords are pretty strong, don't use admin for any log-ins anywhere.

    Thanks for your help.


  • Registered Users Posts: 6,156 ✭✭✭Talisman


    Set up Basic Authentication on the wp-admin folder.

    How to Password Protect Your WordPress Admin (wp-admin) Directory


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    As you're on a shared IP it might be worth looking at cloudflare.com, they have a free service which includes DNS, caching, some threat protection and IP blocking.

    Setup is fairly easy, should take you less than 5 minutes if you have access to change your name servers.


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    Graham wrote: »
    As you're on a shared IP it might be worth looking at cloudflare.com, they have a free service which includes DNS, caching, some threat protection and IP blocking.

    Setup is fairly easy, should take you less than 5 minutes if you have access to change your name servers.

    +1 on Cloudflare.
    It's really easy to set up and provides a threat analysis module.


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    Not just analysis, even the basic offering allows you to block specific IPs/IP ranges. They also have some funky automatic thing going on in the background, haven't really given that much notice though.


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    Graham wrote: »
    Not just analysis, even the basic offering allows you to block specific IPs/IP ranges. They also have some funky automatic thing going on in the background, haven't really given that much notice though.
    The network learns from itself and what might be a threat in one location is blocked network wide.

    As well as the threat module it also provides good visitor analytics.


  • Registered Users Posts: 11,262 ✭✭✭✭jester77


    What server is running the website?

    This is how I handle it with nginx, built with the HttpGeoipModule module. It's a bit extreme as it is an all or nothing approach but for me that is ok.

    In the server config, I've added the following, most spam comes from Taiwan, China and Russia so I block all those users:
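        # Both directives belong in the http {} context.
        # Load the GeoIP country database so $geoip_country_code is populated.
        geoip_country /usr/share/GeoIP/GeoIP.dat;
        # Map the visitor's two-letter country code to an allow/deny flag.
        map $geoip_country_code $allow_visit {
            default yes;
            TW no;
            RU no;
            CN no;
        }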
    


    Then you can add settings for the site like so, so that anyone connecting from those countries will get no response:
        # 444 is nginx-specific: close the connection without sending a response.
        if ($allow_visit = no) {
            return 444;
        }
    


    Edit:

    Just seen your additional info. If it's just one particular user, then block that user using IP Tables. Also set up fail2ban and this will automatically block users who break the predefined rules by adding them to the IP Tables list.
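
Added example (not part of jester77's post and not code from anyone in the thread): the kind of rule fail2ban applies, written in Python so it can be run over an access log by hand. It counts failed POSTs to /wp-login.php per IP inside a sliding window. The log lines, the addresses (RFC 5737 documentation ranges), the name find_offenders and the "200 means failed login" rule are assumptions made for illustration; the threshold of 5 matches the log-in limit in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_offenders(log_text, max_retry=5, find_time=timedelta(minutes=10)):
    """Return {ip: time at which the ban threshold was reached}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        # Assumption: WordPress re-renders the form (200) on a failed
        # login and redirects (302) on a successful one.
        if (m["method"], m["path"].split("?")[0], m["status"]) != (
                "POST", "/wp-login.php", "200"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures outside the window
            window.popleft()
        if len(window) >= max_retry:
            banned[m["ip"]] = ts
    return banned

def _line(ip, hms, status, method="POST", path="/wp-login.php"):
    # Builds one constructed log line; this is not real traffic.
    return (f'{ip} - - [24/Oct/2013:{hms} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"')

# Constructed sample; all addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    # slow: five failures 15 minutes apart, never 5 inside 10 minutes
    [_line("192.0.2.44", t, 200) for t in
     ("18:00:00", "18:15:00", "18:30:00", "18:45:00", "19:00:00")]
    # burst: six failures in ten seconds, threshold reached on the fifth
    + [_line("203.0.113.7", f"19:00:{s:02d}", 200) for s in (1, 3, 5, 7, 9, 11)]
    # ordinary user: one typo, then a successful login and a page view
    + [_line("198.51.100.20", "19:05:00", 200),
       _line("198.51.100.20", "19:05:30", 302),
       _line("198.51.100.20", "19:06:00", 200, "GET", "/")])

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached {when:%H:%M:%S})")
```

On shared hosting, where iptables is out of reach, the addresses this returns are the ones to pass to the hosting company or deny in .htaccess.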


  • Registered Users Posts: 1,994 ✭✭✭lynchie


    jester77 wrote: »
    Just seen your additional info. If it's just one particular user, then block that user using IP Tables. Also set up fail2ban and this will automatically block users who break the predefined rules by adding them to the IP Tables list.

    That works fine on dedicated servers but on shared hosting you don't control the firewall nor can you run iptables / fail2ban etc.


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    lynchie wrote: »
    That works fine on dedicated servers but on shared hosting you don't control the firewall nor can you run iptables / fail2ban etc.

    +1 that's why I was asking about shared IP addresses and suggested Cloudflare.


  • Closed Accounts Posts: 4,476 ✭✭✭Samba


    Graham wrote: »
    +1 that's why I was asking about shared IP addresses and suggested Cloudflare.

    Tyvm for the suggestion Graham, fantastic service for folks like me on SH.

    I signed up last night. Not only does it give you added security, I noted a considerable increase in site performance after playing around with additional settings and options.

    That's me sorted until I need to go down the cloud based or dedicated hosting route.


  • Registered Users Posts: 3,078 ✭✭✭onemorechance


    Shared hosting v shared IP.

    I have heard of shared hosting before, but not shared IP.

    I would have thought that your website's IP would not ever change, even if you were sharing a hosting server? I assumed that shared hosting meant that ye were on the same physical server or server instance, but that each website would still have a unique IP.

    From looking up, I see that this can happen and the hostname is used instead. Is cost-saving the only reason for doing this?

    Is it common on shared-hosting that IP's are not dedicated?


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    I assumed that shared hosting meant that ye were on the same physical server or server instance, but that each website would still have a unique IP.

    From looking up, I see that this can happen and the hostname is used instead. Is cost-saving the only reason for doing this?

    Is it common on shared-hosting that IP's are not dedicated?

    You'd hardly ever get a dedicated IP address on a shared hosting package. Many hosts offer it at extra cost.

    One of the main reasons to get a dedicated IP in the past is to support SSL which requires a dedicated IP address (not true all of the time now but shared IP/SSL not supported by all browsers).

    This isn't just a cost issue, IP addresses are becoming a scarce commodity.


  • Registered Users Posts: 3,078 ✭✭✭onemorechance


    Graham wrote: »
    You'd hardly ever get a dedicated IP address on a shared hosting package. Many hosts offer it at extra cost.

    One of the main reasons to get a dedicated IP in the past is to support SSL which requires a dedicated IP address (not true all of the time now but shared IP/SSL not supported by all browsers).

    This isn't just a cost issue, IP addresses are becoming a scarce commodity.

    What's the story with IPv6? Is it intended to just supplement IPv4, or to eventually phase it out completely? Will IPv4 addresses be converted to IPv6, or will both remain for the foreseeable future?

    I guess it's a big ask to expect all resources on the web to convert to IPv6.


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    What's the story with IPv6? Is it intended to just supplement IPv4, or to eventually phase it out completely? Will IPv4 addresses be converted to IPv6, or will both remain for the foreseeable future?

    I guess it's a big ask to expect all resources on the web to convert to IPv6.

    IPv4 and IPv6 networks will run in parallel


  • Registered Users Posts: 2,464 ✭✭✭mayo.mick


    Hi guys, just a quick update. I did another whois check on the IP and it's based in Russia. I got onto the hosting company and gave them the IP; all the attacks have been coming from the same address. Simplest thing to do was block/blacklist the IP. Will let you know of any further updates. Thanks to everyone for taking the time to help out and give me solutions to the problem!


  • Technology & Internet Moderators Posts: 28,799 Mod ✭✭✭✭oscarBravo


    What's the story with IPv6? Is it intended to just supplement IPv4, or to eventually phase it out completely?
    They'll coexist for a very long time, with IPv6 slowly becoming the standard and IPv4 slowly becoming legacy.
    Will IPv4 addresses be converted to IPv6, or will both remain for the foreseeable future?
    At the moment you don't have a choice but to have a v4 address on your website as most of the Internet doesn't have a routable v6 address. As v6 takes off, it will become the norm to have both v4 and v6 addresses, and there will come a point - a long way off - when websites will start to have only v6 addresses, and those remaining ISPs that don't support v6 will have to offer something akin to NAT to access them. At least, that's my best guess as to where things are going.
    I guess it's a big ask to expect all resources on the web to convert to IPv6.
    It would be a big ask to expect it to happen in a hurry, but v6 isn't actually all that hard to implement. Something like 2% of Google's traffic is IPv6 at the moment. I must check and see what percentage of my own traffic is v6 - I suspect it's a reasonable amount, as I'm accessing Google, YouTube, boards.ie and a few others via IPv6.

    On the question of conversion, it won't work that way. Hosting providers who currently have one IPv4 address per shared-hosting server, allocated from a block of maybe a couple of thousand in total, will instead have probably 2^80 IPv6 addresses to allocate, so there's no good reason not to allocate a dedicated IPv6 address to each virtual host. I have 2^64 IPv6 addresses on my home network. I'm not in danger of running out any time soon :)


  • Registered Users Posts: 7,410 ✭✭✭jmcc


    oscarBravo wrote: »
    They'll coexist for a very long time, with IPv6 slowly becoming the standard and IPv4 slowly becoming legacy.
    Very slowly. I maintain a working copy of all routable IP addresses and there's still a lot of IPv4 activity. I also ran a website > IP survey of all com/net/org/biz/info/mobi/asia/us domains earlier this month and built tables of datacentres and ISPs. Now the diminishing IP ranges stuff might make a lot of nice headlines for the technology churnalists but as with most things, they haven't a clue beyond simple press releases.

    Shared hosting generally means shared IPs and some IPs have hundreds of thousands, or in some cases millions of websites hosted. Most hosters will not allocate a static IP to a shared hosting package due to internal network concerns. They often split their shared and dedicated clients into different networks and subnets for various reasons.

    Regards...jmcc

