
Protect Against Brute-force/Proxy Login Attacks

For the past week, I’ve been monitoring activity from a set of IP addresses involved in brute-force login attacks. A brute-force login attack is the systematic guessing of passwords against common usernames such as “admin” and “username”. So, for example, an attack will target an array of sites, use “admin” as the username, and then make numerous attempts at “guessing” your password. And to obfuscate the malicious activity, the attack is executed from multiple IP addresses, either via proxies or possibly a botnet.

There are some good plugins and scripts that protect your login page against brute-force attacks, but some of them do so by blocking the attacker’s IP address. For example, if someone or something makes 10 unsuccessful login requests, a login-protection script may automatically block the associated IP address and thwart the attack. So by using multiple IPs, the attacker increases the number of “undetected” login attempts and decreases the likelihood of getting blocked.

Best protection against brute-force attacks

The best protection of course is to choose strong passwords and change them regularly. With strong passwords, the chance of a successful brute-force login-attack decreases to virtually zero. And, if you’re heavily targeted (or just paranoid), additional measures may be taken to protect against login attacks. Setting up secondary HTTP password protection is an excellent way to further lock things down. Either of these strategies should protect your site against brute-force attacks, but we can do even more with a bit of .htaccess.

Specific protection for a recent brute-force/proxy threat

Most brute-force login attacks target a general collection of websites, using common usernames such as the dreaded “admin”. For example, I’ve been monitoring a recent wave of brute-force/proxy login attacks targeting a variety of different sites. By using “admin” as the username, they’re not even in the ballpark, so it’s most likely not a specifically targeted attack.

Scanning the server logs, I’m seeing an increase in the number of failed login attempts for an array of sites. Someone’s trying to get in, and they’re using multiple IPs to make the requests. At first I wasn’t sure how many different IPs were involved, but there were literally so many requests that I began noticing a pattern of similar IPs. So I began logging the different IPs associated with this recent wave of brute-force login attacks.

After two weeks of enduring and monitoring the attacks, the botnet appears to consist of the following IP addresses:

Each of these IPs continues to attempt brute-force login attacks, and may be blocked with the following slice of .htaccess:

# 2012 bruteforce botnet
<Limit GET POST PUT>
	Order Allow,Deny
	Allow from all
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
	Deny from
</Limit>

When placed in the .htaccess file in either the root directory or the directory housing your login page(s), this tasty slab of Deny directives will block this recent bruteforce proxy or botnet from even accessing your pages. It’s entirely plug-n-play — no editing required. Just remember to remove this “mini-blacklist” at some point in the future, as IPs and malicious activity tend to change over time.
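As an added example (not part of the original post), here is a small Python script that does what the log-scanning above describes: it counts failed POSTs to wp-login.php per source IP, rolls them up per /24 so that an attacker rotating through neighbouring addresses still crosses the 10-attempt threshold a per-IP blocker would miss, and emits a Deny block in the same form as the one above. The log lines are constructed, and treating an HTTP 200 answer to the login POST as a failed guess (302 as a successful login) is an assumption about WordPress’s behaviour.

```python
"""Added example (not from the original post): count failed wp-login.php
POSTs per IP, roll them up per /24 prefix and emit .htaccess Deny lines."""
import re
from collections import Counter
from ipaddress import ip_network

# Apache combined-log prefix: client IP, identity, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_lines):
    """Count POST /wp-login.php requests answered with 200, per source IP.
    Assumption: a failed WordPress login re-renders the form (200), while a
    successful one redirects (302), so 200 responses are the failed guesses."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            hits[ip] += 1
    return hits

def by_prefix(per_ip, prefixlen=24):
    """Roll per-IP counts up to /prefixlen networks: an attacker rotating through
    neighbouring addresses stays under a per-IP limit but not under this one."""
    per_net = Counter()
    for ip, n in per_ip.items():
        per_net[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return per_net

def deny_block(per_ip, threshold=10, prefixlen=24):
    """Return a <Limit> block denying every network at or above the threshold."""
    nets = sorted(n for n, c in by_prefix(per_ip, prefixlen).items() if c >= threshold)
    lines = ["<Limit GET POST PUT>", "\tOrder Allow,Deny", "\tAllow from all"]
    lines += [f"\tDeny from {n}" for n in nets]
    lines.append("</Limit>")
    return "\n".join(lines)

# Constructed sample log: four neighbouring IPs make three failed logins each
# (12 in total, none reaching 10 alone) and one legitimate user logs in (302).
TEMPLATE = ('{ip} - - [02/Oct/2012:08:0{m}:00 +0000] '
            '"POST /wp-login.php HTTP/1.1" {status} 0 "-" "Mozilla/5.0"')
SAMPLE_LOG = [TEMPLATE.format(ip=f"203.0.113.{h}", m=i, status=200)
              for h in (10, 11, 12, 13) for i in range(3)]
SAMPLE_LOG.append(TEMPLATE.format(ip="198.51.100.7", m=4, status=302))

if __name__ == "__main__":
    print(deny_block(failed_logins(SAMPLE_LOG)))
```

Run against a real access log (one line per list element) the output can be pasted straight into .htaccess; as the post says, remove the list again later, since IPs and activity change over time.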

Note: If any of these IPs belong to anyone reading this, your machine is either hacked or a proxy server and is being used for malicious intent on the Internets.

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

12 responses to “Protect Against Brute-force/Proxy Login Attacks”

  1. George Serradinho 2012/10/02 8:21 pm

    I have a few WP sites and had to take some serious steps as I installed Login Attempts and some activity plugin and checked the username was 90% ‘admin’ and 10% ‘lmbellclyd’.

    Thanks for the IP addresses.

  2. Michael Clark 2012/10/03 4:48 pm

    The idiots hitting my server are an entirely different set of IP addresses. My wp-login.php is set to automatically add their IP address to the .htaccess.

    • Oh yes, they use milllionz of different IPs no doubt, this was just one example of how to block using some real, recent data. Plugins that block based on individual IPs work fine, but as mentioned allow for more login attempts before actually stopping a particular brute-force attack.

  3. Brad Dalton 2012/10/07 5:45 pm

    I prefer to use the Wordfence plugin, which alerts you to repeated login attempts so you can easily block the IPs. No need to add them to your .htaccess.

    This plugin tracks all IP addresses so it’s easy to block any, and it also includes limit login attempts and many other security features.

  4. Having just a personal site with WordPress and another with CodeIgniter, I do the following:

    1. Install ZB Block for PHP sites

    2. Of course follow good security practices for logins as noted on Jeff’s site here (the “G series”)

    3. Go to ipinfobd and get the IP ranges of any and all countries I want to block and put that in my .htaccess file. I find that helps stop a great many attacks

    4. Check any passwords I generate at GRC for strength

  5. Igor Aleksic 2012/11/02 4:09 am

    Another protection step I was thinking of making is implementing another field as a secondary password, which basically is an 18-character field with a strong password generated by You won’t be able to remember it, but it will sure not be that easy to hack; plus you will have to save it somewhere and copy-paste it every time you want to log in.

    But talking about WordPress, apart from the G5-G6 techniques discussed here you can do the following.

    1. Change the admin name to something else
    2. Generate an 18-character password
    3. Lock the admin area to your IP only, or lock the admin and wp-login.php URLs in general so that only when you want to log in you delete the rules, and when you finish you write them again… This step may seem a bit of a hassle, but if you want to be secure you’ll do it.

    • Jeff Starr 2012/11/02 2:03 pm

      Excellent tips, Igor! I agree completely, and would add to change passwords often (or as often as possible) :-)

  6. Alok Tiwari 2013/01/10 12:38 am

    Please update your list with these IPs, so at least others can be updated. These IPs are involved in brute-force attacks on my server. I have blocked them. Others are recommended to block these IPs to safeguard their WordPress-based installations. All of these IPs tried to penetrate using the admin user name. Not having an admin user name is a good idea, but completely blocking junk traffic is a wise idea. Hope this helps.

    #Kimsuffi Network hacks are banned

  7. Alok Tiwari, I don’t know about brute-force attacks, but I can tell you every one of those IPs except one are big hitters on the Stop Forum Spam database as well.

    In addition to Jeff’s block list I also compare IPs against the SFS block list.

  8. I usually ban those IPs using the “Better WP Security” plugin, setting a longer time stamp.

    Can I depend on this, or should I also put those IPs in .htaccess?

  9. Shahran Profector 2013/04/04 8:56 pm

    Deny from 188.143.232
    Deny from 190.220.229
    Deny from 66.85.162
    Deny from 89.233.216
    Deny from 78.154.105
    Deny from 89.233.216
    Deny from 173.38.155

    Trouble is, they are not complete IPs, and maybe some who are not bad will get blocked :(
