60,000 hits on wp-login

I got over 60,000 hits overnight on my CThreePO.com domain. Someone was doing a dictionary attack. I have my websites set up to block this on the first attempt. The robot got 60,000 403 “access denied” error messages but kept on chugging along going through its password dictionary. Idiots!

I have to add these robots to my htaccess file because if I had 60,000 hits to a PHP file my web host would shut me down. When I first started using this host I was getting lots of angry messages from my hosting company about excess CPU time. It turns out that having a deny ip in the htaccess does not count as CPU time. In the beginning Yandex was hitting my sites over 100,000 times a day. I blocked Yandex and then I have been plugging leaks a little at a time ever since. In the beginning about 95% of the hits to my site were robots. Now I am down to about 20%.

I have a real problem with spammers getting a hold of an Amazon AWS instance and running their robots for a few hours. Amazon always catches them quickly, but there are also some good Amazon-based apps hitting my site and I don’t want to block them. I have to be very careful with automatic blocks when Amazon is involved. Amazon has to stop giving away free or cheap trials to fraudulent users.

As I block more and more IP addresses, I get fewer malicious hits on my website. This is a bad thing because it makes it harder to test my new routines. I had no good hits on my known exploits routines; all were blocked by the htaccess file, so I don’t know if my new modules are correctly blocking hits to exploited plugins. All morning I’ve had only one new IP address, and that was from a Chinese computer doing a login attempt that was caught the first time it hit my site – boring. I never thought that I would say this, but I need more spammers!

3 Responses to “60,000 hits on wp-login”

  1. Ok, well if you’re running cpanel, you can put all the ip ranges that you’re no longer interested in – say all of Russia or China or N Korea – in there, and that will bring your htaccess way down. My 2c.

    I’m a mere beginner at this stuff, so I’m probably not telling anything you don’t already know.

    Keep up the good work.

    Russell.

  2. Keith says:

    Keith,

    The truth is, I want spammers. I leave comments and registrations wide open on this site, but if you try anything, you are immediately blocked. I am spammer hunting.

    I am now writing code to harvest spam IP ranges from the Stop Forum Spam lists. My htaccess is about a quarter of a meg (too big) and I am working on ways of shrinking it down.

    Right now the spammers aren’t winning, but I am not declaring victory either. It is a fun hobby and I am learning more about spammers and malicious robots than I ever wanted to know.

    Keith
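One lossless way to shrink a large deny list like the one described in the post and in the comment above, shown as an added example that is not the site owner's code. It assumes Apache 2.2-style `Deny from` lines at the top level of the .htaccess (not inside `<Files>` or `<Limit>` sections); the function name is hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import re

DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+)$", re.IGNORECASE)

# Constructed sample .htaccess fragment (documentation address ranges only).
SAMPLE = """\
Order allow,deny
Allow from all
Deny from 192.0.2.4
Deny from 192.0.2.5
deny from 192.0.2.6 192.0.2.7
Deny from 192.0.2.5
Deny from 198.51.100.0/25
Deny from 198.51.100.128/25
Deny from 198.51.100.77
Deny from 203.0.113.9
Deny from badbot.example
"""

def compact_htaccess(text):
    """Collapse deny entries into the smallest equivalent CIDR set.

    Returns (new_text, entries_before, entries_after). The result blocks
    exactly the same addresses: nothing is widened, so a neighbouring
    legitimate client (for example a cloud-hosted app) is never caught.
    """
    nets, passthrough, before = [], [], 0
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            passthrough.append(line)          # Order, Allow, comments, ...
            continue
        kept = []
        for token in m.group(1).split():
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
                before += 1
            except ValueError:
                kept.append(token)            # hostname or partial IP: keep as is
        if kept:
            passthrough.append("Deny from " + " ".join(kept))
    merged = []
    for version in (4, 6):                    # collapse_addresses rejects mixed versions
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    deny = [f"Deny from {n.network_address if n.num_addresses == 1 else n}"
            for n in merged]
    return "\n".join(passthrough + deny) + "\n", before, len(merged)
```

On the sample, nine deny entries become three: duplicates and addresses already covered by a listed range disappear, and adjacent addresses or ranges merge into a single CIDR block.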

  3. Found you via permalink finder 404 plugin – works out of the box and will save me, I’m sure, heaps of time and bother.

    I use a wp-login renamer plugin named, somewhat predictably, Rename wp-login.

    https://wordpress.org/plugins/rename-wp-login/

    If you have cpanel, try playing with the cphulk blacklist. I’ve got the Russians down to 1 a day or fewer, the Chinese are largely sorted, and I’m now working on Vietnam. Down from well over a hundred hits a day to probably 20.

    I could probably redirect some of my spammers if you *really* want me to. 🙂

    Cheers,

    Russell
