The call was coming from inside the onion.
October 21, 2015 10:00 AM Subscribe
The Wordpress blog that I manage is being attacked from Tor nodes. Is there anything that I can do about it?
I maintain a Wordpress blog that is constantly being attacked from foreign IP addresses trying to guess our password and gain access. I have installed plugins (Wordfence in particular) as part of my security management of the blog to monitor and ban individual or ranges of addresses that frequently try to access the site, and this has been successful for about a year, but now the domains that are attacking the blog are Tor nodes. I think that I understand enough about Tor nodes to know that this is a sad subversion of their intended use and that blocking them will not keep them from being misused or their abusers from using the same domains to continue attacks. In the past, attempts to report abuse to domain names have gone unanswered.
Do I have any other recourse? I would prefer not to block Tor nodes as I know they are not always used for evil, but I am very limited in what I can otherwise do to the blog itself - there is no budget for any paid solution, and I can't do anything to the blog that would make it difficult for someone with little to no experience to use if I were taken off of its administration with no notice. While there probably is a better platform than Wordpress, requests to move the blog are more likely to get it shut down due to the "hassle" (my supervisor expects everything to "just work" and to require minimal effort and understanding), so "stop using Wordpress" is not bad advice, but not really helpful.
Semi-related question: If a certain domain hosting a Tor relay is being abused, does that make it untrustworthy?
I want to say I feel your pain; I manage servers with dozens of wordpress installations, and nearly every day there's one with 35,000 hits to wp-admin ; we use Login Lockdown, but as you've seen, attacks that come from a myriad of IP addresses aren't really deterred by IP blocking.
My biggest suggestion is to just make sure you're properly managing your passwords. If you've got a newer Wordpress install (and I hope you've updated lately), make sure your admin user isn't "Admin"; then, even though they're hitting your site thousands of times, they're not actually getting in and aren't able to cause any trouble. Their 'hits' don't use much bandwidth -- they're just bots trying to authorize, they're downloading as little data as possible -- and be vigilant in monitoring for unusual activity. The attackers can't force their way in without login credentials, so this is the equivalent of someone with a big keyring at a padlock. If they don't have the key, they're not getting through, even if it's annoying to have them there, trying every key, before giving up.
(Aside from login attempts: make sure you're updating plugins. Cleaning up after a hacked plugin is a huuuuuuge pain in the ass. They're a bigger security risk than a direct attack on wp-admin).
posted by AzraelBrown at 10:07 AM on October 21, 2015 [1 favorite]
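The per-IP counting that Login Lockdown and Wordfence do, and why it stops biting once the attempts are spread across many exit nodes, as an added example in Python. This is not code from the thread or from any of the plugins named: it parses Apache "combined" access-log lines, counts POSTs to /wp-login.php per source and per minute, and flags the one line you actually care about, a POST answered with a 302 (WordPress redirects on a successful login and re-renders the form with 200 on a failed one). The log lines are constructed, and the thresholds (5 per IP, 10 per minute) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        "path": m["path"].split("?")[0],  # drop ?redirect_to=... etc.
        "status": int(m["status"]),
    }


def analyze(lines: List[str], per_ip_limit: int = 5, per_minute_limit: int = 10) -> Dict:
    """Compare a per-IP lockout rule with an aggregate rate rule on the same traffic.

    per_ip_limit   mimics what Login Lockdown / Wordfence enforce per source address.
    per_minute_limit is an assumed site-wide budget for login POSTs per minute.
    """
    attempts_by_ip: Counter = Counter()
    per_minute: Counter = Counter()
    successes: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        attempts_by_ip[rec["ip"]] += 1
        per_minute[rec["ts"].replace(second=0)] += 1
        if rec["status"] == 302:  # redirect after POST == the login worked
            successes.append(rec["ip"])
    peak = max(per_minute.values(), default=0)
    return {
        "total_attempts": sum(attempts_by_ip.values()),
        "distinct_ips": len(attempts_by_ip),
        "blocked_by_per_ip_rule": sorted(ip for ip, n in attempts_by_ip.items() if n > per_ip_limit),
        "peak_per_minute": peak,
        "aggregate_rate_exceeded": peak > per_minute_limit,
        "likely_successful_logins": successes,
    }


def _line(ip: str, mmss: str, method: str = "POST", path: str = "/wp-login.php", status: int = 200) -> str:
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [21/Oct/2015:10:{mmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3123 "-" "Mozilla/5.0"')


# Constructed sample: ten sources with one try each (what a Tor-spread campaign looks like),
# one noisy source with six tries, and a legitimate admin who fetches the form and logs in.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", f"00:{i:02d}") for i in range(1, 11)]
    + [_line("198.51.100.7", f"00:{20 + i:02d}") for i in range(6)]
    + [_line("192.0.2.5", "00:40", method="GET"), _line("192.0.2.5", "00:45", status=302)]
)

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On this sample the per-IP rule blocks exactly one address and leaves the other ten attempts alone, while the aggregate rule sees 17 login POSTs in a minute and trips. That aggregate signal is the one to act on: throttle or challenge the login endpoint as a whole (captcha, second factor, a moved login URL) rather than chasing exit-node addresses one by one, and alert on any POST to wp-login.php that returns 302 from a source you do not recognise.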
If a whitelist isn't an option, I would try setting up a captcha on the login page.
posted by pocams at 10:13 AM on October 21, 2015 [4 favorites]
If you haven't renamed wp-login.php and the admin area, try that too. You can do the login manually, but if you want to hide wp-admin, you're better off with a plugin. iThemes Security and several others will do that for you.
posted by mimi at 10:30 AM on October 21, 2015 [1 favorite]
You could drop $20/month protection money to put it behind CloudFlare and get their wordpress attack filters.
posted by mattamatic at 10:38 AM on October 21, 2015 [1 favorite]
Create another administrator account and remove the admin account completely.
posted by DarlingBri at 10:51 AM on October 21, 2015 [3 favorites]
Nearlyfreespeech.net disables wp-login.php by default. This works well if you have shell access and can log in there, where you can re-enable wp-login.php (changing permissions), log in, change the permissions back to deactivate wp-login.php, and you're done (once you're logged in you can keep working in Wordpress even while wp-login.php is inaccessible). It's a hoop to jump through but it really isn't that bad and it seems to shut down a bunch of these kinds of Wordpress attacks (since they are not attempting to gain shell access). Since the folks at nearlyfreespeech.net do this even if you don't want them to I assume it must be a Good Thing.
posted by bfootdav at 11:07 AM on October 21, 2015
I use two plugins "Stealth Login Page" and "SF Move Login." One requires a PIN to login, and the other moves the login page to a URL that you specify. This combo has worked for me.
posted by Otis at 12:10 PM on October 21, 2015 [2 favorites]
You can enable two factor auth for wordpress. The basic idea is simple, right now you log in with a single "factor", something you know. The basic factors you can authenticate with are:
-Something you know (a password)
-Something you have (a token)
-Something you are (biometric)
You're worried because someone might guess the thing you know. You can strengthen this by requiring multiple factors to log in, meaning even if they guess your password they'd be unable to login unless they had a second factor of auth.
Duo is an example of a product that provides this, is pretty easy to use, and I want to say free for under 5 users? Basically when you log in with a password, a little thing pops up on your phone and you press the green button and then you're logged in. This is two factor in that it is something you know, and something you have (your phone).
https://www.duosecurity.com/docs/wordpress
Duo is particularly easy to use, but there's also Google Authenticator which I believe is free. If you search for "wordpress two factor auth" my guess is you'll find a few solutions, one of which should work for you.
posted by yeahwhatever at 7:14 PM on October 21, 2015
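What a Google Authenticator-style second factor actually checks, as an added Python example that is not from the thread, from Duo, or from any WordPress plugin. Google Authenticator implements RFC 6238 TOTP: the phone and the server share a secret, both derive a 6-digit code from HMAC-SHA1 over the current 30-second time step, and a guessed password is useless without the code. The secret and timestamps in the test are the RFC 6238 reference values; the one-step skew window and the replay guard (`last_counter`) are design choices assumed here, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
# Real enrolments use provisioning_secret() below; this one is only for the known vectors.
RFC6238_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). These are the
    Google Authenticator defaults (SHA1, 30 s, 6 digits)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def provisioning_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded the way the authenticator app expects it
    in the enrolment QR code / otpauth:// URI (padding stripped)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def key_from_base32(secret: str) -> bytes:
    """Inverse of provisioning_secret(): restore padding and decode."""
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return base64.b32decode(padded)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the code for the current step or up to `window` steps either side (phone clock
    skew), compares in constant time, and refuses any counter <= last_counter so that a code
    an attacker captured cannot be replayed while it is still within the window. Returns the
    accepted counter (store it as the new last_counter), or None if the code is rejected.
    """
    if at is None:
        at = int(time.time())
    now = at // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = provisioning_secret()
    key = key_from_base32(secret)
    code = totp(key)
    print("enrol this in the app:", secret)
    print("current code:", code, "accepted counter:", verify_totp(key, code))
```

The part worth noticing is `verify_totp`: a brute-forcer hitting wp-login.php now needs the password and a code that is only valid for about a minute and, with the replay guard, only once. Keep the per-IP throttling anyway, because six digits is a small keyspace if the endpoint lets an attacker submit unlimited codes against a known-good password.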
In Wordpress security threads I always mention the NinjaFirewall plugin because it's still working great for me (on 8 sites). Bonus: It plays nice with Wordfence which I use to throttle login attempts and crawlers.
posted by yoHighness at 9:48 AM on October 22, 2015
posted by theraflu at 10:04 AM on October 21, 2015 [4 favorites]