attack on wordpress websites. How to stop it!

I have a server that hosts several WordPress websistes. They are all being attacked. Below is the description of the attack:

"Wordpress arbitrary file download attack"

The attack is slowing down my sites tremendously. And I need to fix this ASAP.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jason C. LevineDon't talk to me.Commented:
Install WordFence

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AleksAuthor Commented:
I am installing it on all wordpress websites see if that helps.
Jason C. LevineDon't talk to me.Commented:
It should.  You will want to let it go for a few hours and allow it to configure itself and see if it starts blocking IP addresses.
SolarWinds® Network Configuration Manager (NCM)

SolarWinds® Network Configuration Manager brings structure and peace of mind to configuration management. Bulk config deployment, automatic backups, change detection, vulnerability assessments, and config change templates reduce the time needed for repetitive tasks.

AleksAuthor Commented:
That makes sense, so far all sites still running very slow ... sill installing in some sites ..
Jason C. LevineDon't talk to me.Commented:
Go to the Live Traffic section in WordFence and use the different tabs to isolate attackers.  Then use Advanced Blocking to begin to shut them down.
AleksAuthor Commented:
I installed the plugin on each site, then stopped all sites and turn one on. Still super slow.
Jason C. LevineDon't talk to me.Commented:
Like I said, you may need to track accesses and begin blocking IP ranges manually. Without seeing it live, I can only give you some basic steps.  

If you are on shared hosting and the ISP is under attack, nothing you do may matter.
AleksAuthor Commented:
I added the IPs manually, it shows that it is 'blocking them' but they are still making it to the login page.
Isn't blocking supposed to prevent them to reaching the login page ?

I checked the server log and it still gets hits from those IP's

Any other ideas ?  This is not working so far.

Example of one site is: ... it takes forever to load because of this attacks. It already has the plugin installed and set it to High security and added the IP's. Not sure what else to do.

I searched more and Symantec says there is no available solution for this issue:
Dan CraciunIT ConsultantCommented:
If you've grown enough to have your own server and be the target of a DDOS attack, then maybe it's time to use a CDN. Cloudflare is expensive, but their business pack is used by many large sites to mitigate DDOS attacks:

If you want to solve this yourself and have ssh + root access to the server, you could try fail2ban:

AleksAuthor Commented:
I have my own server but the cost of the server is pretty much the same as that of cloudfare and it is per site, so that's not an option. Plus on this server I host only about 10 sites and some email accounts. I also use it to test new code, etc.

The second option looks similar to the one above.
Dan CraciunIT ConsultantCommented:
You said "they are still making it to the login page".

Using iptables and fail2ban will block the IPs at the firewall level.
Jason C. LevineDon't talk to me.Commented:
About the only other thing I can recommend is Sucuri's Web Site firewall:

which is similar, albeit a bit better, to CloudFlare.  But we're moving into expensive territory.
AleksAuthor Commented:
It appears to be that way. We tried using windows firewall to block those IPs as well but somehow they still make it to the login page ... or it seems that way. I will check the logs tomorrow see if they were able to get in throughout the night.
Dan CraciunIT ConsultantCommented:
Oh, you're on Windows. Scratch the fail2ban option.

After this attack is finished, you might want to consider switching to a Linux Server.
You'll have a faster server and more security options.
AleksAuthor Commented:
Woulnd't the also be solved with a Wordpress firewall plugin ?
Jason C. LevineDon't talk to me.Commented:
Woulnd't the also be solved with a Wordpress firewall plugin ?

No, because the traffic has already reached you at that point.  You need to stop this before it hits your server and clogs it up. If the attack is truly a DDoS, then internal WP solutions won't best they will prevent intrusion but they can't stop a DDoS
AleksAuthor Commented:
It already slowed down the server. What if I rename the login pages they are trying to login to ?
Dan CraciunIT ConsultantCommented:
Then you server will return 404 pages. Which, if you personalized them in Wordpress, are still stored in MySQL, so the connection will still happen.
AleksAuthor Commented:
Nothing seems to help. Even though I changed the name of the login page the traffic is still querying the server and slowing it down. I decided to get a physical firewall to stop the traffic before it hits the server. Thanks everyone.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.