WordPress arbitrary file download attack

I have a server that hosts a few WordPress websites. They are being attacked; the title of the post is the notification I get.

I have installed a firewall and WordFence on each WordPress website. They get locked out but nonetheless they can still try to log in. Also, they seem to be using dynamic IPs, so it's impossible to block them this way.

They are still hitting the server hard and it slows it down dramatically.

We also installed a firewall, but because the IPs change all the time we can't block them and traffic still makes it to the server.

What else can we do?
How come this huge security issue has not been addressed by WordPress? I am sure I am not the only one.
Asked by: Aleks

mankowitz commented:
Are the attackers trying to get the admin password? If so, you might consider using this: https://wordpress.org/plugins/botnet-attack-blocker/
Aleks (Author) commented:
Well, admin or any user for that matter, I guess. I already installed a WordPress firewall and WordFence; they won't get through, that is not the problem. The problem is they are still able to send queries and hit the sites hard, slowing down the whole server.

If I delete the login page then there would be no place to log in. I can move it to another folder outside the web root. Do you know which page is the login for the admin?
mankowitz commented:
The admin page is usually

http://xxxxxx.com/wp-admin.php
Aleks (Author) commented:
I don't think that's correct, it is xxxx.com/wp-admin
It's inside that folder but I don't know which page it is.
mankowitz commented:
The truth is that DDOS attacks are very hard to prevent. It may be worthwhile for you to contact your ISP to see what they are doing about it. There is another plugin which might be useful. https://wordpress.org/plugins/wpantiddos/
Aleks (Author) commented:
I'll check it out. But for now I want to remove the login page. Does anyone know what the name of the .php file for the login is?
mankowitz commented:
There are lots of sources on how to protect the wp-admin directory.

This overview is from WordPress: http://codex.wordpress.org/Hardening_WordPress

Here is an article about moving (renaming) wp-admin
http://www.michikono.com/2007/02/12/who-else-wants-to-hide-their-wordpress-admin-folder/

The other option is to encase that folder with another password,
Aleks (Author) commented:
Yeah... I did that, they still found it, so I am simply removing it. The name is: wp-login.php
Aleks (Author) commented:
It's actually xxx.com/wp-login.php

I moved it to an external folder. If needed I'll put it back to make any changes. We don't change most of the sites so this should help... crossing fingers.
Aleks (Author) commented:
I checked and it seems like it's the revslider where they are trying to hack, not the login page.  :(
All my sites have that plugin.

https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html

I just installed their patch... sites are still slow... infected? How to clean up?
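An added example, not part of the original thread: a small access-log triage that separates wp-login.php brute-force traffic from file-download probing against plugin endpoints, the distinction made in the comment above. It assumes the Apache combined log format; the sample lines, IP addresses and the `plugin_action` parameter value are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jan/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2015:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&img=../wp-config.php HTTP/1.1" 200 2913 "-" "-"
198.51.100.9 - - [10/Jan/2015:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&img=..%2Fwp-config.php HTTP/1.1" 403 199 "-" "-"
192.0.2.15 - - [10/Jan/2015:10:00:05 +0000] "GET /2015/01/hello-world/ HTTP/1.1" 200 8456 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# File names that a web request should never ask for by parameter (assumed list).
SENSITIVE = ("wp-config.php", "/etc/passwd", ".htaccess")

def classify(method, target):
    """Label one request: 'file_download_probe', 'login_attempt' or 'other'."""
    parts = urlsplit(target)
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to catch double encoding.
        value = unquote(value).replace("\\", "/").lower()
        if "../" in value or any(s in value for s in SENSITIVE):
            return "file_download_probe"
    if method == "POST" and parts.path.endswith("/wp-login.php"):
        return "login_attempt"
    return "other"

def triage(log_text):
    """Return (Counter of labels, [(ip, status)] for each file download probe)."""
    counts, probes = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        label = classify(method, target)
        counts[label] += 1
        if label == "file_download_probe":
            probes.append((ip, int(status)))
    return counts, probes

if __name__ == "__main__":
    counts, probes = triage(SAMPLE_LOG)
    print(dict(counts))
    for ip, status in probes:
        # A 200 means the request was answered rather than blocked: review it first.
        print(ip, status, "answered" if status == 200 else "blocked")
```

A probe answered with status 200 and a non-trivial response size is the case to investigate first, since credentials in the requested file should then be treated as exposed and rotated.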
mankowitz commented:
As that page indicates, once you are infected, there can be an arbitrary number of back doors put in. I'm not sure what to tell you at this point.
Aleks (Author) commented:
Is there a way to get rid of the backdoors?
If I uninstall the plugin will that help?
btan (Exec Consultant) commented:
Since they are random, and there can be some "bot master" behind them controlling bots to do a wide scan and conduct hardcore brute-force attempts, besides trying to throttle the access, I am also thinking of deterring them based on the below (likely you have already done it too; before the blog is commissioned, have a regime check again):

- Disallow any form of directory browsing in your .htaccess in the root directory of your WordPress blog, including limiting access to the wp-content directory. This is also to deter spiders and crawlers, especially as you do not want those to index the admin section (e.g. limit crawler traffic using robots.txt, use .htaccess to hard-block)
#block bad bots with a 403
SetEnvIfNoCase User-Agent "facebookexternalhit" bad_bot
SetEnvIfNoCase User-Agent "Twitterbot" bad_bot
SetEnvIfNoCase User-Agent "Baiduspider" bad_bot
SetEnvIfNoCase User-Agent "MetaURI" bad_bot
SetEnvIfNoCase User-Agent "mediawords" bad_bot
SetEnvIfNoCase User-Agent "FlipboardProxy" bad_bot

<Limit GET POST HEAD>
  Order Allow,Deny
  Allow from all
  Deny from env=bad_bot
</Limit>
Or add a CAPTCHA to the login page of concern.
- Do your own self-checks using wpscan to scan your WordPress blog for vulnerabilities, revealing any malicious code, especially in the plugins (such as those in the vulnerability DB - https://wpvulndb.com/plugins) and the OWASP Top Ten low-hanging ones. Remote and Local File Inclusion (RFI/LFI) are among the most prevalent web holes being exploited; you need to close those up if the scan findings reveal them...
Aleks (Author) commented:
How can I scan the site?
btan (Exec Consultant) commented:
Either use the Kali CD, which has the wpscan tool in its arsenal of packages, or run SiteCheck and the WP scanner, which will flag outdated and vulnerable plugins.

http://tools.kali.org/web-applications/wpscan
https://sitecheck.sucuri.net
https://hackertarget.com/wordpress-security-scan/
Aleks (Author) commented:
Thx.
William Nettmann (PHP Web Developer) commented:
I would try using Cloudflare - that will protect you pretty effectively. See https://www.cloudflare.com/features-security/

I am a Cloudflare Certified Partner, but derive no benefit from suggesting them to you.
btan (Exec Consultant) commented:
They have a Web App FW (as a 'cloud' service), which is prime for such web-based attacks. There are Akamai and Incapsula too, but at a higher rate. You may consider an on-premise WAF if DDoS is not a big concern for your site...

Aleks (Author) commented:
Thanks to everyone. I patched the plugins and removed the login pages. So far it's looking better.