After the recent global distributed botnet attack on WordPress installations that took down servers and broke into admin accounts, I thought I’d write a plugin to prevent it happening again.
Distributed botnet attacks can come from multiple IP addresses and locations at the same time, so conventional IP-based lockouts are not effective (e.g. those found in Wordfence and other WordPress security plugins).
For example, if 1,000 different computers (with unique IP addresses) are trying to brute-force your admin password and you lock out each IP address after 5 incorrect attempts, then you have still allowed 5,000 attempts. My plugin essentially ignores the different IP addresses and locks out all admin login attempts in a configurable way – so if it is set to 5 failed attempts (the default), those 1,000 different computers get a total of only 5 attempts between them.
You can select how many login failures cause the lockout, how much time to allow between failures, how long to block logins for, and also input a whitelisted IP address (or multiple addresses separated by commas or spaces) which bypasses the lockdown and can always log in – so you can still get into your site even in the middle of an attack. Version 1.1 adds support for partial IP address matching for those with dynamic IP addresses.
I have added the plugin to the WordPress repository for general use – WordPress seems to require a donation link so if you would like to contribute, please click here. Please feel free to leave comments and suggestions.
Download here: botnet-attack-blocker (direct from WordPress)
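The lockout logic described above, as an added example that is not the plugin's own code: one failure counter shared by every source address, a configurable gap between failures, a lockout period, and a whitelist with partial (leading-octet) matching. The class and function names, the documentation-range IPs in the whitelist and the octet-boundary rule for partial matches are assumptions of this example.

```python
class BotnetAttackBlocker:
    """Global (IP-agnostic) login lockout modelled on the plugin's description.

    Every failed login, from whatever address, advances one shared counter, so a
    botnet of 1,000 hosts gets max_failures attempts in total, not 1,000 x that.
    """

    def __init__(self, max_failures=5, failure_window=300,
                 lockout_seconds=900, whitelist=""):
        self.max_failures = max_failures        # failures before lockout
        self.failure_window = failure_window    # max seconds between failures
        self.lockout_seconds = lockout_seconds  # how long logins stay blocked
        # whitelist entries may be separated by commas or spaces
        self.whitelist = whitelist.replace(",", " ").split()
        self.count = 0                          # failures in the current run
        self.last_failure = float("-inf")       # time of the previous failure
        self.locked_until = 0                   # time the lockout ends

    def is_whitelisted(self, ip):
        """Exact or partial match: '198.51.100' covers 198.51.100.x.
        Requiring an octet boundary (so '1.2' does not cover 1.20.x.x)
        is an assumption of this example."""
        for entry in self.whitelist:
            entry = entry.rstrip(".")
            if ip == entry or ip.startswith(entry + "."):
                return True
        return False

    def login_allowed(self, ip, now):
        return self.is_whitelisted(ip) or now >= self.locked_until

    def record_failure(self, ip, now):
        """Call on the wrong-password event; whitelisted sources never count."""
        if self.is_whitelisted(ip):
            return
        # a gap longer than failure_window since the last failure resets the run
        if now - self.last_failure > self.failure_window:
            self.count = 0
        self.count += 1
        self.last_failure = now
        if self.count >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.count = 0


def simulate_distributed_attack(blocker, attacker_ips, start=0):
    """One wrong-password attempt per host, one second apart (constructed).
    Returns how many attempts reached the password check; a per-IP lockout
    with a limit of 5 would let all of them through, since each IP tries once."""
    reached = 0
    for i, ip in enumerate(attacker_ips):
        now = start + i
        if blocker.login_allowed(ip, now):
            reached += 1
            blocker.record_failure(ip, now)
    return reached
```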
Thank you for your plugin, I want to try it on my site.
My question is: is it possible to set the whitelist IP by writing just the first two groups of the address followed by a dot and an asterisk?
Ex: 11.22.*.* 33.44.*.* and so on
You know, the IP will change any time you start a new connection.
Good suggestion, thanks, I hadn’t considered dynamic IPs – I’ll add it to the next release. The plugin was only published this morning, so there will probably be a few feature requests coming. Watch this space! 🙂
For the moment, while waiting for your new release, I am keeping your good plugin inactive, because it will not always be operative for the locked administrator.
Let me know if you need the Italian translation; just give me your .pot file.
I’ve just updated the plugin with partial IP matching (so just type in 1.2 if you want to match 22.214.171.124 or 126.96.36.199 etc.) and also updated the plugin to be translatable. Thanks for the offer – I’ll email you the pot file 🙂
I sent you the two files, .po and .mo, for the Italian translation.
I activated your plugin. It’s working fine!
That’s great – thank you! I’ve updated the plugin with your translation.
I just installed your plugin. I can’t wait to see this in action. I have some large multisites. One of them got brute-force attacked last night. I like how the default on multisite is one login attempt. That’s slick. I have some friends in some big corporations and these hackers hit way more than WP sites.
I haven’t tested it on a multisite installation! Please do let me know asap if there are any issues – thanks 🙂
Pingback: Botnet Attack Blocker for WordPress Protects Sites Against Brute-Force Attacks | CISSP 2 CISSP
This will cause false-positive blocking for those behind NAT and those on time sharing, e.g. ADSL.
I think you may have missed the point of the plugin 🙂 It could only do that if you fail login multiple times and haven’t whitelisted your IP address range.
Pingback: BotNet Blockers, Trip Sharing, Customer Testimonials, Automatic Dummy Images and Anti-Pinterest
Pingback: Gourmet selection of plugins for WordPress | Advertising and Online Marketing Agency Barcelona | Nexo Creativo |
Minor correction to be made in the file botnet-attack-blocker.php:
On line 79, the add_options_page function, “bab_show_page” needs to be quoted.
Most PHP installations will assume it is quoted, but may throw an error.
Thanks for the plugin!
Thanks, will make the change 🙂
Hi, thanks for sharing. I’m wondering if it’s OK to copy some of the text in my site?
As long as you link back to the source, that’s fine.
Thank you for the great plugin !!
It looks like the plugin also blocks access to a password protected page on my site during a lockout. One of my customers got this error message trying to access the page:
Warning: strpos() [function.strpos]: Empty needle in /home/mille33/public_html/pressureperfect.us/wp-content/plugins/botnet-attack-blocker/botnet-attack-blocker.php on line 55
Warning: Cannot modify header information – headers already sent by (output started at /home/mille33/public_html/pressureperfect.us/wp-content/plugins/botnet-attack-blocker/botnet-attack-blocker.php:55) in /home/mille33/public_html/pressureperfect.us/wp-login.php on line 396
Warning: Cannot modify header information – headers already sent by (output started at /home/mille33/public_html/pressureperfect.us/wp-content/plugins/botnet-attack-blocker/botnet-attack-blocker.php:55) in /home/mille33/public_html/pressureperfect.us/wp-includes/pluggable.php on line 876
I’ve disabled the plugin and my customers can access the protected page again. I have other plugins to prevent attacks but I like the simplicity of yours better but it might not work for me in this case.
Hi, the new version of the plugin should fix this!
I get MySQL errors whenever this runs. Here’s a sample:
Fri Aug 16 22:56:32 2013] [error] [client 146.x.x.x] WordPress database error Incorrect table name ” for query INSERT INTO “ (`ip_address`,`timestamp`) VALUES (‘146.x.x.x’,1376657792) made by wp_signon, wp_authenticate, do_action(‘wp_login_failed’), call_user_func_array, bab_login_failed, referer: http://xxxx/wp-login.php
[Fri Aug 16 23:04:44 2013] [error] [client 5.xx.xx.xx] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ORDER BY timestamp DESC’ at line 1 for query SELECT timestamp FROM ORDER BY timestamp DESC made by do_action(‘login_init’), call_user_func_array, bab_login_init
[Fri Aug 16 23:04:45 2013] [error] [client 5.xx.xx.xx] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ORDER BY timestamp DESC’ at line 1 for query SELECT timestamp FROM ORDER BY timestamp DESC made by do_action(‘login_init’), call_user_func_array, bab_login_init, referer: http://xxxx/wp-login.php
Might be because I’m running a multisite install. Is the plugin tested for multisite?
Thanks for the feedback – I’m afraid it’s still buggy in multisite, this will be totally fixed by the new minor version (coming very soon!), but until then I don’t recommend using it in multisite – sorry about that 🙁
No worries, it happens. If you want me to be a guinea pig for the next version, drop me a line. I have a local installation of my multisite system as well as a live one on my own system, so I can test stuff safely and send you logs directly.
Thanks for the awesome plugin – once I get it set up I get the following on the wp-admin page:
Warning: strpos() [function.strpos]: Empty needle in /home/sharpf7/public_html/wp-content/plugins/botnet-attack-blocker/botnet-attack-blocker.php on line 70
The system seems to be working – and letting those of us with whitelisted IP addresses in – but I wasn’t sure what was causing the line 70 error.
Love it. I’d just like to make a feature request: add an option in the admin interface to lift the lock-down.
I’m finding that it’s not catching anything at all. I installed it, and it’s not aware of any of the dozens or more attempts to access /wp-login.php on my site. Is there a way they’ve figured out how to bypass your plugin?
Pingback: How To Protect WordPress Sites From Hackers – New User Guide | Tims IM Blog
Does it work well with multisite? I have observed in my test run that while logging into multisite, it gives an error about not finding the botnet table for network sites.
Thanks for this plug-in. We use it on our site after a lot of attacks on xmlrpc.php. All our editorial staff members are in the whitelist of this plug-in. In one day we got more than 80357 attacks. But this plug-in helps us to stop it.
I cannot deactivate the plugin. If I choose the button “Report and Deactivate” nothing happens. If I choose “No problem to report” I’m redirected to a 404 page. In both cases the plugin stays activated. The 404 address is “http://www.noordoogst.org/wp-admin/undefined”
I use a premium theme, “Central”.
Hope you can help me out.
I found out what caused the problem. It is not your plugin but the “Installer” plugin from OnTheGoSystems Inc.!
All the deactivation of other plugins was not working. I deactivated the “Installer” and the problem was solved.
There are many good plugins to block these types of attackers.
Informative, thanks for sharing.