Brute Force Attack and Defender - now what?

I am hosting with GoDaddy in a shared cPanel account with 'level 3' resources. I host a WP multisite with about 12 blogs and in addition 4 WP single sites. For about 4 weeks I have noticed much increased I/O usage, which has led to frequent downtime (faults) of my site. I had installed Defender and enabled both IP lockouts and 404 Detection, both locking out IPs for 3600 seconds after only 2 attempts and permanently banning all IPs.

While Defender sends me email notifications about such lockouts - now one email every 5 minutes or so - using Defender has not reduced or 'rectified' these attacks. Only after I deactivated several of my blogs in the multisite did the attacks subside (see attached screenshot of the resource graph before and after). This went well for a few hours, but since then there has been another wave of attacks, again resulting in faults, for about 10 minutes or so. Currently all seems 'quiet', but only because most blogs are still deactivated.

I now have 3 questions:
1. What, if anything, does Defender do to 'fight' such attacks? Receiving emails about them is fine, but they will not 'fight' or rectify these attacks. So, what's next?
2. My list of banned IPs is of course growing all the time; but will this eventually lead to a 'drying up' of the attacks, or can I expect that these will continue forever (or for a very long time at least)? Will the attacking IPs eventually dry up?
3. I am also confused regarding the 'banning' of IPs: the email that Defender sends only talks about a ban for 3600 seconds, but it does not mention whether that same IP has actually been permanently banned.

So, in other words, what is the actual 'net' benefit of having installed Defender? It doesn't seem to prevent any attacks - or does it?

I have granted you support access - just in case you wanted to check my setup.

Thanks in advance for your assistance.

  • Kasia Swiderska

    Hello Chris,

    1. What, if anything, does Defender do to 'fight' such attacks? Receiving emails about them is fine, but they will not 'fight' or rectify these attacks. So, what's next?

    Sending emails informs you that there is a "wave" of bots checking your site for vulnerabilities. What Defender is doing is banning those IPs so they can't use the same machines all the time to attack your site.

    2. My list of banned IPs is of course growing all the time; but will this eventually lead to a 'drying up' of the attacks or can I expect that these will continue for ever (or a very long time at least)? Will the attacking IPs eventually dry up?

    They usually do. From my sites I can see that it is around a 1-2 day wave and then there is silence for days or weeks.

    3. I am also confused regarding the 'banning' of IPs: the email that Defender sends only talks about a ban for 3600 seconds, but it does not mention whether that same IP has actually been permanently banned.

    If you set up the ban as permanent, then it should show it, like this:

    That is from a permanent block on my site.
    Are you sure you checked "Permanently ban login lockouts." under "Lockout time"? (I'm asking because support access is not working for your site; there is "ERROR: Sorry, there was an error. Please be sure JavaScript and Cookies are enabled in your browser and try again.")

    From my experience - I have a very unpopular site, and at first it was under a long bot attack and I was getting so many emails about it that I had to turn them off. Then I enabled permanent ban, and last week it was 8 lockouts. When it started it was reporting dozens of those every day. I'm monitoring this, but it seems like it's looking better with those permanent bans.

    Defender doesn't prevent attacks - it helps to handle them so they don't really harm your site. But if those attacks are really, really hard on your site, then you might want to consider banning IPs on a different level, like with this one: https://www.fail2ban.org/wiki/index.php/Main_Page (if this is possible on your server).
    Because not everyone can use specialized software to protect their sites - like on shared hosting - Defender is a tool for them so those attacks don't get worse and worse.

    kind regards,
    Kasia

  • Chris

    Just to add that, after 3 days of applying very strict blocking rules (block after 2 attempts in 300 seconds, block for 3600 seconds and automatically permanently ban IPs) for both login and 404, my site has now returned to normal, with only, it seems, a few more sporadic attacks. Seems the hackers have realised that there is no way in... I have attached the resource stats for my server over the last 7 days, which clearly show the decreased I/O activity, which also correlates with less CPU and memory usage.
    However, the litmus test comes when I, one by one, will re-activate the remainder of my blogs. I hope it'll stand the test...
    Thanks again Kasia for your insights, which restored some 'peace of mind' and hope...
    I will now take the abilities of Defender more seriously and set it up on all my other websites in a similar way as I realise that it is a powerful tool to prevent abuse of my server and downtime to my websites.
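For readers who want to see how the lockout rules discussed in this thread (Kasia's explanation of what Defender does with the IPs, and Chris's final settings of 2 attempts within 300 seconds, a 3600-second lockout and an automatic permanent ban) actually behave, here is an added example. It is not Defender's code and not from anyone in this thread; it is a small model of a sliding-window lockout tracker, replayed over a constructed list of failed login attempts. The IP addresses, timestamps and the `LockoutTracker` / `replay` names are all made up for illustration. It also shows why the "3600 seconds" in the notification mail and the permanent ban are two separate facts: the temporary lockout is recorded with an expiry, the permanent ban is a separate flag that outlives it.

```python
"""Added example (not Defender's own code): a model of the lockout rules
discussed in the thread -- N failed attempts within a window trigger a
temporary lockout and, optionally, a permanent ban of that IP.
All IPs and timestamps below are constructed for illustration."""
from collections import defaultdict, deque


class LockoutTracker:
    """Tracks failed attempts (logins or 404s) per source IP.

    Defaults mirror the settings from the thread: 2 attempts within
    300 seconds, lockout for 3600 seconds, then ban the IP permanently.
    """

    def __init__(self, max_attempts=2, window=300, lockout=3600, permanent=True):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.permanent = permanent
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the temporary lockout expires
        self.banned = set()                  # ips banned permanently

    def status(self, ip, now):
        """Return 'banned', 'locked' or 'allowed' for this IP at time `now`."""
        if ip in self.banned:
            return "banned"
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        return "allowed"

    def record_failure(self, ip, now):
        """Register one failed attempt and return the resulting status."""
        state = self.status(ip, now)
        if state != "allowed":
            return state                      # already blocked, nothing more to count
        recent = self.attempts[ip]
        recent.append(now)
        # Drop failures that fell out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout   # what the "3600 s" mail reports
            recent.clear()
            if self.permanent:
                self.banned.add(ip)           # separate flag: survives the lockout expiry
                return "banned"
            return "locked"
        return "allowed"


# Constructed sample of failed wp-login attempts: (seconds since start, source IP)
SAMPLE_EVENTS = [
    (0, "192.0.2.10"),
    (5, "192.0.2.10"),      # second failure within 300 s -> lockout (+ ban)
    (10, "192.0.2.10"),     # already blocked, not counted again
    (0, "198.51.100.7"),
    (400, "198.51.100.7"),  # 400 s apart: outside the 300 s window, still allowed
    (3700, "192.0.2.10"),   # temporary lockout expired, permanent ban still holds
]


def replay(events, permanent=True):
    """Replay the events in time order; return the tracker and an audit trail."""
    tracker = LockoutTracker(permanent=permanent)
    trail = [(ts, ip, tracker.record_failure(ip, ts)) for ts, ip in sorted(events)]
    return tracker, trail


if __name__ == "__main__":
    for permanent in (True, False):
        print(f"--- permanent ban {'on' if permanent else 'off'} ---")
        _, trail = replay(SAMPLE_EVENTS, permanent=permanent)
        for ts, ip, state in trail:
            print(f"t={ts:>5}s {ip:<14} -> {state}")
```

Running it with the permanent ban on shows 192.0.2.10 reported as banned from its second failure onward, including at t=3700 s when the 3600-second lockout has already lapsed; with the permanent ban off the same IP is allowed again at t=3700 s, which is the "drying up" versus "coming back" difference the thread is about. The second IP, whose failures are more than 300 seconds apart, is never locked.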