Channel: server-load – WordPress.org Forums

themadproducer on "[Plugin: Wordfence Security] 3000+ High CPU Brute Force Attack Single Blocked IP 503"


@pingram3541
@Mark

Thanks for adding input to this thread. It feels like an AA meeting for website security lol.

Here are some trends and info I've noticed in the past few weeks of testing:
- every single day, my one server with 4 WP sites gets a dozen different BFAs (brute force attacks), and only once so far has there been a Botnet Attack of a low 150 hits.
- since using Wordfence to track attempts and stop them...almost every attack quit within 2-50 attempts with a single IP attack, but sometimes it ran as high as 150-200 attempts before the bot gave up. (stupid bots)
- 2 days ago I endured 2 BFAs with 3,500 and 15,000 stubborn hits each. (especially stubborn relentless stupid bots)
- during these attacks, Wordfence and WP Statistics were tracking every hit as well as my raw access logs of course. My shared server package states that 2% CPU is what I am allowed. Sure, I will get spikes and occasional sustained high CPU, especially when I am doing a ton of site maintenance in the temporary CPU range of 3-6%, but during that last high volume attack, CPU was hovering between 18-20% for a long period of time.
- In an attempt to relieve the pressure and weed out all possibilities, I disabled WP Heartbeat, disabled WP Stats and eventually whitelisted my IP for wp-login access via htaccess. As soon as I did the htaccess part, CPU load averages slowly started to fall back down. At that point, WF stopped tracking the hits because, of course, they were stopped at the server level, so I knew htaccess was working.
- unfortunately, I have no scientific way of accurately measuring real time CPU usage on the server except the cpu% average that shows up in cPanel and gets updated every 5min.

I am interested to test out any new WF feature that might allow me to use WF as the first line of defense rather than the htaccess whitelist. I really appreciate the WF stats report and it saves so much time when reviewing and analyzing activity.

@pingram3541
Yes, how can a single IP be allowed to knock on my door 15,000 times in 13 hours without any resistance or repercussion? And to permanently blacklist IPs is not a well-rounded solution since the IP may be dynamic, or part of an infected innocent user's PC or server.

@Mark...just thinking of ideas here...
I know WF was not directly responsible for the super high CPU% during the BFAs, but if it contributed due to the processing of hack attempts (which I haven't proved but it seemed this way) ...then the feature I would like to see is maybe a combination of WF and htaccess. Perhaps, if a certain amount of hits to sensitive URLs is tracked from a single IP origin, then WF triggers the IP to be blacklisted in htaccess for 30 days etc. This would be the best of both worlds assuming.

So for example...3 failed login attempts triggers the banned URL, thus the offending IP gets served the usual 503 for x-amount of days. But then, if another consecutive 50 attacks are tracked from this same banned IP, then implement an IP block via htaccess. Now the processing overhead for this IP has been reduced to a minimum. So it's a 2-stage defense depending on the severity or longevity of the attack.

What about a Botnet attack of say 500 consecutive unique IPs in a short time frame? Perhaps this triggers a temporary lockdown...BLOCK ALL IPs from wp-login with an instant notification to the webmaster who can then monitor the attack and make a decision as to how to proceed.

Just throwing you ideas Mark...and I am definitely not a security expert but I am good at troubleshooting and idea invention.
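
Added example, not part of the original post and not Wordfence code: a sketch of the two-stage escalation proposed above, run over raw access log lines. It assumes Combined Log Format, treats any POST to wp-login.php that is not answered with a 302 redirect as a failed or blocked attempt, and renders stage-2 IPs as Apache 2.4 `Require not ip` rules; the function names and sample log are constructed, and ban expiry is left out.

```python
import re
from collections import Counter

# Thresholds from the post: 3 failed logins -> 503 ban, 50 more hits -> .htaccess block.
STAGE1_FAILS = 3
STAGE2_EXTRA = 50

# Combined Log Format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(lines):
    """Return {ip: stage}; 1 = application-level ban, 2 = server-level block."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        # Assumption: a login POST without a 302 redirect failed or was already blocked.
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status != "302":
            hits[ip] += 1
    stages = {}
    for ip, n in hits.items():
        if n >= STAGE1_FAILS + STAGE2_EXTRA:
            stages[ip] = 2
        elif n >= STAGE1_FAILS:
            stages[ip] = 1
    return stages

def htaccess_block(stages):
    """Render Apache 2.4 (mod_authz_core) rules that deny only stage-2 IPs."""
    ips = sorted(ip for ip, s in stages.items() if s == 2)
    if not ips:
        return ""
    body = "\n".join(f"    Require not ip {ip}" for ip in ips)
    return f"<RequireAll>\n    Require all granted\n{body}\n</RequireAll>\n"

def sample_log():
    """Constructed log lines using documentation-range IPs, not real traffic."""
    def line(ip, status):
        return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "POST /wp-login.php HTTP/1.1" {status} 512'
    return ([line("203.0.113.7", 200)] * 3 + [line("203.0.113.7", 503)] * 50
            + [line("198.51.100.9", 200)] * 4
            + [line("192.0.2.1", 200), line("192.0.2.1", 302)])

if __name__ == "__main__":
    print(htaccess_block(classify(sample_log())))
```

Only the persistent IP reaches the server-level rule, so short-lived offenders stay under the application-level ban and the .htaccess file does not grow with every bot that gives up early.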

