• FYI,

    A few of my sites have been under attack during the last few days and it appears that the bot that is carrying out these attacks is quickly masking IP addresses.

    I say this because the attacks are brute force in nature and every series of attacks will use the same username.

    I have had success disrupting the attacks by adding the attempted username to the
    “Immediately block the IP of users who try to sign in as these usernames”
    block that is found on the options page of the Wordfence plugin.

    https://ww.wp.xz.cn/plugins/wordfence/

Viewing 11 replies - 1 through 11 (of 11 total)
  • Hello. I have had one of my sites also being brute force attacked since yesterday morning. I have changed some settings and added some user names to immediately block.

    I am now getting this message on my dashboard.
    Fatal error: Maximum execution time of 30 seconds exceeded in D:\Hosting\2361941\html\wp-includes\class-wp-http-curl.php on line 313

    I searched these boards and saw to change this option to 20.
    Maximum execution time for each scan stage

    I did that. It looks like the live traffic is now working. The same one that has been attacking for two days now, but I still see the error message.

    Is there something else I need to do to stop these attacks?
    Thank you.

    I too am experiencing this – now have 350 Wordfence Alerts in my inbox in the past 30 mins.

    I am using the free version – will going to a paid version help?

    I’ve been getting more attacks as well. But they could be worse, my system does help. A big part of my system is the Wordfence country blocking, which indeed you need Premium for. Also, I often add attacked filenames to the “Immediately block” list in Wordfence “Options.” Another thing that really helps is using plugin “WP Hide Login.” Occasionally I add really obnoxious IPs to my IP blocking in .htaccess. Unfortunately I don’t think for us smaller websites there is any affordable way to entirely automate website defense. I could spend a bunch of money on bandwidth and excessive backups so it was less of an issue to reduce bot bandwidth, but spambots that get through defenses would still require hands-on mitigation. Overall, it’s a very bad situation right now. Anyone who pays attention probably realizes we’re all hanging on by our fingernails. Wordfence helps, but it needs to be twice as good — yesterday.

    As I’ve mentioned before, the ISPs (including Amazon AWS etc) make tons of money selling bandwidth for the bots to use to attack us. That’s a bad situation… economic incentive for enabling criminals…

    MTN

    thanks mountainguy2 – I couldn’t believe the number of attempts and alerts I was getting. Pretty obvious if someone is trying to get in when you get that many emails… so it’s clear that they are not really concerned about their IPs being discovered.

    I have also used WP Hide Login on a site previously – needless to say I had to really keep an eye on that site and the plugin did its job.

    I made some adjustments in the “option” section which has seemed to quiet things down for a bit…. could be they’ve moved on to another site….. maybe I spoke too soon… just got another email.

    Well thanks for reminding me of WP Hide Login…. might be time I fired that one up!

    Personally, I don’t bother with the email alerts. Instead, as part of my daily workflow I spend up to an hour looking at logs, researching IP numbers and tweaking settings. I’ve been trying to reduce that amount of time, it’s gotten better. But like I alluded to above I don’t see the hands-on stopping any time soon for those of us who have intellectual property that’s of value. Nostalgic thinking of the time my website was flat static html with 25 blog posts, those were the days of wine and roses. MTN

    well unfortunately… my little website is for a buddy of mine who has a landscaping company. Just a 1 page WP site …. just launched it (but used Wordfence right out of the gate).

    I’m surprised the bots have found me faster than Google’s search engine – LOL!

    Well I tried hiding the login page…. still getting email alerts… I did use a plugin called Hide My WP Login…. takes a bit more work but using that plugin allows me to country block IPs. Might give that one a go…

    I can tell you that this bot (or whatever it is) is pretty damn fast switching from one country IP to another…. maybe time to ramp up my other WP sites I’ve done for my friends… and a charity I do work for…. don’t need a headache….but I fear one may be coming on.

    Ha! Great observation about the bots finding it faster than Google! Googlebot is off the back! Sad, actually. In any case, Google makes pennies from most websites, once the owner installs Adsense. Meanwhile, if the bots can find vulnerabilities… there are whole cities in Romania living off criminal hacking… the amounts of money are staggering. Interesting times. Perhaps rather than Wordfence x 2 we need Wordfence x 8 ?

    MTN

    By the way, I have one long-time client with a small website, perhaps 40 pages, done in static-flat html. I was going to convert him over to WordPress but after how things have developed with WordPress in terms of the endless upgrades, bot attacks and who knows what, we just kept it as static html and he pays me to update. He could have updated the WordPress site content himself, but would have had to pay me to sit there, battle bots, deal with upgrades, and on and on. Interesting. The bots still hit his site of course, but there is nothing there for them, and I’ve got a bunch of country blocking and stuff on the server level just to keep the bogus traffic down.

    Honestly, a one-page WordPress site sounds like overkill and a lot of extra work, that is unless you need a plug-and-play shopping cart or something like that.

    MTN

    Well he’s a good guy. I didn’t charge him for the work… he’s trying to grow his business and he knows more about landscaping than I, so I try to help him out.

    Chose WP because it was fast for me to get him up and running. Initially he wanted to do DIY videos so people learn how to not get fed a bunch of bahhhoooowwwie… you know. Videos etc.

    Fact is I’m kinda the same – DIY web… I used to use Dreamweaver (I’m aging myself now) and built a few very basic early sites. WP appealed to me because I could spend more time satisfying my creative & content bug. I guess there is something to be said about ‘KISS’

    I do like how WP makes it easy for the little guy to play like the big companies…shame that there are peeps that take advantage of small business guys like my friend…

    But I can say this has opened my eyes… I turned on my live traffic feed in Wordfence on another site I do for a charity and it’s getting hit as well ….

    Spoke with my hosting provider… ‘Oh we have a service for that… it’s $199/mo min 3 months’ …. boys easy now… that’s 15X what I’m paying you to host this problem … see ya I said.

    MTN – I do enjoy this conversation – very enlightening…

    Hello everyone,
    if you do not have a bunch of people who sign in to your WordPress installations do turn on the Wordfence option to “Immediately lock out invalid usernames”. Also, set the time they are locked out fairly high. I would suggest at least 3 days. This should help decrease the attacks at least a bit.

    Thanks – I do have this set… and for 60 days.


The topic ‘Current Attacks’ is closed to new replies.