Hi everyone.
I manage a site with multiple subdomains (with the multi-site network funcitonality on WP), and unfortunately suffered a Brute Force attack for a couple of days.
I was initially getting an HTTP 503 error when trying to access my site, and then noticed through the Succuri Security plugin that dozens of login attempts from random IP addresses were being carried out.
The number of login attemps was not in the thousands, but was 300+ for some days, and the IP’s varied from countries like China to Turkey, to other Luxembourg.
​
**Long story short**
After carrying out some measures throughout a couple of days, the site is now back up. But all images from the last three months are missing.
My initial suspsicion was that someone logged in and deleted them, but Succuri registers successful login attempts, so in theory I should be able to see if someone suspicious successfully logged in (and I don’t).
​
Any idea what might have happened?
​
​
Thanks in advance!
[ad_2]
Change your login url with the plugin WP-admin. Change it to something crazy like a long encrypted password.
​
Can you restore a backup?
It would be highly unusual for files to be deleted. Setup CloudFlare and block any problem countries. And it sounds like Sucuri wasn’t doing its job or it wasn’t configured properly. Personally I use Wordfence and set the “incorrect password attempt block” to 4, and instant block of any incorrect username attempts. Block duration is 2 months.
Have you checked the file system for the files?
Where are you seeing that the files are missing? Frontend? Backend? Are you seeing a 404 error in the console?
My site gets thousands of login attempts a day… unless they got into your site there is no way they deleted any files.
Is it possible that your web host restored a file backup that wiped out the uploads? Any content changes missing as well?
Unless they were successful, I can’t see how a brute force attack could delete images from the media library.
Unless you are using Sucuri’s paid service, I’d switch to Wordfence. You can set it up to display a Google CAPTCHA on the login form to help limit login attempts and also set up 2FA. It also has its own firewall to help block malicious attacks and has additional features for preventing brute force attacks.