My WordPress website is suffering from brute-force attacks via SSH on its DigitalOcean droplet

My WordPress website is suffering from brute-force attacks via SSH on its DigitalOcean droplet virtual VPS.

This may have happened after installing Clarity. No issues before.

I am non-technical and way out of my depth. Worried DigitalOcean will shut the droplet down and I will lose my website. Also worried about the impact of brute-force attacks on other users.

I tried adding Cloudflare, but this completely slows down the website.

Would moving to a managed hosting provider stop the attack? Any suggestions?

Edit: To clarify, the email from Digital Pacific says "your Droplet is performing brute-force attacks via SSH"

10 Comments
  1. Once a server goes live those attacks are common. Changing the default SSH port will stop or reduce the attacks.

  2. CloudFlare won’t help and Clarity has nothing to do with your issue.

    SSH listens on port 22 and is separate from your website which is available on port 443 (ssl)

    Simple solution – implement IP firewall for SSH in DO for port 22 and only allow your IP and that will stop brute force against SSH immediately.

  3. Cloudflare won’t slow down your site; you probably have the wrong settings.

    Anyway, you need to set up a firewall rule either at DigitalOcean or Cloudflare.

  4. Might need to first identify if they are brute force login attacks to WordPress (where an attacker tries to log in to WordPress) or SSH brute login attacks (where an attacker tries to log in to the server, unrelated to WordPress), as you mentioned both of these together.

    Were you seeing the login attempts in a WordPress security plugin?

  5. Defense in depth: set up a firewall at DO that only allows SSH access to your IP address. Then install fail2ban on your server, as well as UFW (Ubuntu Firewall). Then install Wordfence in WordPress and configure.

  6. Better to ask this in a server security or a cloud/VPS hosting subreddit.

    But on top of the above recommendations:
    – change the SSH port
    – restrict access to the port to the IP you use
    – disable root login
    – disable password login
    – use keys

    You could go even deeper and restrict users to certain areas in case someone bypasses all the above…

    DO has good docs on each of the steps above

  7. It sounds like your droplet has been compromised if you are the ones performing the attacks. You may need to back up your site and then delete the droplet. Please don’t delete anything without first testing your backups.
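
Added example, not part of the thread or any commenter's code: a small POSIX shell audit of the `sshd_config` items in comment 6's checklist (port, root login, password login, keys). The function names and both sample configs are constructed for illustration; the IP restriction from that checklist lives in the firewall and is not visible in `sshd_config`, so it is not checked here.

```shell
#!/bin/sh
# Added example: audit sshd settings against the checklist in comment 6.

# effective_value KEYWORD DEFAULT   (config text on stdin)
# sshd keeps the FIRST value it sees for a keyword and matches keywords
# case-insensitively. Only global settings are read: stop at the first Match.
effective_value() {
    awk -v key="$1" -v def="$2" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# check_item CONFIG KEYWORD DEFAULT is|not VALUE -> prints PASS/FAIL, returns 0/1
check_item() {
    val=$(printf '%s\n' "$1" | effective_value "$2" "$3")
    case $4 in
        is)  [ "$val" = "$5" ] ;;
        not) [ "$val" != "$5" ] ;;
    esac && { echo "PASS $2 = $val"; return 0; }
    echo "FAIL $2 = $val (want: $4 $5)"
    return 1
}

# audit_sshd CONFIG -> report on stdout, exit status = number of failed items.
# DEFAULT arguments are OpenSSH's built-in defaults for unset keywords.
audit_sshd() {
    fails=0
    check_item "$1" Port 22 not 22                          || fails=$((fails + 1))
    check_item "$1" PermitRootLogin prohibit-password is no || fails=$((fails + 1))
    check_item "$1" PasswordAuthentication yes is no        || fails=$((fails + 1))
    check_item "$1" PubkeyAuthentication yes is yes         || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample configs (not taken from the thread).
WEAK_CFG='#Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARD_CFG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# A later duplicate is ignored because the first value wins:
PasswordAuthentication yes'

audit_sshd "$WEAK_CFG" || echo "weak sample: $? item(s) failed"
audit_sshd "$HARD_CFG" && echo "hardened sample: all items pass"
```

On a real server, pass it the output of `sshd -T` (run as root) instead of the raw file, so that settings pulled in through `Include` files are taken into account.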
