Many of you have heard about the recent attacks on WordPress sites. As Sucuri Security has documented, many hosts are experiencing a dramatic increase in brute-force attacks on their WordPress customers.
In many regards, being prepared for attacks like this is part of the responsibility that any WordPress host takes on in the day-to-day running of a business. And WP Engine has gone to great lengths to ensure that we are prepared for just such situations as this one. These attacks have been well-documented and intentional. Whoever is behind the attacks is doing a good job, and they’ve gotten attention as a result.
There are a number of bad IP addresses that are currently involved in the attacks (although these may not represent all locations from which the attacks are originating). One of our WordPress experts has folded Sucuri’s list of the addresses into an .htaccess file that you can use on your own self-hosted account, and that we want to make as widely available as possible. Naturally, WP Engine takes care of this sort of thing so our clients don’t need to upload the .htaccess file.
At this time, WP Engine customers continue to be well-protected. We’re keeping a vigilant eye on the behavior and attack patterns, and will provide updates if things do change. It’s important to always respect a coordinated effort like this. However, at the present moment, our security measures are responding as intended to the attacks and protecting your sites.
Thanks for choosing WP Engine!
Great to hear!!
Yes, notes on this posted here as well: http://goo.gl/i0ahb
Another reason to love you guys. Like anything else in life, if you want more, you have to pay more.
I haven’t noticed any slowdown with my site on WPE… you guys are on top of this ish.
Thanks!!
I put together a version that works the same way for Nginx, in case there are any fans in the audience…
https://gist.github.com/bastosmichael/5376293
Awesome. Love not having to worry about this on a Friday. Thanks WPEngine!
And this is exactly why I moved to wpengine. I was a victim of such attacks this week. My old host did their best at mitigating the issue and I commend them. But they were not prepared. Nor do they provide backups or restore points if your site is trashed.
Great job guys! When I read about the attack being so calculated I knew that having a host that was as equally prepared to handle such attacks is a huge plus. Thanks for keeping us informed, too!
We are considering adding a two-factor authentication mechanism (Duo Security) to our site.
Would this be a hassle for the WPEngine team? Do you recommend 2FA for some sites? Thanks.
My site is currently hosted elsewhere and was hit by this attack over a week ago. When I think of how this impacts business, I would much rather be paying $30 a month and still have my site up and running, versus $7 a month and have it non-functional for a week and counting. I can’t even uninstall WordPress because they’ve taken away the ability to access the site. If there is a way to migrate my domain name over to WP Engine, I’m hoping to do so. Then at least I can start over and reload my site from clean copies of my files.
Should we use the Login Lockdown plugin?
Are there any other security plugins that you WPEngine folks recommend?
Thanks, Rich Bohn