I posted this on another forum and someone suggested I ask here.
I got an email from DigitalOcean saying my droplet is doing brute-force attacks via SSH. The droplet is a virtual server (VPS).
I’m really worried this has a) caused trouble for others and b) slowed down my website.
I’m not very technical and I feel lost. I could try to shut down the droplet, but I’m worried about a) not being able to restore from backup and b) not securing it properly and having this happen again.
I’m considering moving to managed hosting. Would a service like Site Engine be able to transfer everything for me?
What should I do? Apologies for my lack of tech knowledge…
Update: Thanks to everyone who helped! Kinsta has moved the site for me, and I’ll switch to managed hosting. The compromised droplet will be shut down.
Yes, it can definitely cause issues for others, and their IP addresses might get flagged for abuse. If you’re just using the server for hosting a website, you should consider switching to shared or dedicated hosting. VPS requires you to manage firewalls and other security settings yourself, whereas with shared or dedicated hosting, someone else handles the server management for you, and you just look after your site.
It does seem like you’ve been hacked, unfortunately. While VPS can offer some flexibility, if you’re not experienced in managing servers, it can quickly become a problem.
The first step is to back up your WordPress site using a plugin like Duplicator. Also, take a snapshot of your server through DigitalOcean. It’s only a few cents per month and will help you keep your data safe if something happens. Then, find a reliable hosting provider. SiteGround is one option, but watch out for their renewal rates. Order a plan and ask them to restore your backup.
If possible, I would recommend shutting down the VPS right away to reduce the chance of DigitalOcean banning your account. If that’s not an option, at least block outgoing connections on port 25 using DigitalOcean’s firewall settings.
Have you reached out to DigitalOcean? What did they advise?
If you can, hire someone to secure your VPS. First, block all outgoing requests using the firewall in DO’s dashboard or through iptables on the droplet itself. Since you’re hosting WordPress, you can limit the firewall to only allow traffic on ports 80 and 443 (for HTTP/HTTPS). Once that’s done, start tracking down the source of the attacks and clean it out.
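The containment described in the last reply (no new outgoing connections, only web traffic allowed in), written out as an added example that is not part of the original thread. The function names, the optional admin-IP exception for SSH and the logging rule are assumptions of this example; `203.0.113.10` is a documentation placeholder address.

```shell
#!/bin/sh
# Added example: prints a containment ruleset in iptables-restore format.
# Nothing is applied here; review the output, then load it as root.

# Return 0 only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Usage: egress_lockdown_rules [ADMIN_IPV4]
# ADMIN_IPV4 is an assumption of this example: the one address still
# allowed to reach SSH (port 22) so you are not locked out of the droplet.
egress_lockdown_rules() {
  admin_ip=${1:-}
  if [ -n "$admin_ip" ] && ! valid_ipv4 "$admin_ip"; then
    echo "invalid admin IPv4 address: $admin_ip" >&2
    return 2
  fi
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
  if [ -n "$admin_ip" ]; then
    printf '%s\n' "-A INPUT -p tcp -s $admin_ip --dport 22 -j ACCEPT"
  fi
  # OUTPUT has no ACCEPT for new connections: they are logged (with the
  # owning UID, rate-limited) and then dropped by the chain policy.
  cat <<'EOF'
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix "egress-blocked: " --log-uid
COMMIT
EOF
}

# Print the ruleset only when an argument is given, e.g. sh lockdown.sh 203.0.113.10
if [ "$#" -gt 0 ]; then egress_lockdown_rules "$1"; fi
```

Pipe the output through `iptables-restore --test` to check it before loading it for real. These rules cover IPv4 only, so IPv6 needs an equivalent ip6tables ruleset.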