Anyone who has scrolled through website logs know that all kind of odd things are being thrown at servers on the Internetz daily. So, it was not a particularly surprising thing that I noticed a distinct uptick in WordPress login attempts on my self-hosted blog a few weeks back.
(I am, perhaps naively, assuming I didn’t black out, fly to Romania, Turkey, the Phillipines, and Guam and try to login from each location.)
Usually when I see these fun activities I look around the Googles and see if some new vulnerability has reared its head or just if others are reporting similar things in their logs. Until today, I have not really seen any others talking about an increase WordPress login attempts so I just kept any eye on things and let the cat roam the server room.
I still don’t see any chatter out in the world at large, but this morning I received a message from one of the hosting companies I deal with:
In an ongoing effort to make you aware of security and performance
concerns, we wanted to inform you of an ongoing event.
There is a brute-force login attack targeted at websites with
WordPress. Due to the nature of the attack, memory consumption on
targeted servers has increased. …
Good to see the hosting company being proactive and notifying – but still not a terrifically big whoop if you’ve taken some precautions with your self-hosted WordPress blog. If you use WordPress.com’s service, you might want to read this article on their 2-factor authentication feature.
For you self-hosted people, here are 3 WordPress plugins you might want to add to your arsenal, plus a more technical method of limiting who can get to your admin page:
Google Authenticator for WordPress “gives you multifactor authentication using the Google Authenticator app… The multifactor authentication requirement can be enabled on a per user basis, You could enable it for your administrator account, but login as usual with less privileged accounts.”
In short: To login, in addition to your user password you will need to enter a temporary passcode supplied an app on your phone. Neat, sweet, and simple.
“By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.”
ecSTATic WordPress Plugin “facilitates tracking visitors, monitoring the multitudes of bots and spiders, and helps block annoying comment and trackback spammers.” This plugin is a nice in-WordPress way of seeing who is visiting what and blocking by IP quickly and easily for non-technical folks.
Finally, for those on hosting plans (or rolling your own server) and are not afraid of editing a file or three, there is a very good way to limit your exposure on various pages of your site: .htaccess rules.
.htaccess files can be used in various ways that are beyond the scope of this post. However, you can find a nice simple Tutorial here. In the context of this post, I use an .htaccess file in my WordPress admin folder to specify which IP addresses can even access my admin pages. A good set of instructions can be found in the article Protect Your Admin folder in WordPress by Limiting Access in .htaccess.
The short version, assuming you have access to graphical tools on your web hosting provider:
1. Determine the IP Addresses of the places you’ll most likely access your WordPress admin pages from. Home, work, mobile, all the Paneras with free Wifi in your town. (NO. no. That last one was a joke. Do not.) I like to use utrace to look up IP addresses. I also like birds.
2. Login to your Cpanel (or other) admin page on your hosting provider. (Not the same as your WordPress admin. If you have no idea what I’m talking about, this last tip is not for you. Sorry.)
2. Using the Cpanel File Manager go to your WordPress install’s wp-admin folder. Edit .htaccess (or add one if it doesn’t exist) to include something like this:
order deny,allow deny from all # whitelist Home IP address for WordPress Admin Page allow from xx.xx.xx.xxx # whitelist Work IP address for WordPress Admin Page allow from xx.xx.xx.xxx
For more detail on .htaccess syntax, see the linked tutorial above.
The “deny all” line denies access to admin pages by default. So, unless an IP address is specifically allowed using an “allow from…” line, they can’t even see those pages. Once you’ve done this, you’ll have cut all the pesky anklebiters off from having an easier chance of gaining admin access. Unless the anklebiter lives in your house, then you’ve got other issues to deal with.
If you go on vacation – just look up the IP address of the place you are in and add that to the .htaccess temporarily if you need to.
Always remember to use secure connections, folks. and to pack an extra pair of socks.