Anyone who has scrolled through website logs know that all kind of odd things are being thrown at servers on the Internetz daily. So, it was not a particularly surprising thing that I noticed a distinct uptick in WordPress login attempts on my self-hosted blog a few weeks back.

(I am, perhaps naively, assuming I didn’t black out, fly to Romania, Turkey, the Phillipines, and Guam and try to login from each location.)

Usually when I see these fun activities I look around the Googles and see if some new vulnerability has reared its head or just if others are reporting similar things in their logs. Until today, I have not really seen any others talking about an increase WordPress login attempts so I just kept any eye on things and let the cat roam the server room.

I still don’t see any chatter out in the world at large, but this morning I received a message from one of the hosting companies I deal with:

In an ongoing effort to make you aware of security and performance
concerns, we wanted to inform you of an ongoing event.

There is a brute-force login attack targeted at websites with
WordPress. Due to the nature of the attack, memory consumption on
targeted servers has increased. …

Good to see the hosting company being proactive and notifying – but still not a terrifically big whoop if you’ve taken some precautions with your self-hosted WordPress blog. If you use WordPress.com’s service, you might want to read this article on their 2-factor authentication feature.

For you self-hosted people, here are 3 WordPress plugins you might want to add to your arsenal, plus a more technical method of limiting who can get to your admin page:

Google Authenticator for WordPressGoogle Authenticator for WordPress “gives you multifactor authentication using the Google Authenticator app… The multifactor authentication requirement can be enabled on a per user basis, You could enable it for your administrator account, but login as usual with less privileged accounts.”

In short: To login, in addition to your user password you will need to enter a temporary passcode supplied an app on your phone. Neat, sweet, and simple.

Limit Login Attempts PluginLimit Login Attempts

“By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.”

Ecstatic WordPress PluginecSTATic WordPress Plugin “facilitates tracking visitors, monitoring the multitudes of bots and spiders, and helps block annoying comment and trackback spammers.” This plugin is a nice in-WordPress way of seeing who is visiting what and blocking by IP quickly and easily for non-technical folks.

Finally, for those on hosting plans (or rolling your own server) and are not afraid of editing a file or three, there is a very good way to limit your exposure on various pages of your site: .htaccess rules.

.htaccess files can be used in various ways that are beyond the scope of this post. However, you can find a nice simple Tutorial here. In the context of this post, I use an .htaccess file in my WordPress admin folder to specify which IP addresses can even access my admin pages. A good set of instructions can be found in the article Protect Your Admin folder in WordPress by Limiting Access in .htaccess.

The short version, assuming you have access to graphical tools on your web hosting provider:

1. Determine the IP Addresses of the places you’ll most likely access your WordPress admin pages from. Home, work, mobile, all the Paneras with free Wifi in your town. (NO. no. That last one was a joke. Do not.) I like to use utrace to look up IP addresses. I also like birds.

2. Login to your Cpanel (or other) admin page on your hosting provider. (Not the same as your WordPress admin. If you have no idea what I’m talking about, this last tip is not for you. Sorry.)

2. Using the Cpanel File Manager go to your WordPress install’s wp-admin folder. Edit .htaccess (or add one if it doesn’t exist) to include something like this:

order deny,allow
deny from all
# whitelist Home IP address for WordPress Admin Page
allow from xx.xx.xx.xxx
# whitelist Work IP address for WordPress Admin Page
allow from xx.xx.xx.xxx

For more detail on .htaccess syntax, see the linked tutorial above.

The “deny all” line denies access to admin pages by default. So, unless an IP address is specifically allowed using an “allow from…” line,  they can’t even see those pages. Once you’ve done this, you’ll have cut all the pesky anklebiters off from having an easier chance of gaining admin access. Unless the anklebiter lives in your house, then you’ve got other issues to deal with.

If you go on vacation – just look up the IP address of the place you are in and add that to the .htaccess temporarily if you need to.

Always remember to use secure connections, folks. and to pack an extra pair of socks.


  • avatar

    Comment by John — April 10, 2013 @ 1:33 pm

    Commenting on my own post BECAUSE I CAN. Afterthought: I did not mention this, but assume everyone with a self-hosted WordPress site uses Akismet for spam handling. Does a wonderful job.

    I find the ecStatic plugin a nice additional tool for the statistics and ip address blacklisting – but Akismet does the heavy lifting for spam blocking.

    By the way, right as I hit publish on this blog post the WordPress login attempt chatter exploded. Not sure if it was going on the whole time I noticed it (a few weeks at least) and the mediasphere just got wind of it, or I saw some precursor of the current brute force attacks. In any case: use them login plugins to limit and strengthen access!

  • avatar

    Comment by Mike Soja — April 29, 2013 @ 11:35 am

    Hey, thanks for the unsolicited (ecSTATic) plug, which I just noticed because someone must have clicked the link. I think that’s a first for me. Real fame. Thanks.

    And, yeah, attempted Logins are through the roof on some of the blogs I watch. The great thing I’ve noticed is that 99% of them are using the same User Agent: “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”, which is very easy to block, either with my plugin, or by other means. I block all IE 5.x and IE 6.x anyway as the civilized world has largely upgraded and those old versions really are almost all ne’erdowells, so I didn’t have to do much on this round of annoyances. I also block on the “SV1” string, which I believe used to mean “McAfee AntiVirus Safe Internet Browsing Browser” or something, but which people objected to for reasons that I’ve forgotten, and was withdrawn (I believe), but is now flown by the aforementioned spammers/hacktivists as a small token of some ostensible legitimacy.

    My plugin also monitors login attempts, and will block users after X number of fails. It will also catch large series of very fast hits and block those after a certain number.

    Again, thanks for the plug. I just may have to grab a screenshot. 😉

    Nice looking site. That background looks exactly like the floor in this room.

  • avatar

    Comment by John — April 29, 2013 @ 11:44 am

    Hey Mike, you’re welcome!

    My thanks to you for the plugin. I’m liking the new Google charts you’ve added. I have to play around with that chart API a bit one of these days.

  • avatar

    Comment by Mike Soja — April 29, 2013 @ 5:56 pm

    Glad you like the plugin, John, and the new charts. I’m working on new ones, and keep rewriting the functions as I learn new parts of what the chart API does. Learned quite a bit the last few days. I played around with their Map API a few years ago, and that helped the learning curve with the charts, but Google now has what they call the “playground”, where one can edit chart code online and run it in a window for immediate feedback, which is a big help. And at least one of the guys moderating the chart forum is a real whiz at helping people. I don’t think I’ve ever seen such an able expert working like that before. He even answered a question I had this last Saturday night.

    Looking around your site has me regretting not knowing more about my ancestors. The Soja half of my family came from Poland sometime in the early part of last century and settled in Chicago, where my dad was born, but he sort of didn’t want anything to do with them after he left home, and so we had very little contact, and if Pops knew anything about our lineage he never shared it. I never even met his bother and sister. And now, all are gone.

    The other half were of German extraction, though I don’t know much there either, other than my grandfather was born in a sod hut in North Dakota in 1905 or so. He eventually moved to California, where he eventually met my grandmother, whose family probably started in CA in the mid-1800s. Reportedly, my grandmother was just an infant when her father took the horse and buggy north from Los Angeles to see if he could help in the aftermath of the ‘Frisco earthquake. And then there’s that not-to-be-spoken-aloud thing. Was my grandmother Jewish? She may have been, but covered up that past so as to not negatively affect my grandfather’s career? Can you imagine? Supposedly, my father was informed of the fact on the day before he wed my mother, possibly in the hopes that he would, I don’t know, run away. He didn’t, but there was a family tension there for years. Grandma’s last name was Strauss, if that means anything. We grandkids think it’s rather funny, but we do wish we knew more.

    Anyway, I’m rambling. Thanks again for the link.

  • avatar

    Pingback by Linky Linky — Kayak2U Blog — April 30, 2013 @ 3:22 am

    […] John Tierney, who I think is the first ever to post a review (and positive, at that) of my very own WordPress plugin (ecSTATic) which I've been working […]

  • avatar

    Comment by John — April 30, 2013 @ 11:42 am


    I started reading through some Google Maps API and Hacks books a couple of years ago, planning to try mapping out Tierneys in city directories and looking for patterns. I think the theory-focus of the books kept me from getting too far, so having a playground to hack away at will probably get me farther. I’m usually better at build it, break it, fix it. I need to get back on that project.

    Sounds like you have a decent amount of family info to jump start your own research! Those kinds of family stories are great – often need to be taken with a grain of salt in terms of when it comes to them being completely accurate for research, but they do often have at least grains of truth that can get you somewhere.

    I have not done any Polish research but I see there are some Polish records out on Familysearch. I’ve only lightly touched on my wife’s German side – have a long way to go there. (Having enough trouble working my family’s Czech records in that language.)

    Familysearch is a great place to get started, and it is free! Local libraries also often offer access to Ancestry’s Library Edition, so that’s another way to get started without spending money first.

    But, before Poland you’ll probably want to work your way back to your family in Chicago and CA and find as many records there as you can. That’s the best chance you’ll have of finding town names back where they came from. (Especially when you are looking for people who came over pre-Ellis Island.)

    We had some of the same family issues, as many people do I’d guess. We grew up not knowing my Dad’s half siblings, but happily I’ve been able to reconnect with cousins descended from them over the last few years.

    Be warned: if you have the inclination, genealogy (and the history connected to it) will pull you in. 😉

    Let me know if I can offer any pointers if you get into it! You can always reach me directly using the email “john” @ my domain.

  • avatar

    Comment by Mike Soja — May 1, 2013 @ 10:44 pm

    Hi, John,

    I don’t know how the Google Map API sits now; it’s been more than five years since I had a look. But there are so many people working on it… if you look around you might find a site that will let you build and save maps just by clicking where you want a marker to be with relevant info attached, etc. Or even for WordPress, there are Google Maps v3 Shortcode and MapPress Easy Google Maps (both of which I’ve used, but can’t speak to suitability for you), and many others.

    Thanks for the link to the Poland related site. I’ll have a look at it. My sister has been to Poland, but I don’t recall if she chatted up any of the family that might be there.

    I wonder, family wise, about things like how successful kin in other places are. The immediate family counts itself as doing pretty well (knock on wood) in the great melee, so do other Sojas consider their lot in like regards?

    Of course, each of our families is still here, after millennia, so we’re all a cut above, right?

  • avatar

    Comment by Mike Soja — May 1, 2013 @ 11:03 pm

    Well, I just found my grandfather.

    There’s my grandmother, my dad’s brother, and his sister, but no my dad. Hmmm.

    I think I’m hooked already.

  • avatar

    Comment by Mike Soja — May 1, 2013 @ 11:08 pm

    Of course my dad’s not there, he wasn’t born until late 1930.

  • avatar

    Comment by Mike Soja — May 1, 2013 @ 11:21 pm

    One more: My wife just freaked because she found our her dad’s name was John Thomas, when he always said it was Thomas and that he didn’t have a middle name. And a sibling back there no one has ever mentioned.

  • avatar

    Comment by John — May 2, 2013 @ 11:06 am

    Ha! You’re done. Might as well get a genealogy tattoo now. 😉

    One thing people need to go into family research knowing is: the unexpected will appear, so be ready for it! Names could be pretty fluid back in the day. My great uncle shows up with all sorts of combinations of his first and middle names. Threw us for a loop for a long time since he had no kids, never married and died young and we had almost no knowledge of him.

    Were you able to download the 1930 census for your grandfather and family? I put a copy of it and the 1920 census on Box.com if you don’t have it:

    Casper is in Indiana in 1940 census, divorced with kids Romuald M and Lydia:

    Anna Soja and son Roger are in Chicago in 1940:

    In their 1920 census – looks like the enumerator made an error and wrote down “Na” for naturalized for Casper, then wrote “Al” above the 1910 for Alien. These kinds of things happen on censuses.

    That census says he came over to the US in 1913, but nothing obvious with his name at Ellis Island (if he came through there.) Polish names could easily be simplified once in the US, so you might have to use the original Polish spelling or think of crazy variations to find him in case there are transcription errors or was written down differently on the European side of the emigration.

    Excellent tools to be found for this at Stevemorse.org.
    For example, below is a search using his Ellis Island Gold Form to search for all names that sound like “Soja” for someone born between 1895-1897 and came over between 1912-1914:

    (You’ll see it links to jewishgen.org – that group, the Italian and Genealogy groups all work together on various tools, so you don’t need to be one of those nationalities for their sites to be useful.)

    You can try the Bremen side emigration records on this site (in german):

    Bunch of records pop up using the simple search of his name on Familysearch – cool for you! http://ow.ly/kDNmM

    Naturalization index record for a Kasper Soja matches the street name of Giddings Street in the 1940 census for Anna and Roger:

    Doesn’t look like the full naturalization documents are online, but you can order them from the Cook Circuit Court:

    OK, you got me started and I need to stop. Let me know if you find anything interesting!

  • avatar

    Comment by John — July 19, 2013 @ 12:05 pm

    Locking this post down for comments as the sp#mmers have taken too much of a liking to it – will open up again later if the scripts give up on it.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.