Brute Force Attacks On WordPress Users
Monday, 7 April 2014
Over the past few weeks our system administrators have detected an unusually high amount of traffic towards WordPress login pages.
We have analyzed the traffic and have come to the conclusion that it is part of a massive, global brute force attack against WordPress sites.
Unlike attacks that exploit a vulnerability in the software, a brute force attack is the simplest possible way to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', it is very successful when people use passwords like '123456' and usernames like 'admin'.
They are, in short, an attack on the weakest link in any website's security: You.
Due to the nature of these attacks, you may find your server's memory usage goes through the roof, causing performance problems. Every login attempt is an HTTP POST to wp-login.php that occupies a PHP worker, loads WordPress and queries the database, so when the number of requests is high enough the server simply runs out of memory, even if the attacker never guesses a valid password.
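As an added example (not part of the original post, and not a Thexyz tool), the POSIX shell script below shows how to spot the pattern our administrators saw in an Apache combined-format access log, and how to turn the offenders into a block rule for wp-login.php. The log lines, IP addresses and the attempt threshold are constructed for illustration; the one WordPress-specific assumption is that a failed login re-renders the form with HTTP 200, while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example: detect WordPress login brute-forcing in an Apache access log.
# Constructed sample lines in Apache combined format; not real traffic.
# 198.51.100.7 and 192.0.2.44 hammer wp-login.php; 203.0.113.10 logs in once.
SAMPLE_LOG='203.0.113.10 - - [07/Apr/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Apr/2014:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Apr/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Apr/2014:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [07/Apr/2014:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "-"
192.0.2.44 - - [07/Apr/2014:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "-"
192.0.2.44 - - [07/Apr/2014:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3417 "-" "-"'

# Read a log on stdin and print "<failed attempts> <client ip>", busiest first.
# Combined-format fields: $1 client, $6 "METHOD, $7 path, $9 status.
# A failed WordPress login is a POST to wp-login.php answered with 200 (the
# form is shown again); a successful one is a 302 redirect, so it is not counted.
failed_login_counts() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print, one per line, the client IPs with at least $1 failed attempts.
brute_force_ips() {
  failed_login_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Render the offenders as an Apache 2.2 deny list for wp-login.php, for the
# site-root .htaccess (wp-login.php is not inside /wp-admin/, so an IP rule
# placed there does not see these requests).
deny_fragment() {
  echo '<Files wp-login.php>'
  echo 'order allow,deny'
  echo 'allow from all'
  brute_force_ips "$1" | sed 's/^/deny from /'
  echo '</Files>'
}

# Usage on the constructed sample: flag anyone with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | deny_fragment 3
```

On a live server replace the sample with `tail -n 5000 /var/log/apache2/access.log | deny_fragment 20` and review the list before applying it; the same counting logic is what tools such as fail2ban automate with a time window and automatic expiry.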
This sort of attack is not specific to WordPress; it happens to every web application out there, but WordPress is popular and is thus a frequent target.
As such we would like to offer you a few very simple tricks to protect your WordPress site:
Limit Access to wp-admin by IP
If you are the only person who needs to log in to your admin area and you have a fixed IP address, you can deny wp-admin access to everyone but yourself with an .htaccess file placed inside the /wp-admin/ directory (not in the site root, or the rule would lock visitors out of the whole site).
Create a plain-text file named .htaccess in /wp-admin/, or edit the existing one (if any), and add:
# Block access to wp-admin (Apache 2.2 syntax).
order deny,allow
deny from all
allow from x.x.x.x
Where x.x.x.x is your IP address. You can whitelist several addresses by repeating the line allow from x.x.x.x once per IP. Two caveats: wp-login.php lives in the site root, not in /wp-admin/, so this rule does not stop the login attempts themselves (a <Files wp-login.php> block in the root .htaccess is needed for that), and some themes and plugins call /wp-admin/admin-ajax.php from public pages, so you may need to exempt that file. On Apache 2.4 the equivalent directive is Require ip x.x.x.x.
Password Protect /wp-admin folder
You can easily password protect your /wp-admin folder via your hosting control panel: Advanced -> Password Protection
1. Select your host, i.e. the website where WordPress is installed.
2. Browse the path to the /wp-admin folder and select it.
3. Enter the username and password you want to use and hit PPA.
This adds a second, separate credential in front of the dashboard, so a guessed WordPress password alone is no longer enough. As with the IP rule, the protection covers the /wp-admin folder only, not wp-login.php in the site root, and it also covers /wp-admin/admin-ajax.php, which some themes and plugins need from public pages; exempt that file if your site breaks.
Update your robots.txt file
Add lines to your robots.txt file (or create one) that disallow crawling of the /wp-admin folder and the login page.
This keeps those URLs out of the search engines' indexes. Brute force attackers build their target lists with search queries such as intitle: Log In and inurl: wp-login, so a site that is not indexed under those terms is less likely to end up on the list. This is a long-term measure, since it takes a few months for the search engines to refresh their index, and it only reduces how easily your login page is found: robots.txt is advisory, attackers do not honour it, and wp-login.php sits at the same predictable path on every WordPress site, so it must be combined with the measures above rather than relied on alone.
Our partners at TweakDorks also have an affordable WordPress security hardening service here.