Monday, 7 April 2014

Over the past few weeks our system administrators have detected an unusually high volume of traffic towards WordPress login pages (wp-login.php).

We have analyzed the traffic and have concluded that it is part of a massive, global brute-force attack against WordPress sites.

Unlike attacks that exploit a vulnerability in the software, a brute-force attack is the simplest possible way to get into a site: it tries usernames and passwords, over and over again, until one works. Often dismissed as 'inelegant', it is very effective against sites whose users pick passwords like '123456' and usernames like 'admin'.

They are, in short, an attack on the weakest link in any website's security: You.

Due to the nature of these attacks, you may find that your server's memory use goes through the roof, causing performance problems. Every login attempt is an HTTP POST to wp-login.php, and each one makes PHP load the whole of WordPress and hash the submitted password; at thousands of attempts per minute that is enough to exhaust the server's memory and PHP workers, so the site slows down or goes offline even when no password is ever guessed.
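This is what the attack looks like in the web server's own access log, and how to pick the offending sources out of it. The script below is an added example and not part of the original post: it parses Apache combined-format log lines, counts failed logins per source address (a failed POST to wp-login.php is answered with the login form again, HTTP 200, while a successful one is a 302 redirect into wp-admin), and flags any address that exceeds a threshold inside a sliding one-minute window. The log lines, addresses (RFC 5737 documentation ranges) and threshold are constructed for the example; the function and variable names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line (sample data, not a real log)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


# Constructed sample: one source firing twelve login POSTs in twelve seconds,
# a legitimate admin who logs in once (302 on success), and an ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.23", f"07/Apr/2014:10:00:{s:02d} +0000", "POST", "/wp-login.php", 200)
     for s in range(1, 13)]
    + [
        _line("203.0.113.5", "07/Apr/2014:10:00:05 +0000", "GET", "/wp-login.php", 200),
        _line("203.0.113.5", "07/Apr/2014:10:00:09 +0000", "POST", "/wp-login.php", 302),
        _line("203.0.113.5", "07/Apr/2014:10:00:10 +0000", "GET", "/wp-admin/", 200),
        _line("192.0.2.44", "07/Apr/2014:10:00:11 +0000", "GET", "/", 200),
    ]
)


def parse(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def failed_logins(log_text):
    """Timestamps of failed login attempts, grouped by source IP.

    A POST to wp-login.php that fails is answered with the login form again
    (HTTP 200); a successful login is a 302 redirect into wp-admin.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            hits[rec["ip"]].append(rec["time"])
    return hits


def brute_force_sources(log_text, threshold=10, window=timedelta(minutes=1)):
    """IPs that made at least `threshold` failed logins inside any `window`.

    Returns {ip: peak attempts seen in one window}. Uses a sliding window over
    the sorted timestamps; a slow-and-steady source stays under the threshold,
    so tune threshold/window to your site's real login rate.
    """
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def deny_directives(flagged):
    """Apache 2.2 'deny from' lines for the flagged sources, ready for an .htaccess."""
    return [f"deny from {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    offenders = brute_force_sources(SAMPLE_LOG)
    for ip, n in offenders.items():
        print(f"{ip}: {n} failed logins within one minute")
    print("\n".join(deny_directives(offenders)))
```

Run against a real log with something like `brute_force_sources(open("/var/log/apache2/access.log").read())`; the admin who logged in successfully is never flagged, because only 200 responses to login POSTs are counted.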

This sort of attack is not unique to WordPress; every web application with a login page sees it, but WordPress is popular and thus a frequent target.

As such we would like to offer you a few very simple ways to protect your WordPress site:

Limit Access to wp-admin by IP

If you are the only person who needs to log in to your admin area and you have a fixed IP address, you can deny access to wp-admin to everyone but yourself via an .htaccess file.

Create a plain-text file called .htaccess inside the wp-admin directory (or edit the existing one, if there is one) and add:

# Block access to wp-admin.
order deny,allow
allow from x.x.x.x
deny from all

Where x.x.x.x is your IP address. To whitelist several addresses, repeat the allow from x.x.x.x line once per address. Three things to know before relying on this: the rule must sit in wp-admin/.htaccess (in the site root it would block the whole site); the login form itself, wp-login.php, lives in the site root rather than in wp-admin, so the brute-force POSTs still reach PHP unless you also wrap wp-login.php in the same directives with a <Files wp-login.php> section in the root .htaccess; and wp-admin/admin-ajax.php is used by some themes and plugins for anonymous visitors, so blocking the whole directory can break front-end features. The directives above are Apache 2.2 syntax; on Apache 2.4 the same whitelist is written as Require ip x.x.x.x.
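Because a mistake in those three lines either locks you out of your own admin area or, worse, locks nobody out, it is worth checking the rule before relying on it. The script below is an added example, not code from the original post: it models how Apache 2.2 combines Order, Allow from and Deny from, with the documentation address 203.0.113.5 standing in for x.x.x.x, and shows that reversing the order to 'order allow,deny' denies everyone, including you. It understands only the keyword all, single addresses and CIDR prefixes (not Apache's partial-address or hostname forms), and the function names are the example's own; it is a model for checking the logic, not a substitute for testing on the server.

```python
import ipaddress

# The whitelist from the post, with a documentation address in place of x.x.x.x.
WP_ADMIN_HTACCESS = """\
# Block access to wp-admin.
order deny,allow
allow from 203.0.113.5
deny from all
"""

# Same directives with the order reversed: a common mistake that locks everyone out,
# because with Allow,Deny the Deny directives are evaluated last and win.
LOCKED_OUT_HTACCESS = """\
order allow,deny
allow from 203.0.113.5
deny from all
"""


def _covers(rule, client):
    """Does one 'from' argument ('all', an address or a CIDR prefix) match the client?"""
    if rule.lower() == "all":
        return True
    return client in ipaddress.ip_network(rule, strict=False)


def is_allowed(htaccess, client_ip):
    """Return True if the Apache 2.2 host access rules in `htaccess` admit `client_ip`."""
    client = ipaddress.ip_address(client_ip)
    order = ["deny", "allow"]  # Apache's default when no Order directive is present
    allow_hit = deny_hit = False
    for raw in htaccess.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, _, args = line.partition(" ")
        directive, args = directive.lower(), args.strip()
        if directive == "order":
            order = [p.strip().lower() for p in args.split(",")]
        elif directive in ("allow", "deny"):
            # Syntax is "allow from <host> [<host> ...]" / "deny from <host> [<host> ...]"
            if not args.lower().startswith("from "):
                raise ValueError("expected 'from' in: " + line)
            hit = any(_covers(r, client) for r in args[5:].split())
            if directive == "allow":
                allow_hit = allow_hit or hit
            else:
                deny_hit = deny_hit or hit
    if order == ["deny", "allow"]:
        # Deny evaluated first, Allow last and wins; a client matching neither is allowed.
        return allow_hit or not deny_hit
    if order == ["allow", "deny"]:
        # Allow evaluated first, Deny last and wins; a client matching neither is denied.
        return allow_hit and not deny_hit
    raise ValueError("unsupported Order: " + ",".join(order))


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7"):
        print(ip,
              "post's rule:", is_allowed(WP_ADMIN_HTACCESS, ip),
              "reversed order:", is_allowed(LOCKED_OUT_HTACCESS, ip))
```

The post's snippet admits only the whitelisted address; with the order reversed the same allow line is overridden by deny from all and even 203.0.113.5 gets a 403.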

Password Protect /wp-admin folder

You can easily password-protect your /wp-admin folder via your hosting control panel: Advanced -> Password Protection
1. Select your host, i.e. the website where WordPress is installed.
2. Browse to the /wp-admin folder and select it.
3. Enter the username and password you want to use and hit PPA.

This puts HTTP basic authentication in front of the folder, so requests from anyone who does not have the second password are rejected by the web server before WordPress (and PHP) is ever loaded, which is what takes the load off the server. As with the IP restriction, remember that the login form itself, wp-login.php, lives in the site root rather than in /wp-admin, so protect that file as well where your control panel allows it.

Update your robots.txt file

Add the following lines in your robots.txt file or create a file named robots.txt with the following content:

User-agent: *
Disallow: /wp-admin
Disallow: /wp-login.php
Disallow: /administrator

This tells well-behaved search engine crawlers not to index those URLs. Attackers harvest lists of targets from the major search engines with queries such as intitle:"Log In" inurl:wp-login, so keeping your login page out of the index makes your site less likely to end up on such a list (the /administrator line covers Joomla installations on the same host and is harmless on WordPress). It is a long-term measure only: search engines take weeks or months to drop pages they have already indexed, robots.txt is advisory and is ignored by the attack tools themselves, and it does nothing against an attacker who already has your site's address or who scans IP ranges directly. Treat it as a complement to the IP restriction or password protection above, not as a replacement.

Our partners at TweakDorks also have an affordable WordPress security hardening service here.

