WordPress at Risk from New Automatic, Distributed Attack – A Few Tactics for Prevention
The web’s been a bit of a buzz today regarding a report from the Internet Storm Center which detailed a new method of attack on WordPress sites. Whilst this is a new take on an old trick, a simple brute force attack (where multiple passwords are attempted until one works), the delivery mechanism is causing people to sit up and take notice. This new attack allows the perpetrators to attack multiple sites simultaneously and intelligently.
The attack script appears to connect to a database which stores passwords that have been successfully discovered using the tool. This, over time, will allow it to isolate patterns, spot trends and generally go about its attack in a more clinical and successful manner. Going hand in hand with this potential intelligence (and it’s hard to say just how intelligent this script is without seeing it) is the scale at which these attacks could be carried out and the distributed nature of them.
There are, however, some simple tips you can follow to reduce the risk posed by attacks like this.
Don’t Use the “admin” User
I’m going to go out on limb and assume that this script attacks the site’s “admin” user – the user account automatically created when WordPress is installed that automatically gets granted full rights. If this is true (it’s been true of many similar attacks in the past) and easy way to reduce the risk of becoming a victim of such an attack would be to remove, disable or lower the privilege of the admin account.
To do this, click on Users, then Authors & Users and then click on Edit next to your admin user. I recommend changing the role to “Subscriber“, which basically gives them no rights. Have a look at this codex entry for more information on user roles.
Restrict Access to Admin Functionality
If you always access your WordPress site from the same location (physical location) then a viable tactic is to restrict access to your administration functionality to users from certain IP addresses. Fortunately, this is fairly trivial to do. The first step is to find out your IP address. This can be done a variety of ways, the easiest being a web service such as What is My IP?, which is free and quick. Once you’ve got your IP address, you’ll need to create a small text file on your server, called a htaccess file, that restricts access to this IP address.
Create a blank text file on your computer and paste the following text into it:
Order Deny,Allow Deny from all Allow from x
Replace the “x” with your IP address and save the file as .htaccess. No, that’s not a typo, it’s .htaccess. Note that if you’re on a Mac you’ll need to turn on hidden files because every file on a mac who’s filename begins with a period gets hidden from view. See this post from LifeHacker on how to display hidden files in OSX (it’s really not complicated). Once you’ve done that, fire up your FTP program of choice (Transmit, before you ask) and upload the .htaccess file you’ve just created to the wp-admin folder on the server.
You can read some additional information on .htaccess files here. .htaccess files only work with the Apache web server platform. If you use a different platform, such as Microsoft’s IIS, you’ll need to follow the appropriate instructions for that platform.
A word of warning. Using this technique is dangerous. It’s a bit like using a sledgehammer to crack a nut. If your IP address changes at some point in the future, which happens regularly with most home ADSL connections, or you need to access your site from a different location (when on the move, in a hotel or airport etc), you’re out of luck. The only way around this is to change or remove the .htaccess file. An alternative would be to add additional IP addresses to your white list. To do this, just copy the line beginning “Allow from” and add a new IP address.
Use A Plugin
The third option, which is less involved than manually adding a new .htaccess file is to use a plugin. One such plugin is called Login Lockdown and is described by the developer as such:
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.
This particular plugin, and there are many alternatives, uses login attempts from IP addresses to detect potential intrusions. It takes a more conservative approach than a defaults to blocking .htaccess file and is configurable. This configuration, in theory, allows you to make the blocking more aggressive should you feel the need or less aggressive if it’s causing you issues. Despite this level of configuration, using a plugin does result in a lack of control which means you can get caught flat footed should the type of attack change (for example, if the IP addresses of the attack machines keep changing). For most users though, this reflects an acceptable compromise.
What tips do you have for securing your blogs against attacks like these? Let us know in the comments.
Comment Policy
Comments which contain links will be held for moderation. Please do not resubmit a comment if it does not immediately appear, it has likely been caught by our spam prevention system - it will be approved as quickly as possible.
By commenting here, you are granting us license to publish the content of your comment, and acknowledge that the authors of this website do not have a duty to modify or withdraw posts, but that we may do so if we choose, for any reason.
Please keep the discussion friendly. Offensive comments, comments which exhibit overt discrimination, comments which contain excessive profanity or racism will be removed without notice or warning. I also reserve the right to edit comments, but will not alter the meaning of any comment posted. Have fun, and be nice. kthxbye