WordPress Security Recommendations - Brute Force Attacks

Started by Jason, August 14, 2013, 08:41:23 PM


Jason

It's come to my attention that there are a significant number of serious WordPress brute-force hack attempts going on in the wild. 

To simplify what's happening -- people are using botnets (networks of compromised computers) to attempt to try passwords over and over until they break into WordPress installs.  In some cases, they have literally many thousands of computers trying passwords almost simultaneously.   We've seen some of these larger attempts in the last few weeks and they can literally consume all server resources within mere minutes, causing the server to crash.  This is due to how the attackers attempt to log in -- when they try a fake login, they consume a MySQL connection, and hundreds/thousands of these in a focused attempt overwhelm what a server can handle, causing it to crash.

We're working on implementing some server-level techniques but we need your help to combat this growing trend.

Recommendations:

First steps:
1. Ensure you're running the latest version of WordPress, plugins and themes.  WordPress makes it easy to upgrade itself, its plugins and themes.   The most common instances where I see accounts compromised occur when these things aren't kept up to date.  If you install WordPress, make sure to log in every few weeks and run any upgrades it recommends.  (Of course, make sure you back up your site first).

2. Ensure that your WP logins have COMPLEX passwords.  I would recommend changing them regularly just in case.  Just to be clear, here is what a complex password looks like:  Z;nzs/;*G;*8L6;   

If your passwords don't look like this, it's unfortunately time to start looking into this.  Technology today makes it very easy to break/steal passwords and if you use a simple one, it's almost as if you're not using one at all.  And if you use the same password on multiple sites, you should consider your password stolen there too.   If I can only pass along one useful point in this post it's this -- use *different* passwords that are *complex* for every website you log in to online.  I recommend using a password organizer. There are lots of them available and they allow you to remember one main password so you can log in to the tool and then you can store as many passwords there as you need.  I personally recommend www.keepass.info.  It's free.

3. Also, check the WP users to make sure there aren't any new accounts there that you don't recognize. This could be a sign that someone else has access to your account.

Second steps:
1. Don't use "admin" as your login.
2. Use very complex passwords.
3. Password protect your wp-admin login page using cPanel.
4. If you only use specific computers for editing your site, use .htaccess rules to only allow your IP address range.
5. Deny access to no-referrer requests.
6. Rename your wp-admin folder to something random.

Some of the steps above are more complex than others but they are ways you can spend a little bit of time to avoid a significant headache later. 

VERY USEFUL reading:

http://codex.wordpress.org/Brute_Force_Attacks

There will likely be more to come but please feel free to post questions or comments here.  The more we discuss it, the better we all become educated about ways to add extra security to our sites.

Thanks,
Jason
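As an added illustration of "second steps" 3, 4 and 5 (this is example configuration written for this thread, not Jason's or the hosting company's own rules): one .htaccess fragment for the WordPress document root that puts HTTP Basic authentication in front of wp-login.php, limits that script to one address range, and refuses login POSTs that arrive without the site's own Referer. It assumes Apache 2.2-style access control (Order/Allow/Deny) with mod_rewrite enabled, a site at example.com, an editing range of 203.0.113.0/24 and a password file at /home/EXAMPLE_USER/.htpasswds/wp-login; all of those are placeholders to replace.

```apache
# Added example for this thread, not from the original post.
# Placeholders: example.com, 203.0.113.0/24, /home/EXAMPLE_USER/.htpasswds/wp-login

# Step 3: HTTP Basic authentication in front of the login script.
# Create the password file OUTSIDE the web root first, e.g.:
#   htpasswd -c /home/EXAMPLE_USER/.htpasswds/wp-login editor
# cPanel's "Password Protect Directories" produces the same kind of block.
<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile /home/EXAMPLE_USER/.htpasswds/wp-login
    Require valid-user

    # Step 4: additionally restrict the login script to a known address range.
    # With Order Deny,Allow the Allow lines win, so everything is denied
    # except the listed range.
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24

    # Satisfy All (the default, stated here for clarity) means a client must
    # pass BOTH the address check and the password check.
    Satisfy All
</Files>

# Step 5: drop POSTs to the login script that carry no Referer, or a Referer
# from some other host. A browser submitting the real login form sends the
# site's own URL; most bulk login scripts send nothing at all.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-login\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule .* - [F,L]
```

Two checks worth doing before relying on this: keep a second browser logged in (or cPanel/FTP access handy) while you test, so a typo in the address range or the password file path does not lock you out of your own site, and bear in mind that step 5 only removes the noisy, careless traffic, since a Referer header is trivially supplied by anyone who cares to; the password and address checks are what actually close the door.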

Mark

A couple more tips here:

1. Absolutely do not, under any circumstances, even think about, ponder if it's easier to, or even attempt to use the same password you've used for your cPanel account or the MySQL account you've created for your WP install (nor should you use either of those two interchangeably) as your WP account password.

2. Setup your WordPress install to display your name or nickname and not your username for posts. That can be done under your profile if you're using the latest version of WP (as you should be) and has been a feature for some time. If you've not filled out those fields in your profile, do so at once and change it!

3. As of a few versions back, when you install WP you're allowed to specify a username (which should never be admin), however in old versions of WP it defaulted to admin. If you're in this boat, or you went ahead and used admin in a newer version, you can change it using the Admin Renamer Extended plugin mentioned in the WP article Jason linked above.

4. Finally, and above all else, as Jason stated and it can't be said enough, use complex and unique passwords for everything you do!

Jason

Thanks Mark!  Solid suggestions.

To add to your password utility comment -- Keepass.info does have a portable option.  You can set it up on a flash drive without having to "install it" per se.  I have it set up like this on multiple computers (including my Android phone) and then I just move the password file to them whenever I update it.  Even easier, I have a flash drive on my keychain which is never out of my reach that I can plug in to any computer and have full access to my passwords. 

Ultimately, the point is that I don't even know my passwords -- I have probably several hundred of them that are all very complex.  I just need one main password to log in to my password tool to access them.  Worst case, if I lose something, I can always reset it, but the important thing is that they're all different and they're all complex.

Mark

Oh! Well, never mind then. Why pay for one when you can support open source! Also didn't notice there was an Android option. :)

That being said, that sounds a lot better than syncing via Dropbox as well. No need to have a password DB "all up in the cloud".

And I just read that WordPress article you linked, there's a plugin to change your username, so I'll adjust my post as such. Probably much much safer.

CountryLady

Jason, Thanks for the fantastic description of what we can do to keep our sites protected.
Mark's suggestions are very helpful as well. (Thanks, Mark~!)
I plan to start using WordPress soon, so this suggestion is timely indeed.

It's time for us to become part of the solution when it comes to the security of our websites.

I really do enjoy the way you do business as a hosting company~! :D
Chance favors the prepared. Come join us at OurCountryHaven.

dania

Thanks everyone,

I always keep my software updated, use passwords I hope no one can figure out. I WILL be changing all my passwords now.

I see SMF had also been asking their communities to change our passwords there too.

Why don't these people just get a life. >:( >:( >:( >:(

CountryLady, you will love WordPress for its ease of use. cPanel will have the very latest in Thirteen and it has a lovely theme.

If anyone using WP is NOT up to date you can't have theme Thirteen, you have to be on 3.6 to get the theme.

For everyone not up to date, here is what you're missing.

Quote: Rename your wp-admin folder to something random.

That would worry me Jason, is it safe... (still have our sites to edit normally) to do that? I never rename WP folders/directories once installed.

Also, is there possibly code in .htaccess to prevent hacks?  I never have allowed comments on any WP, I go to cPanel and strip it, even RSS.
For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him, should not perish, but have everlasting life.

Jason

Quote from: dania on August 15, 2013, 03:47:44 AM
> Quote: Rename your wp-admin folder to something random.
>
> That would worry me Jason, is it safe... (still have our sites to edit normally) to do that? I never rename WP folders/directories once installed.

I've seen mixed feedback on this.  Last I checked I believe it's possible but it may not be as effective as password protecting the folder or using something like this:

http://wordpress.org/plugins/stealth-login-page/