WordPress-based sites have been under attack over the last week or so: a massive campaign targeting blogs and sites that run the WordPress content management system. The attack is very large in scale and appears to be affecting WordPress sites globally. According to CloudFlare, a content delivery network with integrated security, it has blocked more than 60 million malicious requests aimed at its customers.
The botnet behind this attack appears to be very powerful: it is capable of brute-forcing 2 billion passwords per hour, and it is doing so from more than 100,000 IP addresses. That makes the attack absolutely impossible to defend against with IP-address blocking or per-IP login throttling, because the botnet can simply switch to a different IP address and try again every second for 24 hours.
Matt Mullenweg of WordPress wrote a short article about this brute-force attack and offered a solution as well. Let’s take a look at what he says:
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username. Right now there’s a botnet going around all of the WordPresses it can find trying to log in with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn’t great — supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).
The solution offered in his article is quite workable, but it becomes difficult to use two-factor authentication if you are not using an Android phone. And I hope a lot of people, including me, are not using Android phones. So people who can’t use the two-factor authentication solution will need to find another one.
I have installed the Better WP Security plugin, which provides many ways to protect yourself against these types of brute-force attacks. I will only discuss the features of Better WP Security that help you harden your WordPress site against brute-force attacks.
Before going through the plugin features, let’s see how the botnet attacks WordPress sites. The botnet mostly attacks sites that still have their default configuration, because once the defaults are gone an attack can no longer be fully automated; it requires manual action and human intervention.
So our best bet is to change everything that WordPress configures by default. Using the Better WP Security plugin, we will change the following on our WordPress site:
- The default admin username
- The default admin ID
- The default login URL
- The default registration URL (only if you have open registrations enabled)
- The default admin URL
These are the absolute basics if you want to prevent brute-force attacks carried out by a botnet.
When you install Better WP Security, a new menu named “Security” will appear. Clicking it takes you to the plugin dashboard, which offers two options by default:
- Secure my site from basic attacks
- No thanks, I prefer to configure everything myself
Obviously, I prefer to configure the plugin myself, so I select the second option.
Now go to the “User” tab, which has two options:
- Change the admin user name
- Change the admin user ID
We need to change both. Make sure your WordPress installation does not have a common username like “admin”. Treat usernames like passwords: keep them hard to guess (and to remember).
Now go to the “Hide” tab. On this configuration screen you can change the site’s login URL. The default for WordPress-based sites is yoursite.com/wp-login.php; because it is so well known, the botnet and even human attackers will try to log in through this default URL. Change it to something difficult to guess, and do not use obvious slugs like login, register or admin. Changing the URL slugs completely keeps your site administration hidden.
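As an added illustration (not part of the original post and not code from the Better WP Security plugin), the script below shows why the per-IP throttling dismissed above fails against a distributed botnet, and what to watch instead once the login slug has been moved: it parses Apache access-log lines, counts POSTs to the default wp-login.php path per source IP, and compares a per-IP limit with a site-wide one. The log lines, IP addresses and thresholds are constructed sample values, not data from the attack.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format access-log lines (not from the
# original post). Each botnet node posts to wp-login.php only once or twice,
# so a per-IP threshold never trips; a normal visitor's GET is mixed in.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0"
203.0.113.11 - - [13/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0"
203.0.113.12 - - [13/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2013:10:00:03 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.13 - - [13/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0"
203.0.113.14 - - [13/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0"
203.0.113.15 - - [13/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3524 "-" "Mozilla/5.0"
"""

# client IP, request method, request path, HTTP status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def login_posts(log_text, login_path="/wp-login.php"):
    """Return a Counter of source IP -> number of POSTs to the login path.

    Once the login slug has been moved with the "Hide" tab, nothing legitimate
    should POST to the default path, so every hit here is worth alerting on.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).split("?")[0] == login_path:
            hits[m.group(1)] += 1
    return hits


def assess(hits, per_ip_limit=5, global_limit=5):
    """Compare a per-IP throttle with a site-wide threshold on the same hits."""
    total = sum(hits.values())
    return {
        # what an IP-limiting plugin would block: nothing, each IP stays under the limit
        "ips_blocked_per_ip": sorted(ip for ip, n in hits.items() if n > per_ip_limit),
        "total_attempts": total,
        "distinct_ips": len(hits),
        # what a site-wide view sees: many attempts spread across many sources
        "site_wide_alert": total > global_limit,
    }


if __name__ == "__main__":
    print(assess(login_posts(SAMPLE_LOG)))
```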
Following these steps will prevent the large majority of hacking attempts carried out by botnets and other automated attacks. What does your WordPress site’s security setup look like? Please share your views with us in the comments.