In case you haven’t heard by now, WordPress sites around the world are under attack by a botnet that’s attempting to brute-force its way into installations that have an active “admin” user. To say the least, it’s been causing me all kinds of grief for the last four days or so. It’s slowed my web host to a crawl and caused a significant amount of downtime.
Being the diligent, persistent, obsessive guy that I am, I’ve done a ton of research and come up with a few ways you can protect your website if it’s running on the WordPress platform.
Part 1 – Create a new WordPress admin user, and delete the original admin user.
Since most of the attacks that have occurred on WordPress sites are aimed either at exploiting a bug or hole in one of the files under the /wp-admin/ directory or at brute-forcing a login on wp-login.php, the #1 easiest thing you can do to avoid being a victim is to create a new user in your WordPress control panel (Users -> Add New) and make that new user an Administrator. The botnet is guessing passwords for the username “admin” specifically, so once no such user exists, its guesses cannot succeed no matter how many it makes. When creating that new user, be sure to do the following:
- Make the new user’s name something that isn’t, well, obvious or standard. Don’t call it “newadmin” or “admin2”. Give it a unique name, and set a different Display Name in the user’s profile so the login name isn’t printed next to every post you publish.
- Pick a really good password: at least 10 characters, with upper- and lower-case letters, numbers, and symbols such as ! @ # $ % ^ & *. Make it hard to guess and impossible to pull out of a dictionary, but something you can remember (or keep in a password manager). Length is what hurts a brute-forcer most, so when in doubt make it longer rather than stranger.
When you’ve finished creating your new user and given it full admin rights, log out of WordPress and log in with your new user. Make sure all of your access and settings are as they should be. Then, the most important step: delete the original admin user. When WordPress asks what to do with that user’s content, choose “Attribute all content to” your new user rather than “Delete all content”, or every post and page the old admin wrote disappears along with it.
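The same three steps (create the new administrator, confirm it really has the role, retire “admin” without losing its posts) done from the command line with WP-CLI, as an added example that is not part of the original post. It assumes the `wp` command is installed and the script is run from the WordPress root; the script name and the invocation shown in the last comment are assumptions too.

```shell
#!/bin/sh
# Added example, not from the original post: the dashboard steps done with
# WP-CLI (https://wp-cli.org). Assumes `wp` is installed and the script is
# run from the WordPress root.
set -e

# Draw a 20-character password from the character classes the post
# recommends (letters, digits, and ! @ # $ % ^ & *).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*' </dev/urandom | head -c 20
}

# Create the replacement administrator; --porcelain prints only its ID.
create_admin() {
    wp user create "$1" "$2" --role=administrator --user_pass="$3" --porcelain
}

# Refuse to continue unless WordPress really reports the new account as an
# administrator: this is the "log in and check your access" step.
verify_admin() {
    [ "$(wp user get "$1" --field=roles)" = "administrator" ]
}

# Delete the old account. --reassign keeps its posts and pages by handing
# them to the new user; without it WP-CLI deletes that content as well.
retire_old_admin() {
    wp user delete "$1" --reassign="$2" --yes
}

# Run all three steps for a new login name and e-mail address and return a
# one-line summary (the password is shown only here; store it safely).
rotate_admin() {
    new_login=$1; new_email=$2
    pw=$(gen_password)
    new_id=$(create_admin "$new_login" "$new_email" "$pw")
    verify_admin "$new_login" || {
        echo "$new_login is not an administrator; leaving admin in place" >&2
        return 1
    }
    retire_old_admin admin "$new_id" >/dev/null
    echo "created administrator $new_login (ID $new_id) with password $pw; user admin deleted"
}

# Assumed invocation: sh rotate-admin.sh <new-login> <email>
if [ $# -eq 2 ]; then
    rotate_admin "$1" "$2"
fi
```

The order matters: the old account is only deleted after WordPress confirms the new one carries the administrator role, so a typo in the role flag cannot leave you locked out of your own site.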
Part 2 – Plugins are your friends
There are two plugins that I’ve found to be invaluable during this brute force attack: ThreeWP Activity Monitor, and Limit Login Attempts. The first, ThreeWP Activity Monitor, does exactly what its name suggests: it monitors the login activity of your WordPress site. It creates a new area on your Dashboard that lets you see information about login attempts on your site, including the username entered, the password attempted, and the IP address and user agent of the potential attacker. It’s pretty amazing to see how many attempts occur and what passwords they’re trying. (It records your own mistyped passwords just the same, so treat that screen as sensitive.)
The other plugin, Limit Login Attempts, does exactly that: it lets you set how many login attempts are allowed in a given period of time, and then locks out the offending IP address when that limit is exceeded. Out of the box WordPress imposes no limit at all, which is exactly what a brute-forcer counts on.
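What Limit Login Attempts does inside WordPress can also be done from the server side by reading the web server’s access log, which is handy when the plugin itself is what’s being hammered. Here is that check as an added example, not the plugin’s code and not from the original post: it counts failed logins per client IP in Apache combined-format log lines and emits .htaccess deny rules for the worst offenders. The log lines are constructed for the example, and the log path in the final comment is an assumption.

```shell
#!/bin/sh
# Added example, not the plugin's code and not from the original post: the
# idea behind Limit Login Attempts applied to an Apache access log.
set -e

# Constructed sample lines in Apache "combined" log format. A failed
# WordPress login is a POST to wp-login.php answered with 200 (the form is
# redrawn with an error message); a successful login answers with a 302
# redirect to wp-admin. GETs of the form are not attempts at all.
SAMPLE_LOG='203.0.113.7 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.22 - - [12/Apr/2013:10:05:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.22 - - [12/Apr/2013:10:05:34 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.22 - - [12/Apr/2013:10:05:48 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.9 - - [12/Apr/2013:10:06:00 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 15002 "-" "Mozilla/5.0"'

# Print every client IP with at least $2 failed logins in the log text $1.
# The time window is whatever slice of the log you pass in.
failed_logins_over_limit() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# Turn that list into Apache 2.2 .htaccess lines that block the addresses
# before PHP runs (on Apache 2.4 use "Require not ip" inside <RequireAll>).
deny_rules() {
    printf '%s\n' "$1" | awk 'NF { print "Deny from " $1 }'
}

# Demonstration on the constructed log. Assumed use on a live server:
#   failed_logins_over_limit "$(tail -n 5000 /var/log/apache2/access.log)" 5
deny_rules "$(failed_logins_over_limit "$SAMPLE_LOG" 5)"
```

With a threshold of 5 only 203.0.113.7 is listed: 198.51.100.22 failed twice and then logged in (the 302), which is a person mistyping, not a bot. Note that the status-code trick only works because WordPress answers a bad login with 200 and a good one with a redirect; and if CloudFlare or another proxy sits in front of the site, field 1 is the proxy’s address unless you restore the real client IP first.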
Part 3 – CloudFlare to the rescue
CloudFlare is a very cool service, started a year or two ago (I believe), that provides both protection and acceleration for any website, hosted anywhere. They’ve got a free plan with good features, and a paid plan with better features (obviously). I used them on this site for a while, then for some reason I can’t remember I disabled their service. Today, though, I came across this great post on their blog about how they’re helping people deal with the current WordPress brute force attacks. An excerpt:
We just pushed a rule out through CloudFlare’s WAF that detects the signature of the attack and stops it. Rather than limiting this to only paying customers, CloudFlare is rolling out the fix to all our customers automatically, including customers on our free plan. If you are a WordPress user and you are using CloudFlare, you are now protected from this latest brute force attack.
Because CloudFlare sits in front of a significant portion of web requests we have the opportunity to, literally, patch Internet vulnerabilities in real time. We will be providing information about the attack back to partners who are interested in hardening their internal defenses for customers who are not yet on CloudFlare.
Some web hosts, like my current host Dreamhost, actually have CloudFlare integration in their control panels, so you can quickly enable it to protect your site. I highly recommend using CloudFlare for a number of reasons, but for protection from this attack I cannot stress enough that you should sign up for a free account and get your sites protected immediately! One thing to keep in mind once CloudFlare is proxying your traffic: your server now sees CloudFlare’s addresses as the client IP, so IP-based blocking (Limit Login Attempts, Deny rules in .htaccess) will ban CloudFlare’s own edges instead of the attacker unless you restore the visitor’s real address. CloudFlare passes it in the CF-Connecting-IP request header and publishes mod_cloudflare for Apache to do this automatically.
Part 4 – Not for the weak of heart: using .htaccess and .htpasswd to protect wp-login.php
Alright, this part is not for the newbs. This is a little higher on the technical skill level, because when working with .htaccess files you can do all kinds of terrible things like lock yourself out of your website entirely, or accidentally prevent images from showing up. If you know what a .htaccess file is and what it does, read on. If you don’t, you’re done with this post; go protect your WordPress sites with the rest of the stuff already listed.
Did you know you can protect a single file, not just a directory, with .htaccess and .htpasswd? Yup, you can. Instead of typing what’s already been typed several times, head on over to this awesome post from HostGator on how to password protect your wp-login.php file for a second level of security. With it in place Apache demands the HTTP credentials and answers 401 before PHP or WordPress ever run, so the brute force attack can’t even touch your wp-login.php, and your host stops burning CPU and database time on every guess. Two things to check before you rely on it: keep the .htpasswd file outside your web root so it can never be downloaded, and test the new login from a second browser before you close the session you’re already logged into.
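For those who would rather see the two files than follow a link, here is an added example (not from the original post or the HostGator article) that generates the .htpasswd entry and the .htaccess stanza. The password file path, the script name and the invocation in the last comment are assumptions; everything else is standard Apache syntax.

```shell
#!/bin/sh
# Added example, not from the original post or the HostGator article it
# links to: generate the .htpasswd entry and the .htaccess stanza that put
# HTTP Basic authentication in front of wp-login.php and nothing else.
set -e

# Assumed location for the password file. Keep it outside the web root
# (above public_html) so Apache can never serve it; the path must be
# absolute because AuthUserFile does not resolve relative paths.
PASSWD_FILE=/home/example/.htpasswd-wp-login

# One .htpasswd line, user:hash, in Apache's apr1 (salted MD5) format,
# which every Apache version accepts. The password goes to openssl on
# stdin so it never shows up in the process list. With apache2-utils
# installed, `htpasswd -nbB user pass` gives a bcrypt hash instead
# (Apache 2.4 and later).
htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(printf '%s' "$2" | openssl passwd -apr1 -stdin)"
}

# The .htaccess stanza for the WordPress root. <Files> limits it to
# wp-login.php, so the rest of the site (and its images) is untouched, and
# Apache answers 401 before PHP or the database are involved.
wp_login_htaccess() {
    cat <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# Assumed invocation: sh protect-login.sh <http-user> <http-password>
# Appends the credential to the password file and prints the stanza to
# paste into (or append to) the .htaccess next to wp-login.php.
if [ $# -eq 2 ]; then
    htpasswd_entry "$1" "$2" >> "$PASSWD_FILE"
    wp_login_htaccess "$PASSWD_FILE"
fi
```

Use a different username and password from your WordPress login, since the whole point is a second, independent gate. The password file must be readable by the user Apache runs as (on shared hosts that is often your own account), and Basic auth over plain HTTP sends the credentials merely base64-encoded, so if your host offers HTTPS for the admin side, use it.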
That’s it. Good luck, be safe, and keep fighting the good fight!