[wp-hackers] Admin Login Brute Force Attacks

Chris Williams chris at clwill.com
Wed Mar 20 18:19:11 UTC 2013

I have about a dozen WP sites that I manage, and recently experienced a break-in on many of them.  After a bunch of work I located all the hacked files (virtually every index.php, header.php, footer.php, and functions.php they could find) along with some cute additions to wp-includes, and cleaned up the sites.  Was annoying, especially since the attack got the sites listed on AVG's threat labs for 30 days.  Ugh...  But that's behind me.

I rigorously keep them up to date (see other thread) in all but one case where updates are prevented by dependencies.  Nonetheless, the sites are under constant attack (lately from one especially tenacious IP address in Russia) attempting brute force attacks on the admin account.  I believe this is how access was gained.  Since this attack I have:

 *   Removed the "admin" account in favor of another username with admin privs.  Should have done this ages ago, of course.
 *   Gone with much more robust (and different per site -- doh!) passwords for the account with admin privs
 *   Set the config parameter to remove file editing capability (I believe this is how the files were changed)
 *   Installed the "exploit scanner" plug-in and review it at least weekly
 *   Installed the "limit login attempts" plug-in and have it send me lockout information

Since I have taken these measures, the sites have been clean.  Still, the sites are under attack, and I get daily notices from "limit login attempts" of IPs being locked out due to repeated attempts to log in to "admin".  They get four tries; after that they get an hour timeout, and if they get four hour timeouts, they are locked out for a day (and I get a notice).  At least one of my sites sends me a notice every day.  Often from this same IP.  At least I know they aren't getting more than 16 tries a day :)

Of course, I could simply put this IP in the .htaccess file, and I will likely do that if s/he doesn't give up here soon.  But this has me thinking about what WP could do in core to improve defense against brute force attacks against accounts with administrator privileges.

I'd like to see WP have as core functionality at least two things:

 1.  Limiting of login attempts.  Virtually every system that uses username/password to control access has some limit on attempts.  They vary widely, but the approach the "limit login attempts" plugin uses is pretty good.  I'd like to see this in core.
 2.  Some recording of logins, at the very least "last login date/time" per user.  So when you are logged in, up there near "Howdy" would be "last login at: xxx".  If this had been in place, like it is on my bank account and many other places (that I check every time I log in), I would likely have noticed the brute force break-in days sooner and limited the damage.

As someone on the other thread noted, WP has done a great job of closing up vulnerabilities, but literally every WP site on the planet (all 60,000,000 of them) is vulnerable to brute force attacks.  These seem like small, relatively easy measures to help defend against them.
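Added example (not part of the original post, and not WordPress core or the "limit login attempts" plugin's code): a must-use plugin sketch of the two measures requested above, the tiered lockout (four failures give an hour, four hourly lockouts give a day) and a "last login at" notice next to "Howdy". It assumes WordPress transients and user meta are available and that `REMOTE_ADDR` is the real client address (it is not, behind a reverse proxy); the `ll_` function and meta names are hypothetical.

```php
<?php
// Added example (mu-plugin sketch), not code from the post or from WordPress core.
// Tiered lockout: 4 failures -> 1 hour; 4 hourly lockouts -> 1 day. Plus last-login notice.
// Assumes REMOTE_ADDR is the real client (adjust behind a reverse proxy).
function ll_key( $username ) {
    // Keyed by username AND client IP so one IP cannot lock the real admin out from elsewhere.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'll_' . md5( strtolower( $username ) . '|' . $ip );
}
function ll_is_locked( $state ) {
    return $state && ! empty( $state['locked_until'] ) && $state['locked_until'] > time();
}
// Count failures and escalate; state is kept for a day so hourly lockouts accumulate.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ll_key( $username );
    $state = get_transient( $key ) ?: array( 'fails' => 0, 'lockouts' => 0, 'locked_until' => 0 );
    if ( ll_is_locked( $state ) ) {
        return; // attempts made during a lockout are not counted again
    }
    if ( ++$state['fails'] >= 4 ) {
        $state['fails'] = 0;
        $state['lockouts']++;
        $ttl = ( $state['lockouts'] >= 4 ) ? DAY_IN_SECONDS : HOUR_IN_SECONDS;
        $state['locked_until'] = time() + $ttl;
    }
    set_transient( $key, $state, DAY_IN_SECONDS );
} );
// Reject logins while locked. Priority 30 runs after core's password check (20),
// which would otherwise override an earlier WP_Error when credentials are non-empty.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( $username && ll_is_locked( get_transient( ll_key( $username ) ) ) ) {
        return new WP_Error( 'll_locked', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 2 );
// On success: clear the counters and keep the previous login time for display.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'll_prev_login', get_user_meta( $user->ID, 'll_last_login', true ) );
    update_user_meta( $user->ID, 'll_last_login', time() );
    delete_transient( ll_key( $user_login ) );
}, 10, 2 );
// Show "last login at: ..." near "Howdy" in the admin bar.
add_action( 'admin_bar_menu', function ( $bar ) {
    $prev = get_user_meta( get_current_user_id(), 'll_prev_login', true );
    if ( $prev ) {
        $bar->add_node( array( 'id' => 'll_last_login', 'parent' => 'top-secondary',
            'title' => 'last login at: ' . date_i18n( 'Y-m-d H:i', (int) $prev ) ) );
    }
}, 100 );
```

Drop the file into `wp-content/mu-plugins/` to activate it; a user who sees an unfamiliar "last login at" time has the early warning the post asks for.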

