[wp-hackers] Admin Login Brute Force Attacks
niladam at gmail.com
Wed Mar 20 18:49:40 UTC 2013
On Wed, Mar 20, 2013 at 8:19 PM, Chris Williams <chris at clwill.com> wrote:
> I have about a dozen WP sites that I manage, and recently experienced a
> break-in on many of them. After a bunch of work I located all the hacked
> files (virtually every index.php, header.php, footer.php, and functions.php
> they could find) along with some cute additions to wp-includes, and cleaned
> up the sites. Was annoying, especially since the attack got the sites
> listed on AVG's threat labs for 30 days. Ugh... But that's behind me.
> I rigorously keep them up to date (see other thread) in all but one case
> where updates are prevented by dependencies. Nonetheless, the sites are
> under constant attack (lately from one especially tenacious IP address in
> Russia) attempting brute force attacks on the admin account. I believe
> this is how access was gained. Since this attack I have:
> * Removed the "admin" account in favor of another username with admin
> privs. Should have done this ages ago, of course
> * Gone with much more robust (and different per site -- doh!) passwords
> for the account with admin privs
> * Set the config parameter to remove file editing capability (I believe
> this is how the files were changed)
> * Installed the "exploit scanner" plug-in and review it at least weekly
> * Installed the "limit login attempts" plug-in and have it send me
> lockout information
> Since I have taken these measures, the sites have been clean. Still, the
> sites are under attack, and I get daily notices from "limit login attempts"
> of IPs being locked out due to repeated attempts to login to "admin". They
> get four tries, after that they get an hour timeout, if they get four hour
> timeouts, they are locked out for a day (and I get a notice). At least one
> of my sites sends me a notice every day. Often from this same IP. At
> least I know they aren't getting more than 16 tries a day :)
> Of course, I could simply put this IP in the .htaccess file, and I will
> likely do that if s/he doesn't give up here soon. But this has me thinking
> about what WP could do in core to improve defense against brute force
> attacks against accounts with administrator privileges.
> I'd like to see WP have as core functionality at least two things:
> 1. Limiting of login attempts. Virtually every system that uses
> username/password to control access has some limit on attempts. They vary
> widely, but the approach the "limit login attempts" plugin uses is pretty
> good. I'd like to see this in core.
> 2. Some recording of logins, at the very least "last login date/time"
> per user. So when you are logged in, up there near "Howdy" would be "last
> login at: xxx". If this had been in place, like it is on my bank account
> and many other places (that I check every time I log in), I would likely
> have noticed the brute force break-in days sooner and limited the damage.
> As someone on the other thread noted, WP has done a great job of closing
> up vulnerabilities, but literally every WP site on the planet (all
> 60,000,000 of them) is vulnerable to brute force attacks. These seem like
> small, relatively easy measures to help defend against them.
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
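The two proposals in the quoted message (attempt limiting with escalating lockouts, and a "last login" indicator near "Howdy") can be sketched as a small WordPress plugin. The code below is an added example written for this page; it is not WordPress core and not the "limit login attempts" plugin mentioned above. It assumes `$_SERVER['REMOTE_ADDR']` is the real client address (behind a reverse proxy you would have to read the proxy's trusted forwarding header instead), a single site where transients are shared by all PHP workers, and the thresholds from the post: four failures give a one-hour lockout, four hour-lockouts in a day give a one-day lockout plus an e-mail to the site admin. The `bfl_` prefix, option names and messages are all made up for the example.

```php
<?php
/*
Plugin Name: Brute-force lockout and last-login sketch (added example, not WordPress core)
*/

// Thresholds taken from the post: 4 failures -> 1 hour lock; 4 hour locks -> 1 day lock + notice.
define( 'BFL_MAX_FAILS', 4 );
define( 'BFL_MAX_HOUR_LOCKS', 4 );

// Transient names are md5-shortened so they stay within WordPress's transient name length limit.
// Assumption: REMOTE_ADDR is the client; behind a proxy use the proxy's trusted header instead.
function bfl_key( $prefix ) {
	return $prefix . md5( $_SERVER['REMOTE_ADDR'] );
}

// Count a failed attempt for this IP and escalate lockouts.
function bfl_login_failed( $username ) {
	if ( get_transient( bfl_key( 'bfl_lock_' ) ) ) {
		return; // Attempts made while locked out do not count toward a new lock.
	}
	$fails = (int) get_transient( bfl_key( 'bfl_fail_' ) ) + 1;
	if ( $fails < BFL_MAX_FAILS ) {
		set_transient( bfl_key( 'bfl_fail_' ), $fails, HOUR_IN_SECONDS );
		return;
	}
	delete_transient( bfl_key( 'bfl_fail_' ) );
	$locks = (int) get_transient( bfl_key( 'bfl_locks_' ) ) + 1;
	if ( $locks >= BFL_MAX_HOUR_LOCKS ) {
		// Fourth hour-lock within a day: lock for a day and tell the admin.
		delete_transient( bfl_key( 'bfl_locks_' ) );
		set_transient( bfl_key( 'bfl_lock_' ), 1, DAY_IN_SECONDS );
		wp_mail(
			get_option( 'admin_email' ),
			'Login lockout on ' . get_bloginfo( 'name' ),
			sprintf( "%s locked out for a day after repeated failed logins as '%s'.", $_SERVER['REMOTE_ADDR'], $username )
		);
	} else {
		set_transient( bfl_key( 'bfl_locks_' ), $locks, DAY_IN_SECONDS );
		set_transient( bfl_key( 'bfl_lock_' ), 1, HOUR_IN_SECONDS );
	}
}
add_action( 'wp_login_failed', 'bfl_login_failed' );

// Refuse authentication while a lockout exists, even if the password is correct.
// Priority 30 runs after WordPress's own username/password check (priority 20).
function bfl_check_lock( $user, $username, $password ) {
	if ( ! empty( $username ) && get_transient( bfl_key( 'bfl_lock_' ) ) ) {
		return new WP_Error( 'bfl_locked', 'Too many failed login attempts. Try again later.' );
	}
	return $user;
}
add_filter( 'authenticate', 'bfl_check_lock', 30, 3 );

// Keep the previous and current login times per user (local-offset timestamps, as date_i18n expects).
function bfl_record_login( $user_login, $user ) {
	$last = get_user_meta( $user->ID, 'bfl_last_login', true );
	if ( $last ) {
		update_user_meta( $user->ID, 'bfl_prev_login', $last );
	}
	update_user_meta( $user->ID, 'bfl_last_login', current_time( 'timestamp' ) );
}
add_action( 'wp_login', 'bfl_record_login', 10, 2 );

// Show the previous login next to "Howdy" in the admin bar (my-account node is added at priority 9991).
function bfl_admin_bar_last_login( $wp_admin_bar ) {
	if ( ! is_user_logged_in() ) {
		return;
	}
	$prev = get_user_meta( get_current_user_id(), 'bfl_prev_login', true );
	$text = $prev
		? 'Last login: ' . date_i18n( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), $prev )
		: 'First recorded login';
	$wp_admin_bar->add_node( array(
		'id'     => 'bfl-last-login',
		'parent' => 'top-secondary',
		'title'  => esc_html( $text ),
	) );
}
add_action( 'admin_bar_menu', 'bfl_admin_bar_last_login', 9992 );
```

Two points worth checking before relying on something like this. The lockout is keyed per source IP, so it slows the single tenacious address described in the post but does nothing against attempts spread across many addresses; the last-login display is what catches those. And because the `authenticate` filter returns an error even for a correct password during the lockout window, a legitimate admin sharing an address with the attacker (or a misconfigured proxy that collapses everyone to one IP) is locked out too, which is why the admin notice includes the address.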