[wp-hackers] Admin Login Brute Force Attacks

Joan Artés jartes at gmail.com
Wed Mar 20 19:09:04 UTC 2013


I also recommend the Firewall 2 Plugin (http://wordpress.org/extend/plugins/wordpress-firewall-2/) to avoid sql injection attacks and more. 

I know that this plugin is not updated since 2010 but it works and does his job (I have installed over 100 sites).


Joan Artés 

El 20/03/2013, a las 19:54, Alex Rayan <alexrayan69 at gmail.com> escribió:

> Hi Chris,
> I'm also managing dozens of Wordpress instances and have "limit login
> attempts" installed on most of these sites. I also disabled the error
> message that is displayed on incorrect username / password attempt by
> default since this message shows specifically what (username or password)
> was incorrect.
> With that disabled brute force attacks are pretty useless with a strong
> username / password combination so one wouldn't need to worry about that.
> I also have "Activity Monitor" plugin installed that allows you to monitor
> selectively what activity happened in the backend including login attempts
> with incorrect passwords and usernames tried.
> Most of the logs of Activity Monitor show that the first and only username
> tried in brute force attacks is "admin". And since the error message for
> incorrect login is disabled, there is no way for the code to know that
> "admin" username doesn't exist, so the code usually keeps trying to "guess"
> the password for the username "admin".
> In short, brute force attacks is a common occurrence, but by disabling the
> error message we could significantly limit the possibility of "guessing"
> the right username / password combination.
> Best regards,
> Alex
> On Wed, Mar 20, 2013 at 2:19 PM, Chris Williams <chris at clwill.com> wrote:
>> I have about a dozen WP sites that I manage, and recently experienced a
>> break-in on many of them.  After a bunch of work I located all the hacked
>> files (virtually every index.php, header.php, footer.php, and functions.php
>> they could find) along with some cute additions to wp-includes, and cleaned
>> up the sites.  Was annoying, especially since the attack got the sites
>> listed on AVG's threat labs for 30 days.  Ugh...  But that's behind me.
>> I rigorously keep them up to date (see other thread) in all but one case
>> where updates are prevented by dependencies.  Nonetheless, the sites are
>> under constant attack (lately from one especially tenacious IP address in
>> Russia) attempting brute force attacks on the admin account.  I believe
>> this is how access was gained.  Since this attack I have:
>> *   Removed the "admin" account in favor of another username with admin
>> privs.  Should have done this ages ago, of course
>> *   Gone with much more robust (and different per site -- doh!) passwords
>> for the account with admin privs
>> *   Set the config parameter to remove file editing capability (I believe
>> this is how the files were changed)
>> *   Installed the "exploit scanner" plug-in and review it at least weekly
>> *   Installed the "limit login attempts" plug-in and have it send me
>> lockout information
>> Since I have taken these measures, the sites have been clean.  Still, the
>> sites are under attack, and I get daily notices from "limit login attempts"
>> of IPs being locked out due to repeated attempts to login to "admin".  They
>> get four tries, after that they get an hour timeout, if they get four hour
>> timeouts, they are locked out for a day (and I get a notice).  At least one
>> of my sites sends me a notice every day.  Often from this same IP.  At
>> least I know they aren't getting more than 16 tries a day :)
>> Of course, I could simply put this IP in the .htaccess file, and I will
>> likely do that if s/he doesn't give up here soon.  But this has me thinking
>> about what WP could do in core to improve defense against brute force
>> attacks against accounts with administrator privileges.
>> I'd like to see WP have as core functionality at least two things:
>> 1.  Limiting of login attempts.  Virtually every system that uses
>> username/password to control access has some limit on attempts.  They vary
>> widely, but the approach the "limit login attempts" plugin uses is pretty
>> good.  I'd like to see this in core.
>> 2.  Some recording of logins, at the very least "last login date/time"
>> per user.  So when you are logged in, up there near "Howdy" would be "last
>> login at: xxx".  If this had been in place, like it is on my bank account
>> and many other places (that I check every time I log in), I would likely
>> have noticed the brute force break-in days sooner and limited the damage.
>> As someone on the other thread noted, WP has done a great job of closing
>> up vulnerabilities, but literally every WP site on the planet (all
>> 60,000,000 of them) is vulnerable to brute force attacks.  These seem like
>> small, relatively easy measures to help defend against them.
>> Chris
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list