- Avoid Obvious Passwords: A simple check of the security requirements recommended by WordPress will make brute force attacks much more difficult. As Mike Isaac points out in All Things D, “Hackers go after the low-hanging fruit, which is most often found in the novice Web users who don’t take the time to switch from their default login information.” A secure password is a mix of at least eight upper and lowercase letters, numbers and the kinds of ‘special’ characters used to depict curse-words (^%$#@*)!
- Ditch The Admin Username: The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations. So if you are still using “admin,” create a new user with admin privileges (you will need to use a different email address than the one attached to the current admin) and give it a strong password as defined above. Then log back in as the new user and delete the old admin account and assign all of the posts in that account to the new user. Five minutes, tops.
- Use Two Factor Authentication on WP.com: If you have a WP.com account, take advantage of their two-step authentication which assures that you are a human logging in, not a bot.
- Update WordPress: Many hackers exploit holes that have ben identified in older versions of WordPress, so keeping your install up to date is another easy way to avoid trouble, though this is not as immediately relevant as the above two action items. WordPress founder Matt Mullenweg advises that if you do these first three “you’ll be ahead of 99% of sites out there and probably never have a problem.”
- Install A Security Plugin: Using something like the Better WP Security plugin is probably agood idea in general, it won’t do anywhere as much in this case as the suggestions higher up the list. Mullenweg writes, “Most other advice isn’t great—supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin [like Better WP Security] isn’t going to be great (they could try from a different IP a second for 24 hours).”
- Consider A Service Like CloudFlare: The Ars Technica article recommends, “operators can sign up for a free plan from CloudFlare that automatically blocks login attempts that bear the signature of the brute-force attack.” Just remember that, as Mike Isaac points out, CloudFalre itself has been “ringing the alarm bells (while simultaneously pimping the company’s own security services.)” See this post from the CloudFlare blog that raised this issue to the awareness of Goodin and Isaac, and make your own judgement
WordPress Login – Brute Force Attack
Recently, there was a worldwide, highly-distributed WordPress attack. This attack was known for using forged or spoofed IP addresses. During the attack, we actively blocked the most common attacking IP addresses across our server farm. If this type of attack happens again, we will again take appropriate measures.
Measures You Can Take to Prevent Similar Attacks
The following steps can be used to secure (by password protection)
wp-login.php for all WordPress sites in your cPanel account. This will help deter this type of attack.
How to Password Protect the wp-login.php File
There are two (2) steps in accomplishing this. First you need to define a password in the
.wpadmin file, and then you activate the security in the
Step 1: Create the Password File
Create a file named
.wpadmin and place it in your home directory, where visitors can’t access it. (Please note there is a period preceding the wpadmin in that file name.) The following example is for cPanel. Plesk would require placing the file in
(where “username” is the cPanel username for the account.)
Put the username and encrypted password inside the
.wpadmin file, using the format
(where “john” is a username of your choice, and the password shown is encrypted.)
Step 2: Update the .htaccess File
All domains under the home directory will share the common
.wpadmin file. (The command listed in Option B above creates the
/home/username/.wpadmin file due to the
The last step is to place the following code in the
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthName "Authorized Only"
Note: replace “username” above with your cPanel username.