I host and manage a number of websites for other people as well as my own, many of which are self-hosted WordPress blogs. And since I manage the host configuration and status myself, I often monitor the webserver access logs and error logs to check for problems.
Recently I noticed that the WordPress login pages for many of the sites were getting an unusual amount of traffic. As I took a closer look, I realized that hackers were running scripts that continuously posted the login form in an attempt to crack into the sites by brute force. They were posting a new login attempt every second or more.
Not only was this annoying and dangerous, it was also eating up server resources.
At first I manually blocked the IP addresses of the hackers by adding a custom rule to the server firewall. But I also started looking for some tools to help automatically detect and protect WordPress websites from hackers running brute force attacks. And I found some very helpful plugins and tools. In addition to the official security recommendations from WordPress, here are some that I have found helpful to deal with these problems.
Login Security Solution is a WordPress plugin that automatically tracks failed login attempts. If the number of failures passes a configurable threshold, it emails you a notification of the hacking attempt and begins artificially slowing down the login form, so that each login attempt takes much longer for the hacker’s brute force program.
Brute force cracking depends on the hacker being able to keep guessing the password until one guess succeeds. Slowing down the process makes it far less likely that the program will succeed.
In addition to notifications to the administrator and slowing down the process, if the hacker does succeed in logging in, the Login Security Solution plugin flags the account and requires a password reset through the account owner’s email address before letting the user log in. So even if they managed to crack the password, they wouldn’t be able to do anything unless they also had access to your email.
Of course, cracking a password is easier if WordPress blog users are using weak, simple passwords. Login Security Solution can also enforce password strength, so you can force all of your users to change their passwords to ones that are harder to crack. It can also require your users to change their passwords on a regular schedule, such as every 90 days, and automatically log them out after a certain amount of idle time.
If you have a Google Account and a cell phone then you really should be using 2-Factor Authentication already. 2-Factor Authentication requires that you not only use your password to log in to your Google Account, but that you provide a unique numeric code that changes every 30 seconds. You get that code through your cell phone as a text message, a voice message, or through a special application for smart phones called Google Authenticator (available for iOS, Android, and BlackBerry).
If you are using the Google Authenticator app already, you can also use it to require 2-factor authentication for your WordPress blog using the Google Authenticator Plugin for WordPress. The requirement can be enabled on a per-user basis, so you can require Google Authenticator for the administrator accounts for your blog, but let less privileged users log in without it.
If you manage your blog from your smart phone or tablet with the WordPress app, which connects to WordPress through the XML-RPC interface instead of the standard login, you will have to generate a special application-specific “app password” for it to use.
If you or your hosting provider install mod_evasive, it will monitor the number of requests and temporarily deny access to IP addresses that request the same page too many times within a configurable amount of time, or that hit the same website too many times in a short amount of time.
For example, it can be configured so that if the same IP address hits the exact same page 4 times in 7 seconds, it is blocked for the next 10 minutes. Real visitors don’t load the same page 4 times in only 7 seconds; that is behavior exhibited by automatic programs that post spam or try to crack passwords, not real people.
It does take some monitoring and tweaking, because you don’t want to restrict legitimate visitors accidentally, but it is an excellent way to shut down Brute Force attacks, Spammers, and Denial of Service attacks at the web server level. It can be configured to send you an email notification every time it denies an IP address.
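To see which clients a rule like this would deny before you enable it, the following added example (not part of the original post and not mod_evasive's own code) replays Apache access-log lines through the thresholds from the text. The log lines are constructed, and the sliding-window counting is an assumed, simplified model of the rule rather than the module's exact algorithm.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the text: same page 4 times in 7 seconds -> denied for 10 minutes.
PAGE_COUNT, PAGE_INTERVAL, BLOCK_PERIOD = 4, timedelta(seconds=7), timedelta(minutes=10)

# Apache common/combined log prefix: client IP, [timestamp], "METHOD path ...".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def replay(lines):
    """Return {ip: [(time_denied, page), ...]} for clients the rule would deny."""
    recent = defaultdict(deque)  # (ip, page) -> hit times still inside the window
    denied_until = {}            # ip -> when its current block ends
    denials = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, _method, target = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        page = target.split("?", 1)[0]  # ignore the query string
        if ip in denied_until and when < denied_until[ip]:
            continue  # already denied: these requests never reach WordPress
        window = recent[(ip, page)]
        window.append(when)
        while when - window[0] > PAGE_INTERVAL:
            window.popleft()  # drop hits older than the interval
        if len(window) >= PAGE_COUNT:
            denied_until[ip] = when + BLOCK_PERIOD
            denials[ip].append((when, page))
            window.clear()
    return dict(denials)

# Helper that builds one constructed access-log line (sample data, not a real log).
def hit(ip, sec, method, path):
    return f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample: a script posting the login form once per second, a person
# retrying a mistyped password, and a crawler fetching four different pages.
SAMPLE = (
    [hit("203.0.113.7", s, "POST", "/wp-login.php") for s in range(6)]
    + [hit("198.51.100.20", s, "POST", "/wp-login.php") for s in (0, 9, 20)]
    + [hit("192.0.2.50", s, "GET", f"/post-{s}/") for s in range(4)]
)

if __name__ == "__main__":
    for ip, events in replay(SAMPLE).items():
        print(ip, "would be denied at", [f"{t:%H:%M:%S} ({p})" for t, p in events])
```

Passing an open access-log file to `replay()` and adjusting the three constants until ordinary visitors no longer appear in the result is one way to do the tuning described above.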
Also keep in mind that if you use mod_evasive, you may need to manage the Crawl-delay directive in the robots.txt files for your websites, so that legitimate web crawlers like Google, Bing, and Yahoo wait long enough between hits that they don’t accidentally trigger mod_evasive and get denied. A bot that ignores the Crawl-delay you specify in robots.txt should probably be denied anyway.
At first when I installed these plugins and modules, I was alarmed at the number of notifications I was receiving of login attacks and blocked IP addresses, as were some of the blog owners. But it is better to be aware of what is happening to your websites and take action than to live with a false sense of security. Many WordPress sites are under regular attack and don’t even know it.
As an added benefit, these tools have helped significantly decrease the resource use and load on the web server. Performance across the websites has increased because they are no longer being bogged down by continuously being hit by bots.