Better Way to Defeat WordPress Brute Force Attack

It should be well known throughout the WordPress community that WordPress-powered websites are being targeted with brute force attacks. These attacks target websites that still use “admin” as the primary administrator’s user name, along with variations like “adm”, “administrator”, “admin1”, “Admin”, etc. The attack peaked in April this year, but it didn’t stop. My website was under brute force attack just a few days ago. I got lucky, not because I don’t have an “admin” account, but because I have better protection.

If you think that having an “admin” account on your site is the problem, think again. Having an “admin” account is only part of the problem.

Why Simply Removing the “admin” Account Is Not the Ultimate Answer

The nature of a brute force attack is to check all possible keys (username and password) until the correct one is found. The attacker therefore doesn’t know whether a user called “admin” (or one of its variations) exists, but keeps on trying regardless. Meanwhile, memory consumption on the targeted server increases, which results in low server performance and an unresponsive server.

That’s why, even if no “admin” account exists on your site, that alone won’t stop the attack in time or reduce its impact on your website’s performance.

Better Security Solution

Therefore, to put ourselves in a better position, we should:

  • Secure username (including not using the well-known “admin”)
  • Harden the password
  • Secure the login process

To meet these criteria (except the password), here is my solution:

1. Disable Author Scan

Guessing the user name is part of the game. Offering “admin” gives away 50% of your website’s login credentials to hackers. It is just a matter of time for hackers to figure out valid usernames by running scripts that scan author names. Therefore, removing this option from the configuration offers better protection than simply renaming the “admin” user.

The following rules block hacking tools from finding a valid user name by refusing (HTTP 403 Forbidden) any request whose query string contains author=<number>. Add them to your .htaccess file:

# BEGIN block author scan
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]
</IfModule>
# END block author scan

[Update on Dec 09, 2013] This will cause a “404 Page not Found” error when using the WordPress Export function. Use this method only if you don’t use the WordPress Export tool.


2. Limit Login Attempts

On most secure websites, users only have a limited number of login attempts. After failed logins, the session is locked for a substantial period of time before the next attempt is allowed. This is a very effective security measure against brute force attacks. WordPress doesn’t have this mechanism by default, but it can be added through a plugin.

There are many plugins that can do this. The one currently working on my website is called Limit Login Attempts. The plugin gives you a few options to control how many failed attempts are allowed before access from one IP is locked, and it also keeps track of locked-out IPs. You don’t have to be on the admin panel all the time: Limit Login Attempts can send you a notification email after a certain number of lockouts has been reached.

Limit Login Attempts also keeps lockouts in a log file, for example:

80.32.xxx.xxx    Admin ( 2 lockout)

I then use this as a reference and add those IPs to the IP blacklist in my .htaccess file. By using the IP blacklist, the suspicious IPs can be locked out from accessing my site.
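As an added example (not code from this post or from the Limit Login Attempts plugin), the following Python script turns lockout lines in the format shown above into a .htaccess deny block, skipping entries whose address is masked or malformed and keeping an allowlist so you cannot lock out your own address. The sample log, the threshold and the allowlist are constructed, and the output assumes Apache 2.2 “Deny from” syntax.

```python
import ipaddress
import re

# Constructed sample in the format the post shows for the Limit Login Attempts
# log ("<ip>    <username> ( <n> lockout)"); these are not real lockouts.
SAMPLE_LOG = """\
80.32.xxx.xxx    Admin ( 2 lockout)
203.0.113.7    admin ( 3 lockout)
203.0.113.7    administrator ( 1 lockout)
198.51.100.24    adm ( 1 lockout)
192.0.2.10    editor ( 4 lockout)
"""

LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+\(\s*(\d+)\s+lockouts?\s*\)\s*$")


def parse_lockouts(text):
    """Return {ip: total lockouts} for every parseable line.

    Lines whose address is not a valid IP (e.g. the masked 'xxx' form shown
    in the post) are skipped rather than turned into a broken deny rule.
    """
    totals = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _user, count = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        totals[ip] = totals.get(ip, 0) + int(count)
    return totals


def select_ips(totals, threshold=2, allowlist=()):
    """IPs at or above the lockout threshold, minus the allowlist (your own IP)."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowlist}
    return sorted(ip for ip, n in totals.items() if n >= threshold and ip not in allowed)


def render_htaccess(ips):
    """Render an Apache 2.2-style deny block using the post's BEGIN/END marker style.

    Assumption: 'Order/Allow/Deny from' syntax; Apache 2.4 uses 'Require not ip'.
    """
    lines = ["# BEGIN block lockout IPs", "Order Allow,Deny", "Allow from all"]
    lines += ["Deny from " + ip for ip in ips]
    lines.append("# END block lockout IPs")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_htaccess(select_ips(parse_lockouts(SAMPLE_LOG), allowlist=["192.0.2.10"])))
```

Review the generated block before pasting it into .htaccess; under “Order Allow,Deny” a matching Deny line wins, so a wrong address there locks that client out of the whole site.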


3. Use 2-Factor Verification

2-Factor verification provides an extra layer of protection on top of the existing username and password authentication. To add this mechanism to the website, we need a plugin that modifies the default WordPress login process and a program that generates the second verification code. A practical solution is to use the Google Authenticator app on your smartphone, which generates a code that is only valid for a short window of time. One has to input the second verification code within this period.

To do so, we need the Google Authenticator app on the mobile device to generate the verification code, and the Google Authenticator plugin on the WordPress site. The plugin allows you to enable 2-factor verification on a per-user basis, which is flexible enough to add the required security to the admin account while sparing other accounts the extra step.


If you don’t like dealing with code but don’t mind a few extra clicks at login, limiting login attempts plus 2-Factor verification is a simple yet very effective solution to strengthen website security against WordPress brute force attacks.

2 thoughts

  1. Could you elaborate more on the Block Author Scan?
    Will this keep the author name from appearing in the post byline? Or will it prevent rel=author from working?
