Other ways of breaking into a site need elaborate methods; when we think about WordPress security, our minds go straight to brute force attacks.
WordPress has always had a wp-login.php file in the root directory and a /wp-admin folder, so an attacker knows exactly where the login form is.
There are also thousands of sites whose administrator user name is 'admin', with very simple passwords like admin123 or other easy-to-guess ones.
Hackers have always used such bad passwords to get into systems.
Even in the 1990s hackers were using scripts to generate automated login attempts from a dictionary of weak passwords.
But the world has evolved since then: internet speed is now very high and computers are far more powerful.
Today's brute force attacks are carried out with software that is easy to find on the internet, through torrents or .onion sites. Most of these programs are open source, free to take and to develop further.
With such a program the attacker will try up to a few hundred passwords per minute against your login form. This means that with an easy password you have no chance.
But why would hackers want to break into your WordPress website? There are many reasons: maybe somebody wants your website down. Or, more simply, there is big demand today for access to any website at all, to spread viruses, malware or ransomware across the internet. Naturally, a hacker would rather not pay for web hosting, and it is not only about the money: a compromised site is much harder to trace back to them.
OK, so you have a WordPress website, a nice one, and you are asking yourself: how do I make it secure?
The simplest way is to contact a security company to secure your WordPress site.
If you don't want that, there are a few things you can try that will help a lot.
- Change your administrator username from 'admin' to something else. This is the most important step of all. WordPress does not let you rename a user from the dashboard, so create a new administrator with a different name, log in as that user and delete 'admin', reassigning its posts to the new account. You can choose any username you wish, but keep in mind that user names are not secret (WordPress exposes them through author archives and the REST API), so this step only removes the most obvious guess.
- The password 'admin123' would be guessed even by my 10-year-old child, so it is time to change it. Use a password that is different from the ones on your other accounts. If you reuse your Facebook password and your Facebook account is compromised, the hacker gains access to your WordPress website as well.
- Put the 'wp-admin' folder and wp-login.php behind a second password in the web server (HTTP Basic authentication). Renaming the wp-admin folder is not supported by WordPress and breaks the core and plugins, but password-protecting it gives you a 'two step' login: the attacker has to get past the server's password prompt before even reaching the WordPress form. Basic authentication only encodes the credentials, it does not encrypt them, so serve the site over HTTPS; and leave wp-admin/admin-ajax.php reachable, because themes and plugins call it from the public pages.
- If you are more paranoid, restrict the login to the IP addresses you will log in from. But you must know those addresses well, because you will not be able to log in from any IP that is not on your list, and home connections often get a new address from the ISP.
- Block the IPs the attacks are coming from. But be advised that once you block an IP or an IP range, nobody behind that address, legitimate visitors included, will be able to access your website.
- Use Fail2ban (a Python tool that watches the server logs) to ban addresses after repeated failed login requests.
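The second-password and IP allow-list steps above, as one added example in POSIX shell (this is not code from the original post): a helper that writes the Apache 2.4 configuration gating wp-login.php and /wp-admin behind HTTP Basic authentication plus an IP allow-list, while leaving admin-ajax.php open. It assumes Apache 2.4 with mod_auth_basic, mod_authn_file, mod_authz_user and mod_authz_host, .htaccess overrides enabled (AllowOverride AuthConfig), and either htpasswd or openssl on the server to hash the password; the user name, password and documentation-range IP addresses in the demo run are constructed values.

```shell
#!/bin/sh
# Added example: generate Apache 2.4 config that puts wp-login.php and /wp-admin
# behind HTTP Basic auth and an IP allow-list.
# Assumptions (not from the original post): Apache 2.4 with mod_auth_basic,
# mod_authn_file, mod_authz_user, mod_authz_host, AllowOverride AuthConfig,
# and htpasswd or openssl available to hash the password.
# Usage: write_wp_login_protection DOCROOT HTPASSWD_PATH USER PASS "IP1 IP2/CIDR ..."
set -eu

# Hash a password for .htpasswd: bcrypt via htpasswd if present, else Apache MD5 via openssl.
htpasswd_line() {
  user=$1; pass=$2
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$user" "$pass"
  elif command -v openssl >/dev/null 2>&1; then
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
  else
    echo "need htpasswd or openssl to hash the password" >&2
    return 1
  fi
}

write_wp_login_protection() {
  docroot=$1; htpasswd=$2; user=$3; pass=$4; allowed_ips=$5

  # Keep the password file outside the document root so it is never served.
  htpasswd_line "$user" "$pass" > "$htpasswd"
  chmod 640 "$htpasswd"

  # Root .htaccess: only wp-login.php is gated, the public site stays open.
  # Both a valid user AND an allowed source IP are required.
  cat > "$docroot/.htaccess" <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $htpasswd
    <RequireAll>
        Require valid-user
        Require ip $allowed_ips
    </RequireAll>
</Files>
EOF

  # wp-admin/.htaccess: same gate, but admin-ajax.php stays reachable because
  # themes and plugins call it from the public front end.
  mkdir -p "$docroot/wp-admin"
  cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $htpasswd
<RequireAll>
    Require valid-user
    Require ip $allowed_ips
</RequireAll>
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Demo run against a scratch directory (constructed user, password and
# documentation-range addresses); on a real site DOCROOT is the WordPress root.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  write_wp_login_protection "$d" "$d/.htpasswd" wpadmin 'correct horse battery staple' "203.0.113.10 198.51.100.0/24"
  cat "$d/.htaccess" "$d/wp-admin/.htaccess"
fi
```

Run it with `--demo` to see the generated files. The Basic-auth prompt appears before WordPress ever sees the request, so dictionary tools aimed at wp-login.php get a 401 (or a 403 from an IP outside the list) instead of a login form; keep HTTPS on, since Basic credentials are only base64-encoded in transit.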
- Finally, we understand that the last two solutions, and what we plan to write from step 7 onward, may be too difficult for an end user, because they are more technical and involve scripts and server administration. So when you choose web hosting, find out beforehand whether the hosting team knows how to handle brute force attacks.
For example, we receive data from all websites hosted in our datacenter. There is an option the client can choose to send the hacking requests to us. It is a free option which does not send us the customers' sensitive data, only the reports.
Using our server options we deny the attackers' IP addresses, so if those hackers try to break into another website in our NOC they are automatically rejected with a very short text telling them why. If the IP was used only once for such an action and is now clean, we can unblock that IP on request. In this way the hacker is blocked before reaching your website.
We also use special honeypots to direct the attacks where we want, so that we catch most of them in the honeypot.
While we were writing this we have had 10 attacks, each with more than 1000 password tries, but limited by our servers to 10 password attempts. After each wrong password the server delayed the next request, so no accounts were in great danger, only those with very bad passwords, really very bad ones.
That is because after the first attack we are informed by the respective server and we block the IP.
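As an added example (not code from the original post and not the hosting company's own tooling), the following POSIX shell script shows what "block the attacking IPs" and the Fail2ban step look like in practice, and dry-runs the detection on a constructed log excerpt with the same limit of 10 failed tries. It assumes Apache's combined log format, the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302, and the Debian/Ubuntu file paths for fail2ban; the IP addresses are documentation-range values.

```shell
#!/bin/sh
# Added example: spot a wp-login.php brute force in an Apache access log and
# turn it into a ban. Not the hosting company's tooling.
# Assumption: a failed WordPress login answers HTTP 200 (form shown again),
# a successful login answers 302 (redirect to the dashboard).
set -eu

MAXRETRY=10   # same limit as the post: act after 10 failed tries

# Constructed sample log (Apache combined format, documentation-range IPs):
# 203.0.113.7 hammers the login form, 198.51.100.2 is a legitimate user who
# mistyped the password twice and then logged in.
sample_log() {
  i=1
  while [ $i -le 12 ]; do
    printf '203.0.113.7 - - [01/Mar/2016:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3311 "-" "python-requests/2.9"\n' $i
    i=$((i+1))
  done
  printf '198.51.100.2 - - [01/Mar/2016:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"\n'
  printf '198.51.100.2 - - [01/Mar/2016:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"\n'
  printf '198.51.100.2 - - [01/Mar/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
  printf '198.51.100.2 - - [01/Mar/2016:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"\n'
}

# Read a log on stdin; print "count ip" for every client with at least
# MAXRETRY failed logins (POST to wp-login.php answered with 200).
failed_login_ips() {
  awk -v max="$MAXRETRY" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
  ' | sort -rn
}

# Read "count ip" lines on stdin; emit an Apache 2.4 snippet that keeps the
# site public but rejects the listed addresses (put it in the root .htaccess).
# Apache does not allow comments after a directive, so the note gets its own line.
deny_block() {
  echo "<RequireAll>"
  echo "    Require all granted"
  while read -r count ip; do
    echo "    # $count failed logins"
    echo "    Require not ip $ip"
  done
  echo "</RequireAll>"
}

# The same detection as a fail2ban filter and jail, so the ban is automatic.
# Paths follow the Debian/Ubuntu layout; reload fail2ban after installing them.
fail2ban_config() {
  cat <<EOF
# /etc/fail2ban/filter.d/wordpress-login.conf
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php HTTP/[0-9.]+" 200
ignoreregex =

# /etc/fail2ban/jail.d/wordpress-login.conf
[wordpress-login]
enabled  = true
filter   = wordpress-login
logpath  = /var/log/apache2/access.log
maxretry = $MAXRETRY
findtime = 600
bantime  = 3600
EOF
}

if [ "${1:-}" = "--demo" ]; then
  sample_log | failed_login_ips | deny_block
  fail2ban_config
fi
```

Run with `--demo`: only 203.0.113.7 crosses the limit, the legitimate user with two typos does not, which is the difference between banning attackers and locking out your own visitors. On a live server replace `sample_log` with `tail -n 5000 /var/log/apache2/access.log`, and remember that a `Require not ip` line rejects everyone behind that address, exactly the caveat given in the list above.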
In the next articles you will find how to choose a good password without using automatically generated passwords that are impossible to memorize.