This is a month that will go down in infamy. Well, at least as far as WordPress security goes. There is a massive worldwide “brute force” attack going on and servers far and wide are experiencing slowdowns and lockouts.
There is not a lot of information yet. The attack is known to be using forged or spoofed IP addresses. It is trying to guess passwords – that’s why it’s called a “brute force” attack.
SOLUTIONS – server level
The solution I’ve opted for – at least for now – is to protect all WordPress login pages with HTTP authentication on the server level with 1 script. This should foil all attacks – they won’t even load the login page – unless the attack script gets smarter than it is now. The nice thing about this solution is that I can easily edit or reverse it without editing all sites.
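As an added example (not the post’s own script), here is one way to do the server-level version on Apache: a small script that drops a Basic-auth block for wp-login.php into every site’s .htaccess, and can remove it again. It assumes Apache with AllowOverride AuthConfig, a web root with one directory per site, and an htpasswd file created beforehand (the path /etc/apache2/wp-login.htpasswd is an assumption).

```shell
#!/bin/sh
# Protect wp-login.php on every site with HTTP Basic auth at the web-server level.
# Requests without valid credentials get a 401 before WordPress/PHP ever run.
# Assumes: AllowOverride AuthConfig is enabled, and the htpasswd file exists
# (create it once with: htpasswd -c /etc/apache2/wp-login.htpasswd someuser).

# protect_wp_login DOCROOT HTPASSWD_FILE
# Appends the auth block to DOCROOT/.htaccess exactly once (marker-guarded).
protect_wp_login() {
    docroot=$1
    htpasswd=$2
    htaccess="$docroot/.htaccess"
    if [ -f "$htaccess" ] && grep -q '# BEGIN wp-login-auth' "$htaccess"; then
        return 0   # already protected, nothing to do
    fi
    cat >> "$htaccess" <<EOF
# BEGIN wp-login-auth
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $htpasswd
    Require valid-user
</Files>
# END wp-login-auth
EOF
}

# unprotect_wp_login DOCROOT
# Removes the marker-delimited block again, so the change is easy to reverse.
unprotect_wp_login() {
    htaccess="$1/.htaccess"
    [ -f "$htaccess" ] || return 0
    sed '/# BEGIN wp-login-auth/,/# END wp-login-auth/d' "$htaccess" > "$htaccess.tmp" \
        && mv "$htaccess.tmp" "$htaccess"
}

# protect_all_sites WEBROOT HTPASSWD_FILE
# Applies the block to every directory under WEBROOT that contains wp-login.php.
protect_all_sites() {
    webroot=$1
    htpasswd=$2
    for f in "$webroot"/*/wp-login.php; do
        [ -f "$f" ] || continue   # skip non-WordPress directories
        protect_wp_login "$(dirname "$f")" "$htpasswd"
    done
}
```

Run it as protect_all_sites /var/www /etc/apache2/wp-login.htpasswd (paths are assumptions); running it twice is safe, and unprotect_wp_login undoes a single site.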
SOLUTIONS – via plugins
First of all, make sure you don’t have any users with the default username “ADMIN” – that’s what this attack is targeting. But even if you don’t have any users with that name the attack can still slow down your server.
Stealth Login Page
After much hunting for a plugin-based solution I finally found this. It will easily let you obscure your login page so these attacks won’t have a chance to slow your server down. I suppose the server has a small overhead when dealing with the redirect for requests for the default login URL but that must be much lower than having to serve the login page and bounce incorrect logins (and track IPs of incorrect logins). It allows you to redirect all requests to the default login page while preserving requests that add a short configurable code to the login URL.
The better solution is to block the default login URL via http authentication as mentioned above – but many users will not know how to set that up.
Custom-login-stealth-login
Update: This URL is not working today (April 26) but the rest of the site works, so hopefully it will be fixed soon.
This plugin is a paid version ($9.99) of what the free plugin above does. It integrates with a free “Custom Login” plugin that allows you to customize the look of the login page. It allows you to redirect or “kill” all requests to the default login page while preserving requests that add a short configurable code to the login URL. This plugin requires Custom Login > version 2.x, which can be downloaded for FREE in the WordPress repo.
Google Authenticator
I have not used this one but it sounds like a good option, yet needs more “stuff”. The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. You need the Google Authenticator app installed on your smartphone.
Captcha
This plugin will let you add a math CAPTCHA to the login page – and a variety of other locations as well. At this point the spam robots can’t get past even a simple CAPTCHA, so it should do something to help with server slowdowns due to frequent attacks – however, the spam robots can still access the login page and therefore still slow down your server via many requests.
A better solution might be to block the submit button somehow – but I’m not sure such a plugin exists and if it did I’m not sure how easy it would be for the robots to still submit the form even if the UI blocked the submit button.
SOLUTIONS – other good plugins
These other plugins offer great features – but won’t help much for this particular attack…
1) Better WP Security
This plugin does a lot more than limit your login attempts – so it has a chance of cleaning up whatever will cause the next big security issue. It’s got a great ‘easy’ mode where it will highlight the 5 or so highest-priority items that need attention. And it will clean those items with just a couple of clicks. The plugin also has lots of useful information to teach you about security. The downside is that there are lots of tabs and lots of options, and it takes time to find your way around.
2) Limit Login Attempts
This is nice and simple. As soon as you turn on the plugin it just starts working. It will escalate lockouts from 20 min to 24 hours, so that’s a nice feature. Its default is 4 tries, and in this current situation that might be a bit too many, but it depends how many sites are on your server.
WORDPRESS SECURITY LINKS
- http://blog.hostgator.com
- http://blog.sucuri.net
- Forbes: Wordpress Under Attack: How To Avoid The Coming Botnet
- NextWeb summary
- Matt’s advice
Security side note: the Social Media Widget plugin (social-media-widget) is being used to inject spam into websites, and removing it is recommended.