WordPress Brute Force Attacks: Quick Simple Solution
Protect yourself by limiting wp-login.php to your IP address
If you are a WordPress user, this is all you need to know – the WordPress brute force attacks that occurred last week can be mitigated with one simple technique: restricting which IPs can access your wp-login.php page. That’s it. The reason last week’s WordPress brute force attacks were so effective is that rather than one single computer IP address attempting to guess your password, tens of thousands were used, which means that the attack could occur without sounding some of the traditional alarm bells.
But why risk relying on security plugins that may fail you when you can fix things yourself? And why install new software when the fix will take 2 minutes? Lastly, why rely on subpar solutions that can still cause your server to crash, due to the strain of rendering the wp-login page? How about you implement a solution that almost effortlessly rejects the unwanted advances in the most resource-effective way.
This is all that you need to do to protect yourself from a WordPress brute force attack:
- Identify your IP address (http://www.myipaddress.com/)
- Log into your server via FTP/SFTP or your hosting control panel’s file manager. HostGator’s file manager is below.
- Navigate to your .htaccess file (If it doesn’t exist, create it with a text editor)
- Add this to the beginning (replacing the xxx.xxx.xxx.xxx with your ip):
<files wp-login.php> order deny,allow deny from all allow from xxx.xxx.xxx.xxx </files>
Verify that your wp-login page cannot be accessed from a computer other than the one you are using. To do this, try using your phone or a friend’s computer. We are not claiming that this will protect you from all of the nefarious characters on the internet. This will, however, protect you completely from a WordPress brute force attack. Thanks to James Dunn from wpmu.org for providing much of the guidance.
Last Thursday, April 11th 2013, hundreds of thousands (at least) of website owners across the globe became victims of a sophisticated attempt to gain access to the portions of their webservers controlled by the WordPress Content Management System (CMS). WordPress is installed as a subordinate on the Linux operating system, usually below software used by shared hosting providers to provide control panels. The leading software used is cPanel and Plesk, produced by cPanel, Inc, and Parallels, Inc, respectively. Custom made hosting software is also used by hosting providers. Notable users of each type:
- cPanel: HostGator, Namecheap, WebHostingBuzz, BlueHost, A Small Orange
- Plesk: Hostmysite.com, Media Temple
- Custom-made software (GoDaddy, DreamHost, Endurance International vDeck properties: FatCow, iPage, etc).
Vulnerabilities exist at each level of software installed: server (Linux), hosting provider (cPanel), and CMS (WordPress). I want to mention each level before focusing on the CMS and WordPress brute force attacks. To address only the CMS does a disservice, since a false sense of security can be created by closing every single window in the house if the front door is left open.
Server/Operating System/Hypervisor Vulnerabilities
Protection at this level is absolutely the responsibility of the hosting provider. WordPress users have no ability to control this, and only through picking a hosting provider focused on security can vulnerabilities at the hardware, operating system, and hypervisor be addressed. This equipment and software serves to create the base layer for hosting provider software to run.
Web Hosting Control Panels: cPanel, Plesk, vDeck, Custom
Locking down the control panel may be the responsibility of the hosting provider, or if you are running a VPS or dedicated server, it’s on you. Vulnerabilities do exist at this level, and have been exploited. Thousands of sites were hacked after a Parallels Plesk exploit was utilized – http://krebsonsecurity.com/2012/07/plesk-0day-for-sale-as-thousands-of-sites-hacked. It is common knowledge that no system is impervious, and that as software increases in usage, the benefit to hacking it increases to miscreants. Software exploits, while possibly indicative of poorly written code, are more often a sign that the software has become popular enough to be a target.
Content Management Systems: WordPress, Joomla, Drupal, etc
All content management systems have vulnerabilities. WordPress brute force attacks, however, just come knocking at the front door, again and again. By simply guessing at a website owner’s username and password, the only restricting factor is the speed the website owner’s computer can respond “Yes” or “No” and the speed at which the attacker can make requests.