Your WordPress site is under attack!?!?!? SOLVED!

Is your wordpress site constantly subject to brute force attempts to access it?

Would you even know if it is?

These things are often silent as attempting to brute force your password and access your worpdress site is effectively ‘normal’ behaviour and there is no straightforward way to detect it.

Given that WordPress powers c. 30% of the internet there is no shortage of attackers using automated tools to try to access your site. Once they have access they can do any number of things… lock you out, post malicious content, change the links on your site to send visitors to malware, send spam, host crypto mining software, …

So gaining access to your site is very valuable to them. It WILL make them money.

I can therefore guarantee you that there are people trying to break into your site. You just might not know it yet.

For example, using the  plugin below, I get notified of attempted attacks almost daily. And once they’ve started the same IP address won’t stop attacking until it has been blocked for a significant amount of time.

So how do we detect it and fix it???

1. Limit Login Attempts

The best plugin I’ve found to help detect and somewhat mitigate brute force access attempts is the Limit Login Attempts plugin.
[I have absolutely no connection with the creator – I’ve just tried a lot of them and this is the simplest and best one I’ve found!]

Firstly this plugin detects anyone trying to login multiple times in a short period of time from the same IP address. It will notify you of these attempts if you want.

It can then easily be configured to lockout anyone who has tried unsuccessfully to login. The lockouts are highly configurable and you can define how long that IP address is blocked for (you may not want to block indefinitely in case you accidentally try the wrong password multiple times – don’t want to get yourself blocked from your own website!).

2. Google Authenticator

You should also use a 2 factor authentication plugin. Google Authenticator is the most well known tool for this but there are others e.g. Authy, LastPass Authenticator, …
And there are many plugins for WordPress which will allow you to set these up on your site.

I use this one. Note that you actually configure it from within the ‘Users’ menu, it does not have it’s own settings page.

This means that when you log in you’ll need your username, password, and your authenticator app. So even if the attacker guesses your password they won’t be able to get access since they don’t have your authentication code.

3. Change File Permissions

If you have SSH access to your WordPress host you can change the file permissions on the wp-login.php file. This will stop ANYONE from logging in by blocking access to the login page completely.

It will even stop you from logging in. So if you want to login you’ll need to change the file permissions back.

I do use this technique too but only when I know I’ll not be posting anything for a while.

To block access to your login page SSH into your wordpress site and run:
chmod 600 wp-login.php

To regain access, run:
chmod 644 wp-login.php

 

3 Comments

Leave a Reply

(email optional)