Protect your WordPress blog from hackers

In recent weeks I have seen repeated hacking attempts on my own and clients’ WordPress blogs. The hacking attempts are of the ‘dictionary’ type, where an automated script repeatedly attempts to log in to the blog, trying a new password on each attempt. If the password is weak, e.g. ‘abc’ (or, given enough attempts, even with a stronger password), then eventually the attacker will successfully log in to your blog and can then perform whatever actions are allowed for that user role (potentially including redirects to malware sites, or installing other scripts to facilitate hacking/spamming activities).

I’d recommend that anyone responsible for maintaining a WordPress blog should, in addition to their usual security processes, follow four steps to protect against this type of attack.

Step 1 – Passwords

Update your password regularly and ensure that it is ‘strong’. Also ensure it doesn’t contain common ‘dictionary’ words. A strong password should be at least 8 characters long (the longer the better), and should contain a mix of upper-case and lower-case letters, as well as numbers and special characters (e.g. comma, asterisk, exclamation mark). Ensure that all your blog users follow this step, especially if they have ‘Administrator’ or ‘Editor’ roles.
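The rules above can be enforced rather than just requested. The following is an added example for this post (not code from the original article or from WordPress itself): it checks the Step 1 rules whenever a password is set on the profile or ‘Add New User’ screen, or through the ‘Lost your password?’ form, and rejects the save if they are not met. The 8-character minimum follows the post; the names prefixed example_ and the short list of dictionary words are assumptions made for the illustration. Paste it into the active theme’s functions.php.

```php
<?php
// Added example, not from the original post: enforce the Step 1 password rules
// for every user. Names prefixed example_ and the word list are assumptions.

function example_password_problem( $password ) {
    // Returns '' when the password meets the rules, otherwise a short reason.
    $dictionary = array( 'password', 'letmein', 'welcome', 'qwerty', 'wordpress', 'admin' ); // constructed sample list

    if ( strlen( $password ) < 8 ) {
        return 'be at least 8 characters long';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        return 'contain both upper-case and lower-case letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        return 'contain at least one number';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        return 'contain at least one special character (e.g. , * !)';
    }
    foreach ( $dictionary as $word ) {
        // Case-insensitive substring match, so "Admin2014!" is still rejected.
        if ( false !== stripos( $password, $word ) ) {
            return 'not contain the common word "' . $word . '"';
        }
    }
    return '';
}

// Profile and Add New User screens: $user->user_pass is only set when a new
// password was typed, so an unchanged password passes straight through.
add_action( 'user_profile_update_errors', 'example_check_profile_password', 10, 3 );
function example_check_profile_password( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $problem = example_password_problem( $user->user_pass );
    if ( '' !== $problem ) {
        $errors->add( 'weak_password', '<strong>ERROR</strong>: The password must ' . $problem . '.' );
    }
}

// Password reset form: the new password arrives in $_POST['pass1'].
add_action( 'validate_password_reset', 'example_check_reset_password', 10, 2 );
function example_check_reset_password( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $problem = example_password_problem( wp_unslash( $_POST['pass1'] ) );
    if ( '' !== $problem ) {
        $errors->add( 'weak_password', '<strong>ERROR</strong>: The password must ' . $problem . '.' );
    }
}
```

Both hooks add an entry to the WP_Error object that WordPress already uses for the form, so the user sees the reason at the top of the screen and the weak password is never saved. Existing accounts are not checked retrospectively; ask users to change their password once after installing this.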

Step 2 – Login logging

Check if your blog is currently ‘under attack’. Install a login monitoring plug-in such as Login Logger by Stephen Merriman. To install a plug-in, go into your Dashboard (as an administrator), select the Plugins menu item, select ‘Add New’, search for ‘login logger’ or a similar phrase, choose a suitable plugin, then select ‘Install Now’.

If you installed Login Logger, you will now have a new option, ‘Login Logs’, in the Users menu. If you check this option regularly you will see a list of failed logins. Repeated attempts within a short time period, particularly with the username ‘admin’, may indicate a hacking attempt.

Step 3 – Protect login page

Protect your login form (wp-login.php) from unlimited login attempts and/or add a ‘captcha’.

The standard WordPress package does not limit the number of login attempts in any way. I would recommend that you install a plugin which limits login attempts to, say, 3 attempts before blocking further attempts for a given time period. One plugin which is quite simple to set up and use is Limit Login Attempts by Johan Eenfeldt.

After installing the plugin, go to Settings then select ‘Limit Login Attempts’ to configure settings and to view or reset the current block lists. The values you use depend on how your blog is used. If you are the sole administrator/user then you can be aggressive with the settings and only allow one login attempt with a lockout period of 24 hours or more! Don’t annoy genuine users if you have a multi-user blog though… And don’t lock yourself out, although you can reset your lockout if you can log in from a different IP address (e.g. smartphone over a 3G connection).

As well as limiting logins, you might decide to add a captcha to the login form. A captcha is an image displaying a word or phrase which the user then has to type in correctly to continue. Search for ‘captcha’ in the Add New plugin screen. There are a lot of choices but I don’t use a captcha currently so cannot recommend a specific plugin.
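To show what the plugins from Step 2 and Step 3 do behind the scenes, here is an added example (not code from the original post, and not the code of Login Logger or Limit Login Attempts): it writes every failed login to the PHP error log so that bursts are visible, counts failures per IP address, and refuses further logins from that address for a lockout period once the limit is reached. The 3-attempt limit follows the post; the 10-minute counting window, the 20-minute lockout, the transient names and the example_ function names are assumptions. It goes in the active theme’s functions.php.

```php
<?php
// Added example, not from the original post or either plugin it names.
// Thresholds, transient names and example_ names are assumptions.

define( 'EXAMPLE_MAX_ATTEMPTS', 3 );                          // failures before lockout (from the post)
define( 'EXAMPLE_WINDOW_SECONDS', 10 * MINUTE_IN_SECONDS );   // failures are counted within this window
define( 'EXAMPLE_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS );  // how long a locked address waits

function example_client_ip() {
    // REMOTE_ADDR is set by the web server; X-Forwarded-For is supplied by the
    // client and should only be trusted behind a proxy you control.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_attempt_key( $ip ) { return 'example_fail_' . md5( $ip ); }
function example_lock_key( $ip )    { return 'example_lock_' . md5( $ip ); }

// Step 2: log every failed login and count failures per address.
// wp_login_failed fires for the login form and for XML-RPC logins alike.
add_action( 'wp_login_failed', 'example_record_failed_login' );
function example_record_failed_login( $username ) {
    $ip = example_client_ip();
    error_log( sprintf( '[wp-login] failed login for "%s" from %s', $username, $ip ) );

    if ( get_transient( example_lock_key( $ip ) ) ) {
        return; // already locked out; do not extend the lockout on every retry
    }

    $count = (int) get_transient( example_attempt_key( $ip ) ) + 1;
    set_transient( example_attempt_key( $ip ), $count, EXAMPLE_WINDOW_SECONDS );

    if ( $count >= EXAMPLE_MAX_ATTEMPTS ) {
        set_transient( example_lock_key( $ip ), time() + EXAMPLE_LOCKOUT_SECONDS, EXAMPLE_LOCKOUT_SECONDS );
        delete_transient( example_attempt_key( $ip ) );
        error_log( sprintf( '[wp-login] lockout for %s after %d failures', $ip, $count ) );
    }
}

// Step 3: refuse authentication while the lockout is active. Priority 30 runs
// after WordPress's own username/password check (priority 20), so the lockout
// applies even when the submitted password happens to be correct.
add_filter( 'authenticate', 'example_block_locked_ip', 30, 3 );
function example_block_locked_ip( $user, $username, $password ) {
    $until = get_transient( example_lock_key( example_client_ip() ) );
    if ( $until && $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Please try again in %d minute(s).', $minutes )
        );
    }
    return $user;
}

// A successful login clears the failure counter for that address.
add_action( 'wp_login', 'example_clear_failed_logins' );
function example_clear_failed_logins( $user_login ) {
    delete_transient( example_attempt_key( example_client_ip() ) );
}
```

The log lines appear in whatever file PHP’s error_log is configured to use, which you can watch for the ‘repeated attempts in a short period’ pattern described in Step 2. Because the lockout is keyed on the client address, an attacker spread across many addresses is slowed down less than a single script is, which is why strong passwords (Step 1) remain the primary defence.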

Step 4 – Remove author lists

An optional step… Although most hacking attempts will target the ‘admin’ login name, some more sophisticated attempts are actually downloading your list of users and then performing the same attacks on each username in the list.

Some blogs publish author lists, and many blogs will have ‘Posted by username’ on each post. This information is thus publicly available to all, including hackers. But even on blogs where author links have been removed from the pages and posts, the information is unfortunately still available. Try going to your blog homepage, and then add the following to the end of the URL:

?author=1 (for example, http://www.example.com?author=1).

On most WordPress blogs, the ‘admin’ author archive page will be displayed. This can be repeated for other users simply by cycling through the number series e.g. author=2, author=3 and so on.

If you wish to prevent author information being displayed and you don’t use ‘posted by’ style links in your pages/posts, then you can edit your theme’s functions.php file (get a programmer to do this if you are not familiar with PHP!).

Add the following:

// Hook into query parsing and turn any author archive request into a 404.
add_action( 'parse_query', '_404_author_pages' );
function _404_author_pages( $query ) {
  // $query is the WP_Query object being parsed; check its own author flag
  // rather than the global is_author(), which only reflects the main query.
  if ( $query->is_author() ) $query->set_404();
}

This will now return a ‘page not found’ page if you try to access an author archive page. Again, only do this if you have removed all links to author pages and do not wish them to be displayed at all. You might need to edit your sitemaps, feeds and other items as well.
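Here is a fuller version of the Step 4 idea, added as an example for this post (it is not the original snippet and not code from WordPress or any plugin). It goes a little beyond the ?author=N case in the text: besides returning a 404 for author archives on the front end, it sends the 404 status code explicitly, points the theme’s author links at the home page so no /author/name/ URL is printed, and hides the users listing from the REST API for visitors who are not logged in (that last part only matters on WordPress 4.7 or later, which added the REST API). The example_ names are assumptions.

```php
<?php
// Added example extending Step 4; not the original post's snippet.
// Names prefixed example_ are assumptions.

// 1. Front-end author archives become a 404, whether requested as ?author=N
//    or as the pretty /author/name/ permalink. Limiting this to the main query
//    leaves secondary queries (widgets, related posts) untouched.
add_action( 'parse_query', 'example_404_author_archives' );
function example_404_author_archives( $query ) {
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_author() ) {
        return;
    }
    $query->set_404();
    // set_404() selects the not-found template; the status code is sent here so
    // the response is a real 404 rather than a 200 carrying the 404 template.
    status_header( 404 );
    nocache_headers();
}

// 2. Author links in the theme ("Posted by ...") no longer reveal /author/name/.
add_filter( 'author_link', 'example_author_link_to_home' );
function example_author_link_to_home( $link ) {
    return home_url( '/' );
}

// 3. The REST API users collection lists accounts that have published posts.
//    Remove those routes for anonymous requests; logged-in users keep them so
//    the block editor and admin screens still work.
add_filter( 'rest_endpoints', 'example_hide_rest_users_for_visitors' );
function example_hide_rest_users_for_visitors( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
```

After adding this, check the same things the post mentions: the XML sitemap and any feeds your theme or plugins generate may still contain author URLs and need adjusting separately, and the author of a post still appears in the HTML if the theme prints the display name as plain text.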

Comments

Excellent advice, I’ve implemented the above instructions and hope that the security risk is now reduced. Thanks

@Piemonte – it’s unfortunate, but the more popular a CMS becomes the more it becomes targeted by hackers…