WordPress Security Advisory: Harden Your Admin Login

There has been news lately of a distributed attack against WordPress sites. A growing botnet has been running dictionary attacks against sites powered by WordPress, in an effort to gain access to the admin panel and infect the server. As is usually the case with botnets, infected servers are assimilated into the pool of compromised systems that make up the botnet and put to use for nefarious purposes such as DDoS attacks.

It’s important to note that this is not a WordPress security flaw, but rather an attempt to systematically guess passwords.

The attacks consist of simple POST requests to wp-login.php with a supplied username of admin and one of many simple, insecure passwords. I’ve noticed plenty in my logs, including rainydays, sophie1, and wordpress. The requests come from a rotation of IP addresses in the botnet, making it difficult to block them outright.

It’s easy enough to protect yourself from the attacks, providing you follow some simple best practices.

1. Get Rid of the Admin User

Historically, every WordPress installation would come with an administrative user named admin, which was created during the setup process. In more recent versions, the setup screen prompts you to choose your own username instead of providing a default. Check the Users screen in your WordPress backend to see if a user named admin exists. If it does, you should replace it with a profile that has a unique name, ensuring that the new account has administrative privileges.

Having a user account with that default name is a bad idea, because numerous attacks over the years have operated under the assumption that the operators of many WordPress sites will have been too lazy to change it. The current attack only tries passwords for a user named admin, as well, so ensuring that such a user does not exist will go a long way toward protecting your site.

2. Set a Strong Password

What’s the common theme among these passwords?

  • sophie1
  • rainydays
  • roberts
  • online
  • onions

They’re all incredibly simple and insecure, and they’re all ones that were tried right here on Webmaster-Source recently. Obviously you want to avoid passwords like those if you want to avoid being compromised.

For a basic, reasonably strong password, your password should:

  • Be at least eight characters long
  • Have a mixture of upper and lower case letters
  • Contain numbers and non-alphanumeric symbols

An easy way to create something secure and memorable is to pick a phrase that means something to you and use the first letter of each word, mixing up the case and adding some numbers and symbols. For example, “The Wheel of Time turns and Ages come and pass” would become TWoTtaAc&p13. Complex, yet still possible to remember.

Or you could go with the XKCD method and pick four random, unrelated words and use them as your passphrase. (e.g. “double pizza kitten book.”) As the comic explains, such a password can actually be more secure against a brute-force attack, and is far easier to remember than a conventional password.
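To make the two methods above concrete, here is an added Python example (not code from the post) that checks a candidate against the three rules listed, derives the first-letter acronym from a phrase the way the post describes, and estimates the entropy of an XKCD-style passphrase. The dictionary size of 7776 words and the observed-guess list are assumptions taken from the post's own examples.

```python
import math
import string

# Passwords the post reports seeing in its logs (constructed from the page above).
OBSERVED_GUESSES = {"sophie1", "rainydays", "roberts", "online", "onions", "wordpress"}

def meets_basic_policy(password):
    """The three rules above: >= 8 chars, both letter cases, a digit and a symbol."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def phrase_to_acronym(phrase):
    """First letter of every word, keeping each word's own case. This is the
    post's method before the manual number/symbol substitutions are applied."""
    return "".join(word[0] for word in phrase.split())

def passphrase_entropy_bits(n_words, dictionary_size):
    """Entropy of n_words chosen uniformly at random from a word list (XKCD method)."""
    return n_words * math.log2(dictionary_size)

def assess(password):
    """Summarise whether a candidate would survive the dictionary attack described."""
    return {
        "in_observed_dictionary": password.lower() in OBSERVED_GUESSES,
        "meets_policy": meets_basic_policy(password),
    }

if __name__ == "__main__":
    for pw in ["sophie1", "TWoTtaAcap", "TWoTtaAc&p13", "double pizza kitten book"]:
        print(pw, assess(pw))
    print(phrase_to_acronym("The Wheel of Time turns and Ages come and pass"))
    # four words from a 7776-word list (assumption: a Diceware-sized dictionary)
    print(round(passphrase_entropy_bits(4, 7776), 1))
```

Note that the four-word passphrase fails the character rules yet carries roughly 52 bits of entropy, which is the point the comic makes: the rules are a floor for conventional passwords, not a measure of strength.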

3. Block the Bots

Install a plugin like Bad Behavior (which will also help cut down on spam comments) or Limit Login Attempts. Both plugins attempt to hinder bot activity, though through different means. Bad Behavior detects suspicious requests and blocks them, optionally using the Project Honeypot database to improve its effectiveness. Limit Login Attempts will block IP addresses if they continually make incorrect login attempts.
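The following added Python model (not the plugin's code) shows what a per-IP lockout like Limit Login Attempts buys you, and why the post's note about rotating IP addresses matters: the same 150 guesses for the admin account are stopped after four when they come from one host, but never trigger a lockout when spread across fifty bots. The thresholds (4 failures, 20-minute window and lockout) and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict

class LoginLimiter:
    """Per-IP failed-login throttle in the style of Limit Login Attempts (constructed
    model, not the plugin's code). Defaults are assumptions: 4 failures inside a
    20-minute window lock that IP out for 20 minutes."""

    def __init__(self, max_failures=4, window=1200, lockout=1200):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register one failed wp-login.php POST; return True if ip is now locked."""
        recent = [t for t in self.failures[ip] if now - t < self.window] + [now]
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures[ip] = []
            return True
        self.failures[ip] = recent
        return False

def replay(attempts, limiter):
    """Replay (timestamp, ip, username) failed-login events through the limiter.
    Returns (guesses WordPress actually had to check, set of IPs ever locked out)."""
    reached = 0
    for ts, ip, _user in attempts:
        if limiter.is_locked(ip, ts):
            continue                      # rejected before the password is checked
        reached += 1
        limiter.record_failure(ip, ts)
    return reached, set(limiter.locked_until)

def single_ip_attack(guesses):
    # constructed: one host hammering the "admin" account, one POST per second
    return [(t, "198.51.100.7", "admin") for t in range(guesses)]

def botnet_attack(n_ips, guesses_per_ip):
    # constructed: the same kind of traffic rotated round-robin across n_ips bots
    events, t = [], 0
    for _ in range(guesses_per_ip):
        for i in range(n_ips):
            events.append((t, f"203.0.113.{i + 1}", "admin"))
            t += 1
    return events

if __name__ == "__main__":
    print(replay(single_ip_attack(150), LoginLimiter()))   # one IP: locked after 4
    print(replay(botnet_attack(50, 3), LoginLimiter()))    # 50 IPs x 3: no lockout
```

This is why the post pairs the plugin with removing the admin user: the lockout raises the cost per IP, while a non-existent target username defeats the whole campaign regardless of how many addresses it rotates through.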

4. CloudFlare

CloudFlare is an interesting service that speeds up your site and mitigates security threats by sitting between the user and your server. You update your domain to point to their servers, and they act similarly to a CDN, caching your site and analyzing the incoming traffic. If you’re running off a cheap shared hosting plan, it could make a significant improvement to your loading speed. I don’t use their services personally, but they’ve been instrumental in mitigating DDoS attacks and traffic spikes for some high-profile sites, and they’re on top of the current WordPress threat.

  • http://thecyberwave.com/groups/prada-bags-mass-conversation-courses-739997083/ Garfield

    An outstanding share! I’ve just forwarded this onto a coworker who was conducting a little homework on this. And he in fact bought me dinner because I discovered it for him… lol. So let me reword this…. Thank YOU for the meal!! But yeah, thanks for spending the time to discuss this issue here on your blog.

  • http://genlack.com Steve Lack

    This is a great post and I am forwarding it to my WordPress clients. The funny thing is that all the comments (except this one) seem to be spam!

    Great blog!


    • http://www.webmaster-source.com Matt

      I know, it’s kind of ironic. I haven’t been able to find a pattern to it yet. They’re all from different IPs, and they’re slipping through Akismet and Bad Behavior. It’s just this post, too; it’s getting hammered.