[webarch-wp] Brute force attacks on WordPress sites
Chris Croome
chris at webarchitects.co.uk
Sat Nov 8 16:13:06 GMT 2014
Hi
There are huge numbers of brute force attacks on WordPress sites --
attempts to guess admin passwords -- happening against sites we are
hosting every day.
To reduce the chance of your sites being compromised could everybody
please:
- Make sure you use good passwords
https://codex.wordpress.org/Brute_Force_Attacks#Good_Passwords
- Install a plugin to limit the rate at which these attacks can be run
https://codex.wordpress.org/Brute_Force_Attacks#Plugins
There are 10 suggested plugins at the URL above and I'd suggest every
site should at least have one of these 5 plugins installed and
configured to rate limit brute force attacks:
1. Brute Force Login Protection
This writes to your .htaccess file; however, there are reports of it
failing when servers are under high load. This shouldn't be an issue with
our servers, and the developer is working on a solution, but create
a backup of your .htaccess file and revert to it if your site
starts displaying server errors
https://wordpress.org/plugins/brute-force-login-protection/description/
2. BruteProtect
This is used to track every failed login attempt across all installed
users of the plugin, and it blocks that IP across the entire
BruteProtect network
https://wordpress.org/plugins/bruteprotect/
3. WP fail2ban
This is an ideal solution for virtual servers; we might
also support it on some shared servers at some point.
https://wordpress.org/plugins/wp-fail2ban/
4. All In One WP Security & Firewall
Lots of options, some of which have the potential to break your site; if
in doubt, only enable the brute force login attack prevention feature
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
5. WordFence Security
Lots of features (don't install this if you want something simple)
including two factor authentication with the Premium (paid for)
version
https://wordpress.org/plugins/wordfence/
- Consider asking us to set up your site to use HTTPS to ensure your
passwords are not transmitted unencrypted (and thus available to
anyone eavesdropping on your connection). Prices here:
- https://www.webarch.net/certs#certs
- Consider deploying some security by obscurity via these plugins:
1. Rename wp-login.php
Simple security by obscurity to change the login URL
https://wordpress.org/plugins/rename-wp-login/
2. Enforce Strong Password
Forces all users to have a strong password when they're changing it on
their profile page
https://wordpress.org/plugins/enforce-strong-password/
3. Admin renamer extended
Use this if your admin username is "admin"
https://wordpress.org/plugins/admin-renamer-extended/
4. Lockdown WP Admin
Security by obscurity by moving the admin URL, with the option to add
HTTP authentication
https://wordpress.org/plugins/lockdown-wp-admin/
5. Security-protection
Uses JavaScript to make it harder for bots to log in
https://wordpress.org/plugins/security-protection/
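To show what the rate-limiting plugins and WP fail2ban are actually doing for you, here is an added example (not code from this post or from any of the plugins above) that runs fail2ban-style detection over a web server access log: it counts failed logins per client IP and reports any IP that reaches "maxretry" failures inside a "findtime" window. The log lines are constructed samples in Apache combined format, and the script assumes the heuristic that WordPress answers a failed POST to wp-login.php by re-rendering the form with HTTP 200 while a successful login redirects with 302; the function and parameter names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format, documentation
# IP ranges); not real traffic.  203.0.113.7 hammers the login form,
# 198.51.100.4 views the form and logs in successfully, and 192.0.2.9 fails
# twice, 15 minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2014:16:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Nov/2014:16:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Nov/2014:16:01:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Nov/2014:16:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Nov/2014:16:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Nov/2014:16:01:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Nov/2014:16:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Nov/2014:16:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Nov/2014:16:35:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

# Client IP, bracketed timestamp, request line and status code of a
# combined-format line; the remaining fields are not needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_failed_logins(log_text):
    """Yield (ip, timestamp) for every request that looks like a failed login.

    Heuristic (an assumption of this example, not something the post states):
    a failed POST to wp-login.php gets the form back with HTTP 200, while a
    successful login is answered with a 302 redirect.  GETs are page views.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip rather than crash
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts


def find_offenders(log_text, maxretry=5, findtime_seconds=600):
    """Return {ip: time the threshold was crossed} for every IP that makes
    at least `maxretry` failed logins within any `findtime_seconds` window.

    This is the maxretry/findtime rule fail2ban applies; log lines are
    assumed to be in time order, as a live log is.
    """
    window = timedelta(seconds=findtime_seconds)
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for ip, ts in parse_failed_logins(log_text):
        if ip in flagged:
            continue  # already decided; a real deployment would block it now
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

With the defaults (5 failures in 10 minutes) only 203.0.113.7 is flagged; 192.0.2.9's two failures are 15 minutes apart, so they never share a window, which is the point of the findtime parameter: it distinguishes a brute force run from a user who mistypes a password now and then. Two caveats a practitioner would want: the status-code heuristic is only as good as the site's actual behaviour (a plugin that changes the login flow changes the signal, and the WP fail2ban plugin avoids this by logging failures explicitly to syslog), and if the site sits behind a reverse proxy or CDN, the first field of the log is the proxy's address, so the real client IP has to be taken from a forwarded-for header configured in the web server before any of this is meaningful.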
All the best
Chris
--
Webarchitects Co-operative
http://webarchitects.coop/
+44 114 276 9709
@webarchcoop