Did you know that hackers may be trying to consume your server bandwidth and CPU resources at this very moment if you have a WordPress powered website?
Do you have any mechanism to know that someone is trying to get into your website? Do you have any protection mechanism enabled?
You Might Have Heard Of BruteForce Attacks
A large botnet of more than 90,000 compromised servers has been attempting to break into WordPress websites at random by continually trying to get into the WordPress admin dashboard using the default “admin” username and guessing passwords.
This isn’t an old story. InMotion reported about these brute force attacks on 17th July 2014 and a couple of websites on Krishna World Wide Hosting servers came under attack in the last two days as well.
Your Username And Password Might Be Strong
If you have been using WordPress for some time, you should know by now that “admin,” as a username, is very poor website security. In fact, some web hosts require you to remove that username to comply with their security policies.
However, the problem is this: even if these botnet attackers never get into your website, simply by continuously trying to log in they can consume all your bandwidth and possibly bring down your server.
Know If Anyone Tries To Hack Into Your WP-ADMIN
There are many good WordPress plugins that notify you when someone is continuously trying to hack into your WordPress administration. They also perform other security checks on your site.
Since Sucuri is actively scanning and protecting all websites hosted at Krishna World Wide servers, I only use Limit Login Attempts to get notified when somebody is repeatedly trying to guess a username and/or password for my websites.
If you are not using the premium services of Sucuri, you might want to use one of these top WordPress security plugins as I list them for your reference here:
- iThemes Security (formerly Better WP Security.)
- Wordfence Security
These are some of the most widely used and admired WordPress plugins loaded with features essential to protect your website against several vulnerabilities.
Lock Down Your WP-ADMIN Access In Two Steps
Limit Login Attempts is a great way to get notified when someone tries to get into your WordPress administration a specific number of times in a row. You can set it up to send you an email when that happens.
Well, this is how I found out that I was under attack. I received about 30 emails within six hours from my server. I knew that it was a brute force attack since the IP address was different after each lockout.
Now, this is one thing that I knew I would need to address one day. I had known about it for some time, but I was waiting for something like this to happen before acting. Usually, I am not big on adding new plugins to my WordPress.
But it was time to act, so here is what I did, starting with step 1 towards tightening my WordPress security.
Step 1 – Hide WP-ADMIN From Public View
WordPress’ default login URL is /wp-login.php (or you can just type in /wp-admin/ and it’ll redirect you there if not yet logged in). For example, you could just enter: http://www.example.com/wp-login.php and a login screen will render.
The trouble is, it is a standard WordPress login screen and hackers try to get access to your WordPress administration area by invoking this default PHP file.
So, the first thing I did was to install a small free plugin called Lockdown WP Admin which allows you to conceal the WordPress administration and login screen from intruders. It can hide both WordPress Admin (/wp-admin/) and the login page (/wp-login.php).
The plugin also allows you to change the wp-login.php URL without touching WordPress code. This is an excellent way to block hackers and brute force spammers from getting access to your login screens.
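To show the mechanism behind hiding the login screen, here is an added example of a small must-use plugin (this is my own illustration, not code from Lockdown WP Admin). It assumes you drop it into wp-content/mu-plugins/ and change the placeholder key name and value; it gates /wp-login.php on a secret query parameter that is remembered for an hour in a cookie, and answers everyone else with a plain 404 so the login form is never rendered and no password is ever checked.

```php
<?php
/**
 * Plugin Name: Hidden Login Gate (example)
 * Description: Added example, not the Lockdown WP Admin plugin's code.
 * Requires a secret query key on wp-login.php; everyone else gets a 404.
 */

// Assumed placeholders: change both the key name and value before use.
const HLG_KEY_NAME  = 'gate';
const HLG_KEY_VALUE = 'CHANGE-ME-to-a-long-random-string';
const HLG_COOKIE    = 'hlg_gate';

// 'login_init' fires at the top of wp-login.php, before the form is rendered
// and before any credentials are checked.
add_action( 'login_init', function () {
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';

    // Keep these flows working without the key: logged-in users (e.g. ?action=logout),
    // password-protected post submissions (postpass), and password-reset links
    // (rp / resetpass), which already carry their own one-time key.
    if ( is_user_logged_in() || in_array( $action, array( 'postpass', 'rp', 'resetpass' ), true ) ) {
        return;
    }

    $token      = hash( 'sha256', HLG_KEY_VALUE );   // what the cookie stores, not the key itself
    $has_key    = isset( $_GET[ HLG_KEY_NAME ] )
                  && hash_equals( HLG_KEY_VALUE, (string) $_GET[ HLG_KEY_NAME ] );
    $has_cookie = isset( $_COOKIE[ HLG_COOKIE ] )
                  && hash_equals( $token, (string) $_COOKIE[ HLG_COOKIE ] );

    if ( $has_key ) {
        // The login form POSTs back to wp-login.php without the query string, so
        // remember the visitor for an hour. HttpOnly, and Secure when on HTTPS.
        setcookie( HLG_COOKIE, $token, time() + HOUR_IN_SECONDS, '/', '', is_ssl(), true );
        return;
    }
    if ( $has_cookie ) {
        return;
    }

    // Anyone else sees the same 404 a non-existent page would give.
    status_header( 404 );
    nocache_headers();
    exit;
} );
```

Bookmark the gated address (for example https://www.example.com/wp-login.php?gate=your-value) and keep it out of any public page; the plugin deliberately does not add the key to the login links WordPress prints on the front end, because that would publish it. Failed guesses against the bare /wp-login.php still arrive at the server, but they are answered with a 404 before WordPress loads the login form or touches the user table.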
Step 2 – Disable XML-RPC Access On Your WordPress Website
The “failed login attempts” emails didn’t stop, even after hiding my wp-admin URL. Initially, it seemed strange. But, after investigating the problem, I found out that hackers have gone to the next level.
They are not just trying to access your /wp-login.php file. If that doesn’t seem to work for them, they turn towards XML-RPC based access. They kept pounding my server with failed attempts through XML-RPC this time.
It is interesting to know that most of us DO NOT publish anything remotely. Most of us have no use for the XML-RPC option. If you use an iPhone, as I do, or another smartphone to access your WordPress administration, you probably have some use for XML-RPC. But is that much flexibility worth the risk of being hacked? I don’t think so!
WordPress used to have an option in the settings area to enable or disable XML-RPC. From version 3.5 onwards that option was removed, and XML-RPC is now enabled by default for every WordPress installation.
I decided to disable XML-RPC on my websites because I wanted the brute force attacks to stop. So, I installed another small WordPress plugin called Disable XML-RPC. All I had to do was activate the plugin and XML-RPC was instantly disabled.
Yes, I could not access WordPress administration from my iPhone anymore. But, I have not received a single “Failed login attempts” email on any of my websites since then.
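For those who prefer to see what such a plugin actually does, here is an added example of a must-use plugin (my own illustration, not the Disable XML-RPC plugin's code). It uses WordPress core's own xmlrpc_enabled, xmlrpc_methods and wp_headers filters: the first refuses every XML-RPC login so password guessing through xmlrpc.php gets a fault instead of an authentication check, the others remove the pingback methods that need no login and stop advertising the endpoint.

```php
<?php
/**
 * Plugin Name: XML-RPC Lockdown (example)
 * Description: Added example, not the Disable XML-RPC plugin's code. Turns off
 * authenticated XML-RPC methods, removes pingbacks and hides the endpoint.
 */

// 1. Refuse every XML-RPC login. Core checks this filter in
//    wp_xmlrpc_server::login() before it looks at the supplied password, so any
//    method that needs credentials returns fault 405
//    ("XML-RPC services are disabled on this site.") without a password check.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Pingbacks do not require a login, so the filter above leaves them on.
//    Remove them as well unless you actually rely on them.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop announcing the endpoint: drop the X-Pingback response header and the
//    RSD discovery <link> that WordPress prints in the page head.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

If you still need a mobile app, step 1 is the one that matters for brute force: with xmlrpc_enabled returning false the bots get the same 405 fault for every guess, and your web server log for POST /xmlrpc.php becomes a simple count of how often they try.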
Conclusion
Strong passwords, custom table names, removal of WordPress and server footprints are important aspects of locking down your WordPress from unauthorized access.
However, to protect yourself from brute force attacks, hiding your WP-ADMIN, changing the URL for /wp-login.php to something else, and disabling XML-RPC on your WordPress installation are equally important.
Your Turn To Share – Any Better Ideas?
If you have faced brute force attacks on any of your WordPress websites, how did you get them stopped? Do you have any better ideas on XML-RPC? Can it be locked down against unauthorized access without disabling it?
If you have any experience on this subject, please share your thoughts and add value to this post. Thank you kindly!
