[wp-hackers] Admin Login Brute Force Attacks

madalin niladam at gmail.com
Wed Mar 20 18:49:40 UTC 2013 

+1


On Wed, Mar 20, 2013 at 8:19 PM, Chris Williams <chris at clwill.com> wrote:

> I have about a dozen WP sites that I manage, and recently experienced a
> break-in on many of them.  After a bunch of work I located all the hacked
> files (virtually every index.php, header.php, footer.php, and functions.php
> they could find) along with some cute additions to wp-includes, and cleaned
> up the sites.  Was annoying, especially since the attack got the sites
> listed on AVG's threat labs for 30 days.  Ugh...  But that's behind me.
>
> I rigorously keep them up to date (see other thread) in all but one case
> where updates are prevented by dependencies.  Nonetheless, the sites are
> under constant attack (lately from one especially tenacious IP address in
> Russia) attempting brute force attacks on the admin account.  I believe
> this is how access was gained.  Since this attack I have:
>
>  *   Removed the "admin" account in favor of another username with admin
> privs.  Should have done this ages ago, of course
>  *   Gone with much more robust (and different per site -- doh!) passwords
> for the account with admin privs
>  *   Set the config parameter to remove file editing capability (I believe
> this is how the files were changed)
>  *   Installed the "exploit scanner" plug-in and review it at least weekly
>  *   Installed the "limit login attempts" plug-in and have it send me
> lockout information
>
> Since I have taken these measures, the sites have been clean.  Still, the
> sites are under attack, and I get daily notices from "limit login attempts"
> of IPs being locked out due to repeated attempts to login to "admin".  They
> get four tries, after that they get an hour timeout, if they get four hour
> timeouts, they are locked out for a day (and I get a notice).  At least one
> of my sites sends me a notice every day.  Often from this same IP.  At
> least I know they aren't getting more than 16 tries a day :)
>
> Of course, I could simply put this IP in the .htaccess file, and I will
> likely do that if s/he doesn't give up here soon.  But this has me thinking
> about what WP could do in core to improve defense against brute force
> attacks against accounts with administrator privileges.
>
> I'd like to see WP have as core functionality at least two things:
>
>  1.  Limiting of login attempts.  Virtually every system that uses
> username/password to control access has some limit on attempts.  They vary
> widely, but the approach the "limit login attempts" plugin uses is pretty
> good.  I'd like to see this in core.
>  2.  Some recording of logins, at the very least "last login date/time"
> per user.  So when you are logged in, up there near "Howdy" would be "last
> login at: xxx".  If this had been in place, like it is on my bank account
> and many other places (that I check every time I log in), I would likely
> have noticed the brute force break-in days sooner and limited the damage.
>
> As someone on the other thread noted, WP has done a great job of closing
> up vulnerabilities, but literally every WP site on the planet (all
> 60,000,000 of them) is vulnerable to brute force attacks.  These seem like
> small, relatively easy measures to help defend against them.
>
> Chris
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
Cu drag,
madalin
http://madalin.eu

More information about the wp-hackers mailing list