[wp-hackers] Admin Login Brute Force Attacks

Marko Heijnen mailing at markoheijnen.nl
Wed Mar 20 19:33:42 UTC 2013


Hey,

I wouldn't recommend this plugin. You only need it when you don't trust the plugins you are using. For me it would give me false trust that everything is safer.
The reason is that most things aren't needed or are fixed in the wrong place. Executable file uploads can't be done or can be fixed by using filters.
Also PHP files in the upload folder shouldn't be executable at all. You can solve that with .htaccess or nginx rules.

You are already doing one thing well, and that is limiting the amount of failed logins. You can still force better passwords.
That is also something WordPress should do by default. In my case I'm running a network site and will implement an IP check for all super admin accounts.
But yeah, something like that would be for plugins to take care of.

Marko

On 20 Mar 2013, at 20:09, Joan Artés <jartes at gmail.com> wrote:

> Hi!
> 
> I also recommend the Firewall 2 Plugin (http://wordpress.org/extend/plugins/wordpress-firewall-2/) to avoid sql injection attacks and more. 
> 
> I know that this plugin has not been updated since 2010, but it works and does its job (I have it installed on over 100 sites).
> 
> Regards,
> 
> Joan Artés 
> http://joanartes.com
> 
> On 20/03/2013, at 19:54, Alex Rayan <alexrayan69 at gmail.com> wrote:
> 
>> Hi Chris,
>> 
>> I'm also managing dozens of WordPress instances and have "limit login
>> attempts" installed on most of these sites. I also disabled the error
>> message that is displayed on incorrect username / password attempt by
>> default since this message shows specifically what (username or password)
>> was incorrect.
>> With that disabled, brute force attacks are pretty useless with a strong
>> username / password combination so one wouldn't need to worry about that.
>> I also have "Activity Monitor" plugin installed that allows you to monitor
>> selectively what activity happened in the backend including login attempts
>> with incorrect passwords and usernames tried.
>> Most of the logs of Activity Monitor show that the first and only username
>> tried in brute force attacks is "admin". And since the error message for
>> incorrect login is disabled, there is no way for the code to know that
>> "admin" username doesn't exist, so the code usually keeps trying to "guess"
>> the password for the username "admin".
>> In short, brute force attacks are a common occurrence, but by disabling the
>> error message we could significantly limit the possibility of "guessing"
>> the right username / password combination.
>> 
>> Best regards,
>> Alex
>> 
>> 
>> On Wed, Mar 20, 2013 at 2:19 PM, Chris Williams <chris at clwill.com> wrote:
>> 
>>> I have about a dozen WP sites that I manage, and recently experienced a
>>> break-in on many of them.  After a bunch of work I located all the hacked
>>> files (virtually every index.php, header.php, footer.php, and functions.php
>>> they could find) along with some cute additions to wp-includes, and cleaned
>>> up the sites.  Was annoying, especially since the attack got the sites
>>> listed on AVG's threat labs for 30 days.  Ugh...  But that's behind me.
>>> 
>>> I rigorously keep them up to date (see other thread) in all but one case
>>> where updates are prevented by dependencies.  Nonetheless, the sites are
>>> under constant attack (lately from one especially tenacious IP address in
>>> Russia) attempting brute force attacks on the admin account.  I believe
>>> this is how access was gained.  Since this attack I have:
>>> 
>>> *   Removed the "admin" account in favor of another username with admin
>>> privs.  Should have done this ages ago, of course
>>> *   Gone with much more robust (and different per site -- doh!) passwords
>>> for the account with admin privs
>>> *   Set the config parameter to remove file editing capability (I believe
>>> this is how the files were changed)
>>> *   Installed the "exploit scanner" plug-in and review it at least weekly
>>> *   Installed the "limit login attempts" plug-in and have it send me
>>> lockout information
>>> 
>>> Since I have taken these measures, the sites have been clean.  Still, the
>>> sites are under attack, and I get daily notices from "limit login attempts"
>>> of IPs being locked out due to repeated attempts to login to "admin".  They
>>> get four tries, after that they get an hour timeout, if they get four hour
>>> timeouts, they are locked out for a day (and I get a notice).  At least one
>>> of my sites sends me a notice every day.  Often from this same IP.  At
>>> least I know they aren't getting more than 16 tries a day :)
>>> 
>>> Of course, I could simply put this IP in the .htaccess file, and I will
>>> likely do that if s/he doesn't give up here soon.  But this has me thinking
>>> about what WP could do in core to improve defense against brute force
>>> attacks against accounts with administrator privileges.
>>> 
>>> I'd like to see WP have as core functionality at least two things:
>>> 
>>> 1.  Limiting of login attempts.  Virtually every system that uses
>>> username/password to control access has some limit on attempts.  They vary
>>> widely, but the approach the "limit login attempts" plugin uses is pretty
>>> good.  I'd like to see this in core.
>>> 2.  Some recording of logins, at the very least "last login date/time"
>>> per user.  So when you are logged in, up there near "Howdy" would be "last
>>> login at: xxx".  If this had been in place, like it is on my bank account
>>> and many other places (that I check every time I log in), I would likely
>>> have noticed the brute force break-in days sooner and limited the damage.
>>> 
>>> As someone on the other thread noted, WP has done a great job of closing
>>> up vulnerabilities, but literally every WP site on the planet (all
>>> 60,000,000 of them) is vulnerable to brute force attacks.  These seem like
>>> small, relatively easy measures to help defend against them.
>>> 
>>> Chris
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers

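The lockout policy Chris describes (four tries, then an hour out; four hourly lockouts, then a day out plus a notice) can be expressed in a few WordPress hooks. The following must-use plugin is an added example written for this page, not code from the thread or from the "limit login attempts" plugin, and its constant names, transient keys and message texts are my own. It assumes PHP sees the client address directly in REMOTE_ADDR; behind a reverse proxy or CDN that assumption is wrong and must be replaced, as the comment says.

```php
<?php
/**
 * Plugin Name: Login lockout example
 * Description: Added example (not from the thread or the "limit login
 * attempts" plugin). Four failed attempts from one IP lock it for an hour;
 * the fourth hourly lockout becomes a day-long one and mails the site admin.
 *
 * Drop into wp-content/mu-plugins/ so it cannot be switched off from wp-admin.
 */

define( 'LL_LOCKOUT_AFTER', 4 );               // failed attempts before a lockout
define( 'LL_LONG_AFTER',    4 );               // lockouts before the long lockout
define( 'LL_SHORT_LOCK',    HOUR_IN_SECONDS ); // WordPress core constants
define( 'LL_LONG_LOCK',     DAY_IN_SECONDS );
define( 'LL_COUNTER_TTL',   DAY_IN_SECONDS );  // counters expire after a quiet day

// Assumption: PHP sees the client directly. Behind a reverse proxy or CDN
// REMOTE_ADDR is the proxy's address; take the client address from the header
// your own proxy sets, and only for requests that really came from that proxy,
// otherwise one attacker can lock out everybody or spoof any address.
function ll_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_key( $what, $ip ) {
	return 'll_' . $what . '_' . md5( $ip ); // keeps the transient name short
}

// Refuse a locked-out IP before the password is checked. wp_authenticate_user
// is applied inside core's username/password handler after the user is looked
// up and before wp_check_password(), so returning a WP_Error skips the check.
add_filter( 'wp_authenticate_user', 'll_refuse_if_locked', 10, 2 );
function ll_refuse_if_locked( $user, $password ) {
	if ( get_transient( ll_key( 'locked', ll_client_ip() ) ) ) {
		return new WP_Error( 'll_locked', __( 'Too many failed logins from your address. Try again later.' ) );
	}
	return $user;
}

// Count failures; escalate to a short lockout, then to a long one.
add_action( 'wp_login_failed', 'll_on_failed_login' );
function ll_on_failed_login( $username ) {
	$ip = ll_client_ip();
	if ( get_transient( ll_key( 'locked', $ip ) ) ) {
		return; // attempts made during a lockout do not extend it
	}
	$fails = (int) get_transient( ll_key( 'fails', $ip ) ) + 1;
	if ( $fails < LL_LOCKOUT_AFTER ) {
		set_transient( ll_key( 'fails', $ip ), $fails, LL_COUNTER_TTL );
		return;
	}
	delete_transient( ll_key( 'fails', $ip ) );
	$locks = (int) get_transient( ll_key( 'locks', $ip ) ) + 1;
	if ( $locks < LL_LONG_AFTER ) {
		set_transient( ll_key( 'locks', $ip ), $locks, LL_COUNTER_TTL );
		set_transient( ll_key( 'locked', $ip ), time(), LL_SHORT_LOCK );
		return;
	}
	delete_transient( ll_key( 'locks', $ip ) );
	set_transient( ll_key( 'locked', $ip ), time(), LL_LONG_LOCK );
	wp_mail(
		get_option( 'admin_email' ),
		sprintf( '[%s] %s locked out for a day', get_bloginfo( 'name' ), $ip ),
		sprintf( "IP %s hit %d lockouts. Last username tried: %s\n", $ip, LL_LONG_AFTER, $username )
	);
}

// A successful login clears the failure counter but not the lockout history,
// so guessing one weak account does not reset the escalation for that IP.
add_action( 'wp_login', 'll_on_successful_login' );
function ll_on_successful_login() {
	delete_transient( ll_key( 'fails', ll_client_ip() ) );
}
```

Two things to check before relying on this. Transients live in the options table or, if a persistent object cache is installed, in that cache; an evicting cache (memcached under memory pressure) can drop the counters, and the limiter then fails open. On a network install transients are per site, so use the site transient functions if one lockout should cover the whole network, which is what Marko's network case would want.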

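Three other measures proposed in the thread, Marko's IP check on super admin accounts, Alex's generic login error, and Chris's "last login" display next to "Howdy", can also be done with core hooks. The plugin below is an added example written for this page, not code from the thread or from any of the plugins it names. The allowlist addresses are placeholders from documentation ranges, the meta keys and function names are my own, and the IP matching is IPv4 only (an IPv6 client never matches and is therefore denied).

```php
<?php
/**
 * Plugin Name: Admin login hardening example
 * Description: Added example (not from the thread). Super admin logins are
 * only accepted from an IP allowlist, the login error no longer says which
 * of username or password was wrong, and each user's previous login is
 * recorded and shown in the admin bar next to "Howdy".
 */

// Assumption: the addresses super admins log in from (office, VPN egress).
define( 'ALH_SUPER_ADMIN_IPS', '203.0.113.10,198.51.100.0/24' );

// Same caveat as any IP-based control: behind a reverse proxy take the client
// address from the header your proxy sets, not from REMOTE_ADDR.
function alh_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Match an IPv4 address against entries like "203.0.113.10" or "198.51.100.0/24".
function alh_ip_allowed( $ip, array $list ) {
	$addr = ip2long( $ip );
	if ( false === $addr ) {
		return false;
	}
	foreach ( $list as $entry ) {
		if ( false === strpos( $entry, '/' ) ) {
			if ( $ip === $entry ) {
				return true;
			}
			continue;
		}
		list( $net, $bits ) = explode( '/', $entry, 2 );
		$mask = -1 << ( 32 - (int) $bits );
		if ( ( $addr & $mask ) === ( ip2long( $net ) & $mask ) ) {
			return true;
		}
	}
	return false;
}

// 1. Super admins: deny unless the request comes from an allowlisted address.
// Priority 30 runs after core's username/password check (priority 20), so
// $user is a WP_User only when the password was right. XML-RPC logins go
// through the same filter, so the allowlist covers that route as well.
// On a single site is_super_admin() means "has the delete_users capability".
add_filter( 'authenticate', 'alh_restrict_super_admin_ip', 30, 3 );
function alh_restrict_super_admin_ip( $user, $username, $password ) {
	if ( ! ( $user instanceof WP_User ) || ! is_super_admin( $user->ID ) ) {
		return $user;
	}
	$allowed = array_map( 'trim', explode( ',', ALH_SUPER_ADMIN_IPS ) );
	if ( alh_ip_allowed( alh_client_ip(), $allowed ) ) {
		return $user;
	}
	return new WP_Error( 'alh_ip_denied', __( 'Login denied.' ) );
}

// 2. One generic message for every error shown on wp-login.php, so the page
// never says whether it was the username or the password that was wrong.
add_filter( 'login_errors', 'alh_generic_login_error' );
function alh_generic_login_error( $errors ) {
	return __( 'Invalid username or password.' );
}

// 3. Record the previous login (time and address) and show it in the admin bar.
add_action( 'wp_login', 'alh_record_login', 10, 2 );
function alh_record_login( $user_login, $user ) {
	$last = get_user_meta( $user->ID, 'alh_last_login', true );
	if ( $last ) {
		update_user_meta( $user->ID, 'alh_previous_login', $last );
	}
	update_user_meta( $user->ID, 'alh_last_login', time() . '|' . alh_client_ip() );
}

add_action( 'admin_bar_menu', 'alh_show_previous_login', 999 );
function alh_show_previous_login( $wp_admin_bar ) {
	$previous = get_user_meta( get_current_user_id(), 'alh_previous_login', true );
	if ( ! $previous ) {
		return;
	}
	list( $when, $ip ) = explode( '|', $previous, 2 );
	$wp_admin_bar->add_node( array(
		'id'     => 'alh-previous-login',
		'parent' => 'top-secondary', // the right-hand group that holds "Howdy"
		'title'  => sprintf( 'Previous login: %s from %s',
			date_i18n( 'Y-m-d H:i', (int) $when ), esc_html( $ip ) ),
	) );
}
```

The generic error message only hides what the login page says; it does not stop username enumeration by other means, for example requesting /?author=1, which redirects to the author archive URL containing the login name. Treat it as removing a convenience for the attacker, not as making usernames secret.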

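Marko's point that PHP files under the upload folder should never execute is a web server rule, not a WordPress setting. Below is the nginx form of that rule as an added example written for this page, not configuration from the thread; it assumes a PHP-FPM socket at /run/php-fpm.sock and a document root of /var/www/html, and it shows the common generic PHP location beside the deny rule that must precede it.

```nginx
# Added example (not from the thread): stop PHP execution under wp-content/uploads.
server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php;

    # HARDENED: anything under uploads that looks like PHP is refused outright.
    # nginx tests regex locations in the order written and takes the first
    # match, so this block must appear before the generic \.php block below.
    # The (/|$) also covers "shell.php/x.jpg" style PATH_INFO requests.
    location ~* ^/wp-content/uploads/.*\.php(/|$) {
        deny all;
    }

    # WEAK as commonly written: without the block above (or with it placed
    # after this one) an uploaded wp-content/uploads/2013/03/shell.php is
    # handed to PHP-FPM like any other script.
    location ~ \.php$ {
        try_files $uri =404;   # never pass a non-existent path to PHP
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

On a network install created before WordPress 3.5 the per-site uploads live under wp-content/blogs.dir/ rather than wp-content/uploads/, so the deny pattern needs a second location for that path. Whatever the path, verify the rule the way an attacker would: place a harmless test.php in the uploads directory, request it, and confirm you get a 403 rather than the script's output.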