WordPress sites are under a real attack, and whoever is behind it wants to damage your site. The problem is that most people are not aware of it, for two reasons. First, there is not enough knowledge available on the subject. Second, people cover it with too much jargon or do not provide enough information.
WordPress Security Threat
Hostgator was the first to recognize the threat publicly in their post Global WordPress Brute Force Flood. Another great source is a series of posts by Sucuri's security team, covering how to protect your site, the reality of the attacks, and the consequences of such attacks. Another post that covers it extensively is on Krebs on Security. What happens is that someone uses botnets to subvert your site.
The attacker has two primary goals, which will be discussed further on. Either way, these botnets try to get into your system and, failing that, they try to overwhelm it by creating so many login requests that your server is overloaded. To do that, they use many different computers that they have compromised with different kinds of malware.
All of these computers are trying to guess your password to get into your site. They try different combinations of possible logins and passwords to gain access.
Aim of the attack
It is obvious they want to subvert your site to send spam and to use it for their illegal activities. They can use the botnets to take websites down and to breach otherwise secured systems. In short, they want to make using the internet a nightmare. That is why it is imperative that people operating these websites stay vigilant against all such efforts.
Danger to your site
You can classify the danger into two categories. The first is that they succeed in breaking your password. Obviously, they will then be able to enter the site as an administrator, which means they can make all kinds of changes to the site and may even access and damage the server. The second is that they do not manage to enter the site, but they flood your server with login attempts, putting undue pressure on it; depending on your hosting package, this can cause the host to block your site.
There is always a discernible pattern
Fortunately, there is always a pattern to these attacks, and if you are diligent enough you can discern that pattern and organize your defense accordingly.
Most of these attacks try to log in as admin. If you look at the stats, you will find that a vast majority of the attempts are for that particular login. The usernames botnets try most often after that are moderator and editor. Similarly, you can easily identify a pattern among the passwords that have been successfully breached.
These passwords are admin, 123456, 12312, 1234, admin123, password, root, 12345678789, qwerty, welcome, 1234567, 12345, 1111, 12345678, monkey, iloveyou, dragon, test, pass and demo.
You can clearly see that the passwords botnets break easily follow a fixed pattern: they usually consist of letters or digits that are easy to type. Combine that with the fact that several computers take part in each attack.
One of the sites showed login requests from as many as 264 unique IP addresses. You can easily see that it is only a matter of time before they break into your system when hundreds, maybe even thousands, of computers are working to guess the combination.
Possible answer to the problem
One possible solution is to use the Login Ninja plugin. It restricts access from any IP address from which someone made a failed login attempt. However, botnets use a wide range of IP addresses to mount their attack, so this may not work very well. Therefore, you may need another solution.
Create a new username for admin
Your biggest weakness is using admin as your username. It makes it easy for the botnet to predict your username and password. It is usually better to create an entirely new user rather than simply renaming the old one. To do that, you will need a new email account. Log out of your account, log in as the new user, and then remove the old admin user by deleting that account.
When you are prompted what to do with all the links and emails of the previous admin, use the option “Attribute all the posts and links to” to attach all of them to your new account, which you can choose from a drop-down menu. Once you have done that, you can attach your new email address to this account and use it for everything.
You can also change the password from the database or with the help of plugins that do that. However, there are some scripts that target user ID 1 to hack the website; since ID 1 usually belongs to admin, this works. Therefore, changing your user ID provides extra protection to your account.
Unfortunately, weak passwords are the most common mistake people make. Despite constant urging, they simply do not create passwords of sufficient strength. It means that you are always vulnerable to attacks even if you have changed your login from admin. There are many guides available online that can help you create passwords that are easy to remember but very difficult to break.
Another thing you have to guard against is using the same password for all of your accounts. As soon as one of your accounts is compromised, all of your accounts become vulnerable. Therefore, it is better to use different passwords for different accounts.
It means that we have to consider four rules for making passwords: they should be easy to remember, difficult to break, not too tedious to type, and different for different sites. Experts also add another rule: your passwords should not follow a pattern that someone can guess. However, it is very difficult to follow these rules if you are using multiple passwords of varying difficulty. Soon enough you will forget one and will not be able to use it.
One possible solution is to use LastPass. It is a service that generates very complex, hard-to-break passwords for you. You can use LastPass to generate different passwords for different sites, which means you only have to remember the one password that logs you into LastPass, and it remembers all the others. However, an important thing to remember is that this one password must be very strong, as a slight mistake there can compromise all of your accounts. LastPass also offers apps for mobile phones and tablets. Some other products that perform the same service are KeePass, 1Password, Keeper and RoboForm.
Keep your WordPress website performing at its optimum capability
With your website safe now, you have to look for ways to keep its performance at its peak. If your server is under constant pressure from hundreds or even thousands of login requests, it will affect its performance. One possible solution is to seek help from your hosting company. They have some effective techniques to help combat this problem.
In case the hosting company does not have a solution, or you manage your server yourself, you first have to ascertain that you actually have the problem and assess how bad it is. To do that, you just have to look at the number of login attempts made on your site, which you can find by looking at the access logs.
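As an added example (not from the original article), here is a small Python script that does the access-log check described above: it parses Apache combined-format lines, counts POSTs to wp-login.php per IP address and per minute, and reports the number of unique IPs, the kind of figure the 264-address case earlier refers to. The log lines and the thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format (nginx's default has the same shape):
# IP ident user [time] "METHOD path protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one address hammering the login form, one trying twice,
# one ordinary visitor. Not real traffic.
SAMPLE_LOG = [
    f'198.51.100.7 - - [12/Apr/2013:10:01:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'
    for s in range(6)
] + [
    '203.0.113.9 - - [12/Apr/2013:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Apr/2013:10:01:09 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Apr/2013:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Apr/2013:10:01:11 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_attempts(lines, path="/wp-login.php"):
    """Count POSTs to the login form (a GET only renders it) per IP and per minute."""
    per_ip, per_minute = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith(path):
            continue
        per_ip[rec["ip"]] += 1
        per_minute[rec["time"][:17]] += 1   # "12/Apr/2013:10:01:07 +0000" -> minute bucket
    return per_ip, per_minute

def assess(lines, ip_threshold=5, minute_threshold=30):
    """Summarise how bad the flood is; the thresholds are assumptions to tune per site."""
    per_ip, per_minute = login_attempts(lines)
    return {
        "total": sum(per_ip.values()),
        "unique_ips": len(per_ip),                       # many IPs => distributed botnet
        "noisy_ips": [ip for ip, n in per_ip.most_common() if n >= ip_threshold],
        "peak_per_minute": max(per_minute.values(), default=0),
        "flood": any(n >= minute_threshold for n in per_minute.values()),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

Feed it your real access log with `assess(open("access.log"))`; a high unique-IP count with few attempts per address is the distributed pattern the article describes, which per-IP blocking alone will not stop.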
If your hosting company has no solution for your problem, you can make use of the CDN service provider CloudFlare. They have described in detail how they handle such brute force attacks. There is also a CloudFlare plugin available with a caching feature. Use whichever solution suits you best. If you have neither of these options available to you, you have a serious problem, as all other solutions require a serious technical understanding of the whole operation.
Another possible solution is to move your website to a host that has the facilities and the willingness to tackle the problem, which you can determine by contacting them and apprising them of the whole situation.
One solution that almost everyone will recommend is to use ModSecurity rules on Apache to limit login attempts. However, to use this solution you have to be running Apache in the first place. You can also password-protect access to the wp-login.php file and the wp-admin directory. It means that any unauthorized person will have no access to the login page, protecting your WordPress site from all kinds of malicious attacks.
Another solution is to update the wp-config.php keys. These are a set of security keys that WordPress uses to sign the authentication cookies it issues. The problem is that older versions did not have this feature, making them vulnerable to outside influence. Therefore, it is necessary to update them regularly. After each update, everyone will have to log in again, which means that problem will be resolved.
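An added example, not code from the article or from WordPress itself: a Python helper that regenerates the eight key and salt constants in wp-config.php with fresh random values and appends any that an older config lacks, which is exactly the case the paragraph above describes. It assumes the define('NAME', 'value'); layout of wp-config-sample.php, and the sample config is constructed.

```python
import re
import secrets
import string

# The eight key and salt constants WordPress reads from wp-config.php.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable, non-space characters minus ' and \ so a value is safe in a PHP single-quoted string.
ALPHABET = "".join(c for c in string.printable if not c.isspace() and c not in "'\\")
# Assumption: keys are written as define('NAME', 'value'); like wp-config-sample.php.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>" + "|".join(WP_KEYS) + r")'\s*,\s*'[^']*'\s*\);"
)

def new_secret(length=64):
    """A fresh random secret from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Rewrite every existing key define and append any the old config lacks.
    Returns (new_text, replaced_names, appended_names)."""
    replaced = []
    def fresh(m):
        replaced.append(m.group("name"))
        return f"define('{m.group('name')}', '{new_secret()}');"
    new_text = DEFINE_RE.sub(fresh, config_text)
    missing = [k for k in WP_KEYS if k not in replaced]
    if missing:   # configs from old installs may have none of the salts
        new_text += "\n" + "\n".join(f"define('{k}', '{new_secret()}');" for k in missing) + "\n"
    return new_text, replaced, missing

def read_defines(config_text):
    """Map define('NAME', 'value'); lines to a dict, for checking the result."""
    return dict(re.findall(r"define\('([A-Z_]+)',\s*'([^']*)'\);", config_text))

# Constructed sample of an old wp-config.php: four placeholder keys, no salts.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, replaced, appended = rotate_keys(SAMPLE_CONFIG)
    print(f"replaced {replaced}, appended {appended}")
    print(text)
```

Write the returned text back to wp-config.php and every existing login cookie stops validating, so all users (including anyone who hijacked a session) must log in again.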
Solution to the problem
The only way to ensure that you are safe is to delete everything after creating a backup. Get yourself a fresh copy of WordPress and upload it to your server. You should carefully inspect the wp-config.php file to make sure that there is no piece of hidden code in it that will compromise your new server. The easiest way to do that is to compare it with the sample file in your new WordPress copy; only then copy wp-config.php to your server. Download all of your plugins and themes from where you got them before.
Make fresh copies, upload them to your site, and check that the site is working. Change the passwords of all users, as the attacker may have changed them. Go one step further and remove all users you do not know. Make sure that you are using secure passwords and logins that are hard to predict. The final step is to copy your media files from the wp-content/uploads directory. Please do not copy any PHP files; make sure that you are copying only media files.
This will mean lots of hard work, but unfortunately anything short of that may leave some part of the infestation behind, and you may regret it later. If you have multiple sites, you have to repeat these steps for all of them or there is no point in the exercise.
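As an added example for the final step of the cleanup (not part of the original article), a Python routine that copies only media files out of an uploads tree, skipping every PHP file and anything else a web server could execute, and reports what it skipped so you can review it by hand. The extension lists and the sample tree are constructed assumptions.

```python
import os
import shutil
import tempfile

# Extensions treated as media (assumption: extend to match what your site actually hosts).
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".pdf", ".mp3", ".mp4", ".zip"}
# Anything a web server might execute or honour as config; none of it belongs in uploads.
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar", ".htaccess"}

def is_media(name):
    """True only for a whitelisted media extension, and never when any part of the
    name is a script extension (image.php.jpg is skipped, and so is .htaccess)."""
    parts = ["." + p.lower() for p in name.split(".")[1:]]
    return bool(parts) and parts[-1] in MEDIA_EXT and not any(p in SCRIPT_EXT for p in parts)

def copy_media_only(src, dst):
    """Copy the uploads tree, keeping only media; returns (copied, skipped) relative paths."""
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src)
            if is_media(name):
                target = os.path.join(dst, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(path, target)
                copied.append(rel)
            else:
                skipped.append(rel)   # review these by hand before discarding the backup
    return sorted(copied), sorted(skipped)

def demo():
    """Build a constructed uploads tree in a temp dir and run the copy over it."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    for rel in ["2013/04/photo.jpg", "2013/04/doc.pdf", "2013/04/cache.php",
                "2013/05/image.php.jpg", ".htaccess"]:
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return copy_media_only(src, dst)

if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", copied)
    print("skipped:", skipped)
```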
Avoid WordPress security problems in future
One simple fact is that one can never be completely secure until WordPress builds in some security mechanism to protect websites. However, what you can do is make use of the already mentioned Login Lockdown plugin. Some people worry that it has not been updated in a very long time. Do not worry, it works just fine with all versions of WordPress. It works very well even if you have installed it on multiple sites.
You have to make sure that all of your plugins and themes are current. Also, make sure that you are using the latest version of WordPress, as older versions can compromise the security of your website. If you have many different websites, you can either use a multisite install or ManageWP to make it easier to manage them from one central location.
After you have dealt with the security threats to your WordPress site, you should seriously reconsider the logins and passwords for your hosting account as well as the email account you use to set your passwords. If either of these is compromised, all of your work will be for nothing.
One more thing you should not ignore is that inactive plugins and themes on your website are a security hazard. Instead of leaving them on the site, make a backup and delete them completely.