There is a well-organized global attack on WordPress sites going on that is attempting to crack WordPress passwords by brute force. This means that automated scripts are attempting to log in to any WordPress site they find by trying every combination of passwords they can generate. Given the power of the typical computer these days, this means thousands of attempts per minute. As you might imagine, this puts a tremendous load on the server, especially on servers with hundreds of WordPress installations, which describes most shared hosting servers.
HostGator, which I use and recommend, posted the following article on their blog earlier today with details: http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/
What Can I Do To Protect My Site?
I’ve installed a plugin called Wordfence on my and my clients’ sites and configured it so that if anyone tries to log in and fails 5 times, they are locked out for an hour. This is very helpful against this type of attack, as it’s virtually impossible to guess a password within 5 attempts. That said, however, I’ve noticed over the past several days that I’m getting many more alerts than normal about failed logins, and they are coming in bunches of as many as 15 or 20 at a time. This means that Wordfence can’t keep up with the barrage of attempts and isn’t able to block them at 5 because they come in so quickly. It still keeps the number of attempts low enough that guessing a password by brute force remains statistically unlikely, but the attempts still put an additional load on the server and do increase the odds of cracking the password by a bit.
Keep ‘Em Away From the Login Screen!
A member of a WordPress group I belong to on LinkedIn posted a lockout technique the other day which has turned out to be quite timely. This lockout prevents anyone from accessing the login screen at all unless they are accessing the site from a specific set of IP addresses. In other words, it’s possible to lock out all but a select group of IP addresses.
What The Heck Is An IP Address?
“So, what’s an IP address?” you may be asking. IP stands for Internet Protocol, and an IP address is a string of numbers that uniquely identifies your connection to your Internet Service Provider. The number looks something like this: 111.222.333.444, where each group of numbers can be 1, 2 or 3 digits, separated by dots. The Internet routing system understands these numbers as addresses, similar to how the mailman finds your house by its street address. Instead of a street name and house number, however, computers prefer plain numbers, hence the 4-12 digits of an IP address.
Your website has an IP address, even though it’s generally accessed by the domain name, e.g. https://thesmallbusinesswebsiteguy.com. Your connection to the Internet also has an IP address. This is so your computer can communicate with your website and vice-versa. Messages are sent to the respective IP addresses which assures that they will go where they’re intended.
If you have several computers at home all accessing the Internet via a router, as is pretty typical these days, they all have the same IP address to the outside world. The router takes care of sorting out who gets the messages when they arrive from outside. If you open up your browser, go to Google and type in “what is my ip”, you’ll see a screen of results at the top of which will be your IP address where you are at the time. If you’re at home, you’ll see one IP address. At work, you’ll see another (unless you work from home!). Doing the same thing on your phone’s browser will get you a third IP address unless you’re connected wirelessly via your home router.
Why Not Just Block The Bad Guys’ IPs?
Wordfence has the ability to block specific IPs, but trying to permanently block every IP that tries to break into a site is an exercise in futility. The bad guys can change IPs at will so if one gets blocked, they simply try another. According to the HostGator blog post above, they’ve already seen over 90,000 different IPs used in the attacks. In such a case, Wordfence’s permanent blocks are not effective.
So, What Does Work?
The answer is to do the opposite: lock out everyone except a few designated IP addresses.
For most of us, this works very well. We simply need to determine the IP address at every location where we might access our hosting account, then allow those IPs while blocking all others. In my case, I currently have four IP addresses that need access to my sites: my home Internet connection, my cell phone data service, my work site, and a remote work site.
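As an added example (not from the original post or the LinkedIn thread it mentions), here is how that allowlist looks when done in an Apache .htaccess file, which I am assuming is the mechanism behind the lockout technique and which works on typical shared hosting. The IP addresses are placeholders; replace them with the addresses you found via “what is my ip” at each location.

```apacheconf
# Added example: restrict the WordPress login screen (wp-login.php) to a
# few known IP addresses. Place this in the same directory as wp-login.php.
# Assumes Apache with .htaccess overrides enabled (the shared-hosting norm).
# All addresses below are placeholders from documentation ranges.
<Files wp-login.php>
    # Apache 2.4 and later: only the listed addresses may reach the login page;
    # anyone else receives a 403 Forbidden and never sees the login form.
    <IfModule mod_authz_core.c>
        # home connection (placeholder)
        Require ip 203.0.113.10
        # work network: an entire range can be allowed with CIDR notation (placeholder)
        Require ip 203.0.113.0/24
        # remote work site (placeholder)
        Require ip 198.51.100.25
    </IfModule>

    # Apache 2.2: same policy in the older syntax. Deny everyone, then allow the
    # listed addresses. Apache does not permit comments on the same line as a
    # directive, so each note sits on its own line.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        # home connection (placeholder)
        Allow from 203.0.113.10
        # work network (placeholder)
        Allow from 203.0.113.0/24
        # remote work site (placeholder)
        Allow from 198.51.100.25
    </IfModule>
</Files>
```

Home and especially cell-phone addresses are assigned by the provider and change over time, so if you suddenly get a 403 error on the login page, recheck your current IP and update the list. The 403 entries for wp-login.php in the server’s access log also show which addresses the rule has been refusing, which is a handy way to watch the attack traffic being turned away.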
If you would like this block applied to your site, let me know and we’ll review its applicability to your site. If you don’t have a bunch of people who need to log in, such as a membership site, and you only ever access your site from a few specific places, this will work well for you. You’ll still need to have a strong password, but the odds of anyone gaining access to your site by cracking your password will be greatly reduced.
Either way, please check your WordPress passwords now! Hopefully, this attack will be relatively short-lived, but until it is, all WordPress sites are at risk, especially if the passwords are not up to snuff.