If you follow me on Twitter or Instagram (and if you don’t, why not?!), you would have to be pretty much blind not to have seen me banging on about the events of the last two or so days.
I had all these grandiose plans for this week. I was going to schedule things, take pretty pictures for Instagram, send emails to people I met during the weekend, and just general improvement of this little space of mine. But all of that came to a screeching, painful, howling stop when I woke up on Monday morning.
Every Monday, I’ll wake up to about 50 emails in my inbox, all from various uncles in Kenya offering me inheritances and kind drug companies telling me how to lengthen my member. As much as I appreciate these offers, I tend to just delete them. Because, you know, I’m not stupid. But Monday morning was unlike all other mornings. I woke up to 200-odd emails in my non-spam email account.
At first I thought that something had gone wrong with the plugins in my WordPress setup, as all the emails were from one particular plugin and had exactly the same title. Maybe there was a glitch somewhere that forced it to send emails in bulk.
Sadly, this wasn’t the case.
What really happened is that a bot had latched onto my WordPress install and was determined to break the password so it could gain access to my hugely popular (HA!) blog. I had hundreds of hits from hundreds of IP addresses, attempting to log on to my site as the administrator.
Luckily, I’m a paranoid person and already ran two security plugins (Wordfence and iThemes), both of which blocked the IPs as per my settings, or things could have been worse. You see, between the hours of 1.30am and 11am, I was averaging 1.25 lockouts per minute. With my settings as they were, this meant that each minute my admin login page was hit with 6 password attempts. At the 5th try, iThemes would block the IP address the attempt came from, and they’d move on to another one and try again. And again. And again. Between 11am and 12 noon, the frequency was a lockout every five minutes, and by 9pm it had slowed down to about one every half an hour.
As I’m writing this on a Tuesday, it’s been two hours since the last lockout and things seem to have calmed down. But I am mentally exhausted. Throughout this thing, I felt so alone. Like, SO alone. I pay for my hosting, and reached out for their help. This is one of the major hosting providers in the UK and they came highly recommended. Their advice? “Your plugin blocks the requests already”. I kept on hitting them with emails and they came back with useless suggestions of things I’d already told them I was using. This went on for hours until there had clearly been a shift change at the support centre and I got another tech guy who immediately pinged back something that slowed everything down.
So, what do we learn from this?
Make sure to change your administrator username
WordPress defaults to ‘admin’. Back in the early days of my blog, I left it as it was. Looking at the logs from this attack, they continuously hit the login page with ‘admin’ as the username. Other popular ones were ‘Ordinality’ and ‘ ’ (blank). So don’t leave it blank, don’t use your blog/site name and don’t use admin. Come up with something original. Besides, user bios are more fun that way!
Run security software/plugin on your site
I have both Wordfence and iThemes running, and I’m currently adding Cloudflare on top. Without a security plugin, the bots would’ve been able to use a single IP to push through as many login attempts as they wanted.
Set a maximum number of login attempts before an IP gets locked out, and check your dashboard every time you log in!
Use long passwords
Brute force works by bots trying combinations of characters until one “guesses” the password. As per the name, this isn’t a delicate procedure where someone sits by the computer, looks at the pictures on your blog and then guesses your password as “fluffybunniesarethebest”. A bot will run a script and it will try all kinds of combinations until it finds the right one. The more characters in your password, and the more kinds of characters it uses, the more possible combinations there are and the longer it takes. So “fluffybunniesarethebest” is infinitely better than “bunnies”, but still not as good as “FluFFybUnn135ARetHeBest!”
Are there mathletes out there who can calculate the permutations of this? I could never grasp it…
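Taking up the question, here is an added example (not from the original post) that works out the search space for the three passwords above, assuming an exhaustive search over the smallest standard alphabet that covers the password’s characters and using the post’s observed rate of about 6 attempts per minute.

```python
import math
import string

# Character classes a brute-force bot has to cover once it knows the
# password uses them: lowercase, uppercase, digits, symbols.
LOWER = set(string.ascii_lowercase)      # 26
UPPER = set(string.ascii_uppercase)      # 26
DIGITS = set(string.digits)              # 10
SYMBOLS = set(string.punctuation)        # 32

def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    chars = set(password)
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if chars & cls)

def keyspace(password: str) -> int:
    """Number of candidate strings of the same length drawn from that alphabet."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits (log2), the usual way to compare passwords."""
    return math.log2(keyspace(password))

def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guessing rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)

# Rate observed in the post: roughly 6 attempts per minute at the login page.
POST_RATE = 6 / 60

if __name__ == "__main__":
    for pw in ("bunnies", "fluffybunniesarethebest", "FluFFybUnn135ARetHeBest!"):
        print(f"{pw!r}: alphabet {charset_size(pw)}, length {len(pw)}, "
              f"{entropy_bits(pw):.0f} bits, "
              f"{years_to_exhaust(pw, POST_RATE):.3g} years to exhaust at the post's rate")
```

The keyspace is a worst-case figure for exhaustive search; a dictionary attack finds a password made of common words like “fluffybunniesarethebest” far sooner than these numbers suggest, which is why the mixed-character version wins even at the same length.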
Hide your backend page
Bots will hit a website randomly and find your wp-admin/wp-login page. If you use a plugin to hide this (I have Protect WP-Admin), it generates a new URL for you to log in from. If you use a unique name like http://example.com/fluffybunnies, it’s less likely that a random bot is going to find it.
Hide the reason for refusal
Don’t know about you, but I forget which username/email address and password I use for various sites. Sometimes I go in and try to log in using one username, and up pops an error message of “username does not exist”. Well, if someone is trying to hack your site, these little hints are just that: hints that they are using an incorrect username. In your security plugin (see above), you can actually choose to hide this, or create a custom error message. For me, if someone tries to log in using the wrong details, it comes up with a simple “nu-uh”. It doesn’t tell them whether the username or the password was incorrect, and makes it ever-so-slightly more difficult to break in.
Use Clef (or Captcha)
The thing with bots is that the less sophisticated ones can’t read images. There are bots out there that can, but if you combine a captcha login with all the other tips here, you are better protected. It does affect the user experience slightly, but if it’s just you logging in, the inconvenience does not outweigh the benefit in my mind. For me, I decided to go with Clef. This is a plugin/app combo where the login form is hidden, and instead you get a script/gif thing running waves on the login page. You log in to your app and match the waves showing on your phone screen, through your camera, to the waves on your login page, and that’s it. They’ll let you customise a “getout” page where you can still log in should you lose your phone etc., but a regular login requires whoever’s logging in to have your phone.
Disable xmlrpc
To my surprise, a lot of the login attempts didn’t come from wp-admin or wp-login, but from xmlrpc. I didn’t really think much of it, but then I read an article explaining that it’s another way into your site. Newer versions of WordPress enable it by default, but you can get a plugin that disables it. There are some plugins that do use it though, so check before you disable it or you might break things! My plugin is called simply ‘Disable xml-rpc’.
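To see what the plugins were doing for me, here is an added example (not from the post or any plugin) that reads web-server access-log lines, counts POSTs to wp-login.php and xmlrpc.php per IP, and reports which IPs hit the 5-attempt lockout threshold described earlier; the log lines are constructed and the addresses come from documentation ranges.

```python
import re
from collections import Counter

# The threshold the post's plugin was set to: the 5th attempt from one IP locks it out.
LOCKOUT_AFTER = 5
# The two endpoints the bots were hitting: the normal login form and XML-RPC.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample access-log lines (Apache common log format) in the shape
# the post describes; IPs are from documentation ranges, not real attackers.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jun/2015:01:30:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.10 - - [15/Jun/2015:01:30:11 +0100] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.10 - - [15/Jun/2015:01:30:21 +0100] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.4 - - [15/Jun/2015:01:30:25 +0100] "GET /2015/06/fluffy-bunnies/ HTTP/1.1" 200 18234
192.0.2.10 - - [15/Jun/2015:01:30:31 +0100] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.10 - - [15/Jun/2015:01:30:41 +0100] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [15/Jun/2015:01:30:50 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [15/Jun/2015:01:30:55 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [15/Jun/2015:01:31:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [15/Jun/2015:01:31:05 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.7 - - [15/Jun/2015:01:31:10 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def analyse(log_text, threshold=LOCKOUT_AFTER):
    """Count POSTs to the login endpoints per IP and per endpoint, and record
    which IPs reach the lockout threshold and the timestamp when they do."""
    per_ip, per_path, lockouts = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                          # page views are not login attempts
        path = m["path"].split("?", 1)[0]     # ignore any query string
        if path not in LOGIN_PATHS:
            continue
        per_ip[m["ip"]] += 1
        per_path[path] += 1
        if per_ip[m["ip"]] == threshold:
            lockouts.append((m["ip"], m["ts"]))
    return per_ip, per_path, lockouts

if __name__ == "__main__":
    per_ip, per_path, lockouts = analyse(SAMPLE_LOG)
    print("attempts per endpoint:", dict(per_path))
    for ip, ts in lockouts:
        print(f"{ip} hit the {LOCKOUT_AFTER}-attempt limit at {ts}")
```

Run it over your real access log to check whether xmlrpc.php attempts are still reaching the server after you disable XML-RPC, and whether each source IP really stops at the threshold you set.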
Don’t use the host I do.
Once my subscription has run out, I will be moving over to Krystal.
Don’t use proxy/VPN servers like Hola
Just because you don’t run a site doesn’t mean that you won’t be used and abused. This particular attack was routed through hundreds of countries and hundreds of IP addresses. Bots get access to your network through insecure apps like this.
Trust UK Bloggers.
Through this thing, the only helpful suggestions I got were from the UK Bloggers Facebook group. They know what they’re on about!
It’s now been three hours, no lockouts. Maybe it’s done?
*edit: another lockout just now.