If you follow me on Twitter or Instagram (and if you don’t, why not?!), you would have to be pretty much blind not to have seen me banging on about the events of the last two or so days.
I had all these grandiose plans for this week. I was going to schedule things, take pretty pictures for Instagram, send emails to people I met during the weekend, and generally improve this little space of mine. But all of that came to a screeching, painful, howling stop when I woke up on Monday morning.
Every Monday, I’ll wake up to about 50 emails in my inbox, all from various uncles in Kenya offering me inheritances and kind drug companies telling me how to lengthen my member. As much as I appreciate these offers, I tend to just delete them. Because, you know, I’m not stupid. But Monday morning was unlike all other mornings. I woke up to 200-odd emails in my non-spam email account.
At first I thought that something had gone wrong with the plugins in my WordPress setup, as all the emails were from one particular plugin and had exactly the same subject line. Maybe there was a glitch somewhere that forced it to send emails in bulk.
Sadly, this wasn’t the case.
What really happened is that a bot had decided to latch onto my WordPress install and was determined to break the password so it could gain access to my hugely popular (HA!) blog. I had hundreds of hits from hundreds of IP addresses, all attempting to log in to my site as the administrator.
Luckily, I’m a paranoid person and was already running two security plugins (Wordfence and iThemes), both of which blocked the IPs as per my settings, or things could have been worse. You see, between the hours of 1:30am and 11am, I was averaging 1.25 lockouts per minute. With my settings as they were, this meant that each minute my admin login page was hit with 6 password attempts. At the 5th try, iThemes would block the IP address the attempt came from, and they’d move on to another one and try again. And again. And again. Between 11am and 12 noon, the frequency was a lockout every five minutes, and by 9pm it had slowed down to about one every half an hour.
As I’m writing this on a Tuesday, it’s been two hours since the last lockout and things seem to have calmed down. But I am mentally exhausted. Throughout this thing, I felt so alone. Like, SO alone. I pay for my hosting and reached out for their help. This is one of the major hosting providers in the UK, and they came highly recommended. Their advice? “Your plugin blocks the requests already”. I kept hitting them with emails, and they came back with useless answers suggesting things I’d already told them I was using. This went on for hours until there had clearly been a shift change at the support centre and I got another tech guy who immediately pinged back something that slowed everything down.
So, what do we learn from this?
Make sure to change your administrator username
WordPress defaults the administrator username to ‘admin’. Back in the early days of my blog, I left it as it was. Looking at the logs from this attack, they continuously hit the login page with ‘admin’ as the username. Other popular ones were ‘Ordinality’ and a blank username ‘ ’. So don’t leave it blank, don’t use your blog/site name and don’t use admin. Come up with something original. Besides, user bios are more fun that way!
Run security software/plugin on your site
I have both Wordfence and iThemes running, and I’m currently adding Cloudflare on top. Without a security plugin, the bots would’ve been able to use a single IP to push through as many login attempts as they wanted.
Set maximum attempts for logins until an IP gets locked out, and check your dashboard every time you log in!
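The “5 attempts, then lock the IP” rule the post describes, written out as an added example using only WordPress core hooks and transients; this is not code from the post or from iThemes/Wordfence, and the file path, the 15-minute lockout length and the function names are assumptions.

```php
<?php
/**
 * Added example (not from the post or any plugin): a minimal must-use plugin
 * that locks an IP out after 5 failed logins. Assumed location:
 * wp-content/mu-plugins/login-lockout.php (mu-plugins load automatically).
 */
define( 'LOCKOUT_MAX_ATTEMPTS', 5 );                    // the post's iThemes setting
define( 'LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );    // assumption: 15-minute lockout

// Key the counter on the connecting address. REMOTE_ADDR is right unless a
// proxy such as Cloudflare sits in front; then use only the header that proxy
// sets, never a client-supplied X-Forwarded-For, or one bot can lock out everyone.
function lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lockout_key( $ip ) {
    return 'login_fail_' . md5( $ip );
}

// Every failed login (wp-login.php and xmlrpc.php both end up here) bumps the
// counter. A locked-out attempt also lands here, so hammering extends the lock.
add_action( 'wp_login_failed', function () {
    $key   = lockout_key( lockout_client_ip() );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LOCKOUT_SECONDS );
    if ( $count >= LOCKOUT_MAX_ATTEMPTS ) {
        // Lands in the PHP error log; this is the line to watch on your dashboard.
        error_log( 'login lockout for ' . lockout_client_ip() );
    }
} );

// Refuse authentication while the address is locked. Priority 30 runs after
// core's username/password checks (priority 20), so a locked IP gets the same
// answer whether or not the credentials were right.
add_filter( 'authenticate', function ( $user ) {
    $count = (int) get_transient( lockout_key( lockout_client_ip() ) );
    if ( $count >= LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error( 'locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 1 );

// A successful login clears the counter so your own typos don't linger.
add_action( 'wp_login', function () {
    delete_transient( lockout_key( lockout_client_ip() ) );
} );
```

Transients live in the options table by default, so with an object cache (or a very busy site) the counts may be evicted early; a plugin that keeps its own table, as the post's do, is the more robust version of the same idea.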
Use long passwords
Brute force works by a bot trying combination after combination of characters to “guess” a password. As per the name, this isn’t a delicate procedure where someone sits by the computer, looks at the pictures on your blog and then guesses your password as “fluffybunniesarethebest”. A bot will run a script and it will try all kinds of combinations until it finds the right one. The more characters in your password, the more possible combinations there are and the longer it takes. So “fluffybunniesarethebest” is far better than “bunnies”, but still not as good as “FluFFybUnn135ARetHeBest!”
Are there mathletes out there who can calculate the permutations of this? I could never grasp it…
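The calculation the post asks for, as an added example (not from the post): it sizes the search space of each of the three passwords above as (alphabet size)^length and turns that into time at two guessing rates. The 6 guesses per minute rate is the one the post observed at the login page; the 10 billion per second rate is an assumption standing in for an offline attack on a leaked password hash, and the 33-symbol punctuation count is also an assumption.

```php
<?php
/**
 * Added example: brute-force search space and time-to-exhaust for the post's
 * three passwords. Assumes a purely random guess order; a dictionary word such
 * as "bunnies" falls to a wordlist far faster than these numbers suggest,
 * which is the real reason the mixed-case/digit/symbol version wins.
 */
function password_alphabet_size( string $password ): int {
    $size = 0;
    if ( preg_match( '/[a-z]/', $password ) )       { $size += 26; }
    if ( preg_match( '/[A-Z]/', $password ) )       { $size += 26; }
    if ( preg_match( '/[0-9]/', $password ) )       { $size += 10; }
    if ( preg_match( '/[^a-zA-Z0-9]/', $password ) ) { $size += 33; } // printable ASCII punctuation (assumed count)
    return $size;
}

// Number of candidate passwords a bot must try in the worst case.
function password_search_space( string $password ): float {
    return (float) pow( password_alphabet_size( $password ), strlen( $password ) );
}

function years_to_exhaust( float $space, float $guesses_per_second ): float {
    return $space / $guesses_per_second / ( 365 * 24 * 3600 );
}

$online_rate  = 6 / 60;   // the post's observed 6 attempts per minute
$offline_rate = 1e10;     // assumption: a hash-cracking rig, not the login page

foreach ( [ 'bunnies', 'fluffybunniesarethebest', 'FluFFybUnn135ARetHeBest!' ] as $pw ) {
    $space = password_search_space( $pw );
    printf( "%-25s alphabet=%2d length=%2d combinations=%.2e  years@6/min=%.2e  years@1e10/s=%.2e\n",
        $pw, password_alphabet_size( $pw ), strlen( $pw ), $space,
        years_to_exhaust( $space, $online_rate ), years_to_exhaust( $space, $offline_rate ) );
}
```

Note how “bunnies” (26^7, about 8 billion combinations) survives the throttled online rate for centuries but falls in under a second offline, while the 23-character lowercase phrase already exceeds 10^32 combinations; the length is doing most of the work, and the extra character classes add a few more orders of magnitude on top.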
Hide your backend page
Bots will hit a website at random and find your wp-admin/wp-login page. If you use a plugin to hide this (I have Protect WP-Admin), it gives you a new URL to log in from. If you use a unique name like http://example.com/fluffybunnies, it’s less likely that a random bot is going to find it.
Hide the reason for refusal
I don’t know about you, but I forget which username/email address and password I use for various sites. Sometimes I go in and try to log in using one username, and up pops an error message of “username does not exist”. Well, if someone is trying to hack your site, these little hints are just that – hints that the username they tried is not the right one. In your security plugin (see above), you can actually choose to hide this, or create a custom error message. For me, if someone tries to log in using the wrong details, it comes up with a simple “nu-uh”. It doesn’t tell them whether the username or the password was incorrect and makes it ever-so-slightly more difficult to break in.
Use Clef (or Captcha)
The thing with bots is that the less sophisticated ones can’t read images. There are bots out there that can, but if you combine a captcha login with all the other tips here, you are better protected. It does affect the user experience slightly, but if it’s just you logging in, the inconvenience does not outweigh the benefit in my mind. For me, I decided to go with Clef. This is a plugin/app combo where the login form is hidden, and instead you get an animated wave pattern on the login page. You log in to the app and match the waves on your phone screen, through your camera, to the waves on your login page, and that’s it. They’ll let you customise a “get out” page where you can still log in should you lose your phone etc., but a regular login requires whoever’s logging in to have your phone.
Disable XML-RPC
To my surprise, a lot of the login attempts didn’t come through wp-admin or wp-login, but through xmlrpc. I didn’t really think much of it, but then I read an article explaining that xmlrpc.php is another way of logging in to your site. Newer versions of WordPress enable it by default, but you can get a plugin that disables it. There are some plugins that do use it though, so check before you disable it or you might break things! My plugin is called simply ‘Disable xml-rpc’.
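Both the “hide the reason for refusal” tip and this XML-RPC tip can be applied with two WordPress core filters, shown here as an added example (not the post's code, nor that of the ‘Disable xml-rpc’ plugin or any other); the file path is an assumption.

```php
<?php
/**
 * Added example: two core filters covering the post's "hide the reason for
 * refusal" and "disable XML-RPC" tips. Assumed location:
 * wp-content/mu-plugins/harden-login.php
 */

// Hide the reason for refusal. WordPress normally says whether the username or
// the password was wrong; this replaces every login error with one fixed string
// so a failed guess reveals nothing about which usernames exist.
add_filter( 'login_errors', function ( $error ) {
    return 'nu-uh'; // the post's own wording; any fixed message works
} );

// Disable XML-RPC logins. This filter turns off every XML-RPC method that needs
// authentication, which is the route many of the post's attempts took. Check
// first that nothing you rely on (Jetpack, the mobile apps) still needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint in the response headers as well.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

The xmlrpc_enabled filter leaves unauthenticated methods such as pingbacks reachable; if you want xmlrpc.php gone entirely, block the file at the web server instead, as the post's plugin approach effectively does.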
Don’t use the host I do.
Once my subscription has run out, I will be moving over to Krystal.
Don’t use proxy/VPN servers like Hola
Just because you don’t run a site doesn’t mean that you won’t be used and abused. This particular attack was routed through hundreds of countries and hundreds of IP addresses. Bots get access to your network, and send their traffic through it, via insecure apps like this.
Trust UK Bloggers.
Through this thing, the only helpful suggestions I got were from the UK Bloggers Facebook. They know what they’re on about!
It’s now been three hours, no lockouts. Maybe it’s done?
*edit: another lockout just now.
What an absolute nightmare for you, I’ve had situations where I’ve had people try and get into my blog but not as bad as this. I’m going to save your post so I can check out some of the things you’ve recommended xx
Omg this sounds so scary, I’m glad that nothing happened to your blog. I was aware of this before I started mine and downloaded protecting apps against bots on WordPress. I actually have Hola activated so I need to delete it ASAP! I had no idea about this, thanks for the tip!
This sounds like a nightmare! Someone hacked into my blog once and I had to pay for someone to sort it out.
This keeps happening to me! I have a SUPER long random password. I have Word fence but deffo going to do the suggestions you suggested!
OMG you poor thing, that must be a nightmare for you. I found the info very interesting although some did go a bit over my head. Might be an idea to read it again when I get over the flu.
I swear, after I spoke to you the other day, I started feeling a tickle in my throat. This cold I have now? I’m blaming you. 😀
Sounds like a nightmare! I love the UK blogger group! they’re always so helpful! I am glad it has calmed down now!
They’re just fab aren’t they?! It’s nice to have support from your fellow bloggers!
Oh what a nightmare. I never knew you could hide the backend page, will look at that app x
I didn’t know either! UK Bloggers to the rescue!
I would DIE if this happened to me. What a nightmare 🙁
Thanks for this hun
Charlotte x
It… wasn’t fun, to say the least! But hey, we’re nearly there!
Oh my this is scary. I hope it is sorted now.
I’m still getting 1 lockout/day, but it beats 1/minute! Hopefully they’ll give up soon.
Gosh, so much useful information – thank you! This is defo stuff that nightmares are made of, I’m literally going to install those plug-ins now!
#safetyfirst! Glad you found it useful!
Oh, this is quite scary. Very helpful advice here, I am going to make sure mine is 100% now.
If I prevent 1 blogger from experiencing this, my work here is done!
This is pretty scary! Thanks for putting together all the advice. I don’t think I have any security… I’ll get onto it right now!
To quote Jerry Kyle; “put something on the end of it!”
Prevention is better than the cure!
Oh my god, what a terrifying thing to wake up to. Gonna go check all my site now to make sure it’s as tight as can be!
Do make sure it’s tight; you never know what might happen. Hopefully nothing, but better safe than sorry!
OMG this scares me so much as I wouldn’t have a clue what to do even with help!!! xxx
You’d quickly learn it though; I did. Hopefully you’ll never need to though!
This is an absolute nightmare! I hate it when I get this sort of unplanned hassle and hope it never happens to me.
It’s such an annoyance! Fingers crossed I’m over the hump of it now!
I’ve had this too, and been locked out of my own site when I’ve tried to get in – it’s just so frustrating.
Oh no, what a nightmare! I’m still getting 1 lockout/day, but luckily they haven’t managed to gain access yet; like, how do you even get back control?!
Oh gosh! This is dreadful! I wouldn’t have known what to do so I am so glad you have shared this! Great advice!
It was scary, but hopefully my misfortune will help someone else!
Oh my gosh, what a nightmare!!! I have never heard of this happening. I will definitely be taking your tips to prevent it in the future.
xo Anna Elizabeth
http://www.annaelizabethevents.com
It’s scary that I didn’t know really anything about attacks on sites before I got attacked! Keep yourself safe!
Sounds a scary experience. A really helpful post but makes us wary about going self hosted now. I’m sure with the correct plugins -like Wordfence it can help, but a little bit of host support would have been good too!
Being self-hosted isn’t a piece of cake (apparently you need to know.. things?), but when you find that perfect host for you, it should be so smooth!
I got hacked pretty quickly after I moved over to WordPress, and it cost me £200 to pay a tech person to fix it. Now, I keep her on the payroll and my blog is protected through the Sucuri Firewall. It makes my life easier knowing I’m fully protected and, heaven forbid, if something should go wrong, they’d fix it immediately. Well worth looking into.
ohhh ouch! Lucky for me, they never got in; can’t imagine what I would’ve done if they had! I had Sucuri for a bit, but it didn’t quite work the way I wanted it to. I’m too grippy to pay, so that’s probably why! 😀
What a nightmare! I really need to ensure my site is properly secure so it doesn’t happen to me either x
I know, right? Security is one of the last things I thought about, but I’m glad I did think of it at some point!
Wow I read this with dread and fascination! I am not overly computer literate and I am not sure if my blog has any of these plug ins or not! I guess I need someone to have a proper look at it to ensure I am safe and secure x
it was so scary and annoying at the same time! I’m not too great with the backend of blogging, and this whole thing was a huge learning curve. Better late than never I suppose!
Oh my goodness, I’ve never really heard of anything like this before. I’ll definitely be installing some protection plug-ins now, thanks for the helpful post x
Definitely have something running; you never know what might happen!
I’d be so worried if this has happened to me. Some great tips to stop your site going under attack x
it scared the bejeebus out of me at first, but then it was just annoying. Hopefully the tips help someone else!
My wordfence from day dot on one of my blogs won’t update. I haven’t really thought about security but I definitely will do now. It’s terrifying to think my blog might be insecure now I have gone self-hosted! Thanks for the tips. I may ask my bro to look in to it x
Have you tried iThemes? Wordfence can be a bit hit and miss for me for blocking IPs – I have it running checking changes to files and iThemes for preventing false logins.
This is so helpful for those who may suffer a similar fate – I saw your posts on social media and I’m glad you managed to get it sorted
I’m so glad too – it was so irritating! Hopefully someone will be able to take something of value from this post!
I am so so pleased you got this sorted and what an awesome thing to do to write this post – you should add it to the FAQ in UK Bloggers 😉
It was such a ’mare, but I’m nearly 24 hours in with no attempts, so fingers crossed! I might just try and do that 😀 – I had no idea about half of these things before this started, and I’m sure some others are the same!
I’ve never been hacked or anything and honestly I would panic if it happened! That must feel so wrong!
it feels like such a violation!
This is such a nightmare when it happens. It happened to a friend’s blog a while ago and he’s really cautious now.
it’s amazing how many people get done with this!
What a nightmare, I’d not have a clue what to do in your situation. I’m not really good at the technical side of blogging.
Neither was I, but I had to learn so much! 🙁
AH what a nightmare, I know this happens with self hosted spaces which is a shame because you don’t want to feel as if all your work is going to be gone and taken over. Good thing to back up frequently.
Backing up is such an excellent point! My host supposedly does it for me, but I haven’t checked; good thing you reminded me!