This post explores one easy way to harden a WordPress site against a common form of attack: automated password guessing against the login form.
To change anything on a WordPress site, a user (or an attacker) must first be able to log in. Without a working login, no changes can be made to the site.
Why there is a vulnerability
Out of the box, WordPress puts no limit on the number of password attempts a visitor can make against the login form. You may think, “big whoopee, who is going to take the time to type in all those different password attempts?”
Nobody in their right mind would do it by hand, and attackers do not. If they are trying to get into your site, they are not going to type in a bunch of passwords and hope one matches; they are going to automate the process. They will run a program that tries tens to hundreds of passwords a second. If one of those guesses works, bingo, they’re in, and they can now make changes to your site.
Theory to beat this vulnerability
What if there were a way to limit the number of attempts? After so many failures from a given IP address, that address would be locked out from making more attempts for a while. This is enough to foil the typical automated attack from a single machine. It does not stop an attacker who spreads guesses across many addresses, so it complements a strong password rather than replacing one.
From Theory to Practice-Limit Login Attempts Plugin
The WordPress plugin Limit Login Attempts, http://wordpress.org/extend/plugins/limit-login-attempts/, carries out such limitations. Among other things, Limit Login Attempts does the following:
- Locks out an IP address after a set number of failures.
- Keeps it locked out for a set period of time.
- After a set number of lockouts, locks that IP address out for a longer set period of time.
- Tracks the total number of lockouts.
- Works for sites reached by direct connection or from behind a reverse proxy. I discuss this further in the Settings section.
- Also counts login attempts made with invalid authentication cookies. I discuss this further in the Settings section.
- In the login window, tells the user how many login attempts they have left.
- Tells the user when they have been locked out.
- Offers options to log the IP addresses of failed logins and to email the admin about locked-out IP addresses.
A Look at Settings for Limit Login Attempts Plugin
This is the settings screen for the Limit Login Attempts plugin. It can be found under Settings in the Dashboard when logged in as an administrator. Here is what it looks like.
I am going to run down the different options and offer my suggestions.
Total lockouts– This counts the lockouts since the counter was last reset. You can clear it at any time.
Allowed retries– This is the most important and least important field at the same time. Any value here turns an unlimited guessing budget into a handful of guesses per lockout, and that alone is what makes automated attacks give up and move on to easier targets. Beyond that, the exact number matters little. I would suggest a value below five. I am a horrible typist and I can still get my password right by the third try. And on the first lockout, a legitimate user is only locked out for a short period of time.
Minutes lockout– This is how long an IP address is locked out the first time it exceeds the allowed retries. The default is long enough to frustrate an attacker but short enough not to frustrate a user in the rare case where they mistyped their password.
___ lockouts increase lockout time to ____ hours– This is the teeth of the plugin. Once an address has been locked out this many times, the next lockout lasts hours rather than minutes. An attacker whose script is locked out for that long knows the automated attack is a waste of time and will be off to easier targets. The default values here are good.
Hours until retries are reset– This is the window after which the plugin forgets an address’s failed attempts and its lockout count. It matters less than the fields above, but it does set the pace for a patient attacker: someone who stops one attempt short of the limit and waits out this window gets a fresh set of retries with no lockout at all. A hacker/cracker is unlikely to try three times, wait x hours and try again; they will be long gone finding easier targets. Still, I would make this at least as large as the hours lockout in the previous line.
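To make the interplay of these four settings (and the lockout behaviour listed in the feature list above) concrete, here is a small simulation of such a per-IP lockout policy. This is example code written for this post, not the plugin’s own source: the default values (4 retries, 20 minutes, 4 lockouts escalating to 24 hours, 12 hours until reset), the IP addresses and the three scenarios are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """The four settings discussed above; the values are assumed defaults."""
    allowed_retries: int = 4        # failures before an address is locked out
    lockout_minutes: int = 20       # "Minutes lockout"
    lockouts_before_long: int = 4   # "___ lockouts increase lockout time ..."
    long_lockout_hours: int = 24    # "... to ____ hours"
    reset_hours: int = 12           # "Hours until retries are reset"


@dataclass
class IpState:
    retries: int = 0           # failed attempts since the last reset or lockout
    lockouts: int = 0          # lockouts since the last reset
    locked_until: float = 0.0  # seconds; 0 means not locked
    last_failure: float = 0.0


class LoginLimiter:
    """Per-IP lockout logic. Time is passed in as seconds so scenarios run offline."""

    def __init__(self, policy):
        self.policy = policy
        self.state = {}
        self.total_lockouts = 0    # the "Total lockouts" counter on the settings page

    def _state(self, ip, now):
        st = self.state.setdefault(ip, IpState())
        # "Hours until retries are reset": after this idle window the counters are forgotten
        if st.last_failure and now - st.last_failure >= self.policy.reset_hours * 3600:
            st.retries = 0
            st.lockouts = 0
        return st

    def is_locked(self, ip, now):
        return now < self._state(ip, now).locked_until

    def retries_left(self, ip, now):
        # what the login form would show the user
        return max(0, self.policy.allowed_retries - self._state(ip, now).retries)

    def attempt(self, ip, password_ok, now):
        """Returns 'locked', 'ok', 'failed' or 'lockout'."""
        st = self._state(ip, now)
        if now < st.locked_until:
            return "locked"          # refused before the password is even checked
        if password_ok:
            st.retries = 0
            return "ok"
        st.retries += 1
        st.last_failure = now
        if st.retries < self.policy.allowed_retries:
            return "failed"
        # retries exhausted: lock out, escalating to the long lockout after N of them
        st.retries = 0
        st.lockouts += 1
        self.total_lockouts += 1
        hours = self.policy.long_lockout_hours if st.lockouts >= self.policy.lockouts_before_long else 0
        st.locked_until = now + (hours * 3600 if hours else self.policy.lockout_minutes * 60)
        return "lockout"


def legitimate_user_scenario():
    """Someone mistypes twice, then logs in: never locked out."""
    lim, ip = LoginLimiter(LockoutPolicy()), "198.51.100.20"
    results = [lim.attempt(ip, False, 0.0), lim.attempt(ip, False, 5.0)]
    left = lim.retries_left(ip, 6.0)
    results.append(lim.attempt(ip, True, 10.0))
    return results, left


def automated_attack_scenario(seconds=24 * 3600):
    """A script firing one wrong password per second for a day: how many are checked?"""
    lim, ip, checked = LoginLimiter(LockoutPolicy()), "203.0.113.7", 0
    for t in range(seconds):
        if lim.attempt(ip, False, float(t)) != "locked":
            checked += 1
    return checked, lim.total_lockouts, lim.is_locked(ip, float(seconds))


def slow_attack_scenario(policy, days=30):
    """An attacker who stays one attempt below the limit and waits out the reset window."""
    lim, ip, checked, t = LoginLimiter(policy), "203.0.113.7", 0, 0.0
    while t < days * 86400:
        for _ in range(policy.allowed_retries - 1):
            if lim.attempt(ip, False, t) != "locked":
                checked += 1
            t += 1
        t += policy.reset_hours * 3600
    return checked, lim.total_lockouts


if __name__ == "__main__":
    print("typo-prone user:", legitimate_user_scenario())
    print("one guess per second for a day:", automated_attack_scenario())
    print("slow attacker, default reset:", slow_attack_scenario(LockoutPolicy()))
    print("slow attacker, 7-day reset:", slow_attack_scenario(LockoutPolicy(reset_hours=24 * 7)))
```

With the assumed defaults, the script that guesses once a second for a whole day gets only 16 passwords actually checked before the fourth lockout parks it for 24 hours, while the typo-prone user is never locked out. The slow scenario shows what the reset window really controls: an attacker who pauses below the limit is never locked out at all, but the window caps them at allowed retries minus one guesses per window, so raising it from 12 hours to a week cuts that from 180 to 15 guesses a month.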
Site connection– If you do not know what a reverse proxy is, select the Direct connection radio button. If you know what a reverse proxy is and your site is behind one, select the From behind a reverse proxy radio button. This is a relatively geeky setting, but it has to match how traffic actually reaches your server. With the direct setting, the plugin uses the address of the connection itself; with the proxy setting, it takes the client address from a header the proxy is expected to add. Choose proxy when there is no proxy and an attacker can put a different address in that header on every attempt and never be locked out. Choose direct when there is a proxy and every visitor appears to come from the proxy’s address, so a few failed logins would lock everyone out.
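Both ways of getting this setting wrong, as an added example that is not the plugin’s code: a function that picks the address a lockout would be keyed on under each setting, run over constructed failed-login requests. The header name X-Forwarded-For, the assumption of exactly one trusted proxy that appends the real client as the last entry, and all addresses are assumptions made for the demonstration.

```python
from collections import Counter


def client_ip(remote_addr, headers, behind_reverse_proxy):
    """Return the address to key the lockout on, under each Site connection setting."""
    if not behind_reverse_proxy:
        # Direct connection: the TCP peer is the client and headers are ignored.
        return remote_addr
    # Behind a reverse proxy: the peer is the proxy, which appends the real client
    # to X-Forwarded-For. Take the LAST entry (the one the proxy added); anything
    # before it came from the client and may be forged.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


def failures_per_ip(requests, behind_reverse_proxy):
    """Count failed logins by the address a lockout would be keyed on."""
    return Counter(client_ip(r["remote_addr"], r["headers"], behind_reverse_proxy)
                   for r in requests)


# Constructed sample: 20 failed logins from one attacker at 203.0.113.7 who sets a
# different X-Forwarded-For value on every request.
# Case A: the site is reached directly, so the header arrives exactly as forged.
DIRECT_SPOOFED = [{"remote_addr": "203.0.113.7",
                   "headers": {"X-Forwarded-For": f"198.51.100.{i}"}} for i in range(1, 21)]
# Case B: the site sits behind a proxy at 10.0.0.2 that appends the true client address.
PROXIED = [{"remote_addr": "10.0.0.2",
            "headers": {"X-Forwarded-For": f"198.51.100.{i}, 203.0.113.7"}} for i in range(1, 21)]

if __name__ == "__main__":
    for name, reqs in (("direct", DIRECT_SPOOFED), ("proxied", PROXIED)):
        for setting in (False, True):
            print(f"{name} site, reverse-proxy setting={setting}:",
                  dict(failures_per_ip(reqs, setting)))
```

With the matching setting both sites attribute all 20 failures to 203.0.113.7 and the attacker is locked out after the fourth. Mismatched, the direct site with the proxy setting sees 20 different addresses with one failure each and never locks anyone out, and the proxied site with the direct setting piles all 20 failures onto 10.0.0.2, the proxy, which would lock out every visitor. If more than one trusted proxy sits in front of the site, count back that many entries from the end of the header instead of taking the last one.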
Handle cookie logins– Often, a user who has recently visited their site gets back in without retyping their password. That is because the site set a cookie, a small piece of text stored in the user’s browser, when they logged in; when the user returns, WordPress accepts that cookie as proof of who they are and lets them in without a password.
Make sure to select the Yes radio button here. Otherwise, failed logins made with a forged or stale cookie would not count toward the lockout, and a hacker/cracker could automate guessing down that path instead of the password form. Guessing a valid cookie is not a realistic way in, but there is no reason to leave any login path unlimited. :^)
Notify on Lockout
Log IP– This keeps a log of the IP addresses behind failed login attempts. It is informational rather than protective, but it is what you will want when you look into who has been hammering your login. I’m a geek, so I would have this on.
Email to admin after ____ lockouts– The default value of 4 is fine here. Again, being a geek, I would want this option checked so I could snicker at the people who tried to hack/crack my site.
If you change any of the settings, don’t forget to click the Change Options button. This saves the changes.
Finally, there is the Clear Log button. Log files can get big and unwieldy, though for this plugin that would only happen after thousands and thousands of failed attempts. Still, it is worthwhile to clear this log as part of a quarterly cleanup.
In closing, out of the box a WordPress site is open to automated attacks that try to guess its passwords. The Limit Login Attempts plugin closes off the easy version of this attack, a single machine guessing as fast as it can. Using the plugin is one step a WordPress site admin can take to further harden their site; it works alongside strong passwords, not instead of them.