Limiting Logins on a WordPress Site

This post explores one easy way to harden a WordPress site against a common attack: automated password guessing.

In order to make changes to a WordPress site, a user must first be able to log into it. Without the ability to log in, no changes can be made to the site.

Why there is a vulnerability

Out of the box, WordPress puts no limit on the number of password attempts a visitor may make when logging in. You may think, “big whoopee, who is going to take the time to type in all those different passwords?”

Well, the answer is that no one in their right mind would do that by hand. Hackers/crackers are, unfortunately, very much in their right mind.

If they are trying to get into your site, they are not going to type in a bunch of passwords and hope one matches; they are going to automate the process. They will run a program that can try tens to hundreds of passwords a second against the login page. If one of them works, bingo, they're in, and they can now make any change they like to your site.

Theory to beat this vulnerability

What if there were a way to limit the number of attempts? After so many failures from a certain computer, that computer would be locked out from making more attempts for a while. This blunts automated attacks on your site: a program that gets a handful of guesses and then a lockout can no longer run through a password list.

From Theory to Practice: the Limit Login Attempts Plugin

The WordPress plugin Limit Login Attempts, http://wordpress.org/extend/plugins/limit-login-attempts/, carries out exactly such limitations. Among other things, Limit Login Attempts does the following:

  • Locks out an IP address after a set number of login failures.
  • Keeps it locked out for a set period of time.
  • After a set number of lockouts (four by default), locks that IP address out for a much longer period.
  • Tracks the total number of lockouts.
  • Makes allowances for sites reached directly or from behind a reverse proxy. I discuss this further in the Settings section.
  • Also counts login attempts made with cookies. I discuss this further in the Settings section.
  • In the login window, tells the user how many attempts remain.
  • Notifies the user if they have been locked out.
  • Optionally logs the IP addresses behind failed logins and emails the administrator about lockouts.
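As an added illustration (not code from the plugin or from the original post), here is the counting behind those bullets expressed as SQL over a hypothetical failed_logins table filled with constructed rows. The plugin itself keeps this state in wp_options rather than in a table like this; the table name, its columns, the sample addresses and the fixed "now" timestamp are all assumptions made for the example. The thresholds are the plugin's defaults.

```sql
-- Added example, not part of Limit Login Attempts: a per-IP lockout check
-- over a hypothetical failed_logins table. Plugin defaults assumed:
-- 4 allowed retries, 20-minute lockout, 4 lockouts stretch to 24 hours,
-- and an address's retry count is forgotten 12 hours after its failures.
-- Portable SQL: runs unchanged in SQLite or MySQL.
CREATE TABLE failed_logins (
  ip           VARCHAR(45) NOT NULL,  -- source address as WordPress saw it
  user_login   VARCHAR(60) NOT NULL,  -- username that was tried
  attempted_at DATETIME    NOT NULL
);

-- Constructed sample data. 203.0.113.7 is an automated guesser,
-- 198.51.100.4 is a real user who fumbled a password twice, and
-- 192.0.2.9 failed once long enough ago that the reset window has passed.
INSERT INTO failed_logins (ip, user_login, attempted_at) VALUES
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:01'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:02'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:03'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:04'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:05'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:06'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:07'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:08'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:09'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:10'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:11'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:12'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:13'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:14'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:15'),
  ('203.0.113.7',  'admin',   '2012-05-09 09:58:16'),
  ('198.51.100.4', 'stephen', '2012-05-09 09:59:10'),
  ('198.51.100.4', 'stephen', '2012-05-09 09:59:31'),
  ('192.0.2.9',    'admin',   '2012-05-08 14:00:00');

-- Lockout state per IP, with "now" fixed at 2012-05-09 10:00:00 so the
-- result is reproducible. Only failures inside the 12-hour reset window
-- count. (Simplification: a really locked-out address could not keep
-- failing, so 16 failures would take at least an hour of lockouts to reach.)
SELECT ip,
       COUNT(*) AS failures_in_window,
       CASE
         WHEN COUNT(*) >= 16 THEN 'locked out for 24 hours'  -- 4 lockouts x 4 retries
         WHEN COUNT(*) >= 4  THEN 'locked out for 20 minutes'
         ELSE 'not locked out'
       END AS lockout
FROM failed_logins
WHERE attempted_at >= '2012-05-08 22:00:00'  -- now minus the 12-hour reset window
GROUP BY ip
ORDER BY failures_in_window DESC;
```

With the sample rows, the guesser shows 16 failures and the 24-hour lockout, the real user shows 2 failures and no lockout, and the old failure from 192.0.2.9 falls outside the window and never appears. Note that everything is keyed on the IP address; that is what the Site Connection setting below is about.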

A Look at Settings for Limit Login Attempts Plugin

This is the settings screen for the Limit Login Attempts plugin. It can be found under Settings in the Dashboard when logged in as an administrator. Here is what it looks like.

[Screenshot: Limit Login Attempts settings screen (limit-logins-2012-05-9-10-02.png)]

I am going to run down the different options and offer my suggestions.

Total Lockouts– This keeps a count of the total number of lockouts since the counter was last reset. Clear it at any time.

Lockout

Allowed retries– This is the most important and least important field at the same time. Most important because as long as there is a value here at all, the site is no longer an easy target: a guessing program gets a handful of tries and then a lockout, so it can no longer run through a password list, and its operator will usually move on to easier targets. Least important because the exact number hardly matters. I would suggest a value less than five. I am a horrible keyboarder and still I can make my fingers crawl over the keyboard well enough to get my password right by the third try. Additionally, on the first lockout, the user is only locked out for a short period of time. One caveat: the lockout is per IP address, so an attacker spreading guesses across many addresses gets a fresh allowance from each one. A strong password still matters.

Minutes Lockout– This is the length of time an IP address is locked out when the allowed retries are exceeded for the first time. The default here is long enough to frustrate crackers but not long enough to frustrate a user in the rare case where they did not type their password correctly.

___ lockouts increase lockout time to ____ hours– This is the teeth of the plugin. Once an IP address has been locked out this many times, the next lockout lasts for the long period instead of minutes. When a hacker/cracker is locked out for hours, they know their automated attack is a waste of time and will be off to easier targets. The default values here are good values.

Hours until retries are reset– Again, this field has little significance. It is how long the plugin remembers an IP address's failed attempts: if that many hours pass without a new failure, the count starts again from zero. The important thing is that a hacker/cracker isn't going to try three times, wait x hours and try again; they will be long gone finding easier targets. I would make this at least as large as the hours lockout in the previous line.

Site Connection– If you do not know what a reverse proxy is, select the Direct connection radio button. If you know what a reverse proxy is and your site is behind one, select the From behind a reverse proxy radio button. This is a relatively geeky setting, but getting it wrong matters both ways. With Direct connection on a site that is behind a proxy, every visitor appears to come from the proxy's address, so one attacker's lockout locks out everyone, you included. With the reverse proxy setting on a site that is not behind one, the plugin takes the visitor's address from a header the client itself supplies, and an attacker can vary that header on every request to dodge the lockout entirely.

Handle Cookie Logins– Many times a user who has recently visited a site can re-enter it without typing a password again. This is because of a cookie, a small bit of text on the user's machine put there by the website. When the user returns, the website accepts this cookie as proof that they logged in earlier, and they can re-enter the site without a password.

Make sure to select the Yes radio button here. Otherwise a hacker/cracker could automate the process of trying different cookies, hoping to get lucky, without those attempts ever counting toward a lockout. The odds of guessing a valid WordPress login cookie are astronomically small, but there is no reason to let the attempts go uncounted. :^)

Notify on Lockout

Log IP– This keeps a log of the IP addresses behind failed login attempts. It is informational and not strictly necessary, but it shows you which addresses are hammering your login page and how often. I'm a geek, so I would have this on.

Email to admin after ____ lockouts– The default value of 4 is fine here. Again, being a geek, I would want this option checked so I could snicker at people who tried to hack/crack my site.

If you change any of the settings, don't forget to click the Change Options button. This saves the changes.

Finally, there is the Clear Log button. Sometimes log files can get big and unwieldy. For this plugin, that would only be the case if you had thousands and thousands of failed attempts. Still, it is worthwhile to clear this log as part of a quarterly cleaning.

In closing: out of the box, a WordPress site is open to automated attacks that try to guess its passwords. The Limit Login Attempts plugin closes down this weakness. Using it is one step a WordPress site admin can take to further harden their site.

Baseline Checkup for Integrity of your WordPress Site

It’s 11:45 AM. Do you know how many administrators are on your WordPress site?

Unfortunately, WordPress at its base is a piece of software, and any piece of software has the potential for vulnerabilities. Through WordPress exploits, nefarious people could be using your site to inflict evil on other people. A major case in point happened recently: the largest piece of malware ever to affect the Mac appeared in the last few months, and it was spread through WordPress sites that had been exploited.

If you ask me, exploits and keeping your site minimally exposed to hackers are the number one reasons to keep WordPress, plugins, and themes updated. Often these updates fix the very holes the exploits use, which lowers the chance of a WordPress site getting hacked.

WordPress exploits are well known. Have any doubts? Check out this list. By not running the most up-to-date version of WordPress, a site is open to every exploit on this list that targets its version.

One of the most valuable hacks, at least as far as the bad guys are concerned, is an exploit that lets them add an administrative user. This exploit allows hackers to do just that. Notice that the version of WordPress affected by this exploit is 3.3.1, the second most recent version. Anyone not updated to the most recent version, 3.3.2, is potentially vulnerable to it.

Step back and think about it a second. What would be the problem if someone unknown could suddenly administer another WordPress site, potentially yours? As an administrator, they could make whatever changes they wanted to the exploited site. They could add code, users, posts, comments, all at will. If they so desired they could even delete the exploited site! That wouldn't buy them much, but it is a possibility. They would much rather have a site up and infected. Then they can continue to use the exploited site for whatever purpose they want.

Beyond the direct effect on the exploited site, there is an even larger potential problem: the site's SEO. One thing web search engines do while crawling sites is look out for malware. I have, and maybe you have too, clicked on a link in Google only to be warned that the site may be infected with malware. That alone would be scary enough for potential customers.

Google’s search engine will also keep watch on an infected site. The longer the infection lingers, the lower the infected site will rank. Any ranking the site had built up with Google could soon be lost without a timely fix.

So, what can be done to protect a WordPress site? One of the easiest things is to keep a watch on the number of administrators on your site. If there are more administrators than you expect, you could have been hit by an exploit. Thankfully, when logged on as an administrator, the Users panel shows the number of administrators. This panel shows three administrators; the expected amount, by the way.

[Screenshot: Users panel showing the administrator count (PastedGraphic2-2012-05-4-11-42.tiff)]

If the administrator count is larger than expected, click on the Administrator link to show who the administrators are. If the list shows fewer administrators than the count, that is also a problem. There are obscure problems that can make the list disagree with the count, but more likely than not a rogue administrator has been hidden, a very easy thing to do: a few lines of code in a theme or plugin file can filter an account out of the Users list while the count still includes it. If you find yourself in this predicament, you will either (1) have to get your hands dirty with SQL or (2) find someone who will.
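Here is the SQL I would reach for in that predicament, added here as an example and not taken from the original post. It reads the roles straight out of the database, bypassing whatever a hidden account's code does to the Users screen. It assumes the default wp_ table prefix and a single-site install; the prefix also appears inside the meta_key values wp_capabilities and wp_user_level, so change all of them if your wp-config.php uses a different $table_prefix.

```sql
-- Added example, not from the original post: audit administrators directly in
-- the WordPress database instead of trusting the Users screen.
-- Assumption: default table prefix wp_, single-site install. The prefix is
-- part of the meta_key strings below as well as of the table names.

-- 1. Every account that holds the administrator role, oldest first.
--    Roles are stored as a serialized PHP array, so match the role name text.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered;

-- 2. The number the dashboard ought to show. If this is larger than the
--    number of rows from query 1 that you recognize, someone is hiding.
SELECT COUNT(*) AS administrators
FROM wp_usermeta
WHERE meta_key = 'wp_capabilities'
  AND meta_value LIKE '%"administrator"%';

-- 3. Oddities worth a look: an administrator-level user_level (10) with no
--    administrator role string, or an account with a blank login or email.
--    These are shapes a planted account sometimes takes to avoid query 1.
SELECT u.ID, u.user_login, u.user_email,
       lvl.meta_value AS user_level, cap.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS lvl
       ON lvl.user_id = u.ID AND lvl.meta_key = 'wp_user_level'
LEFT JOIN wp_usermeta AS cap
       ON cap.user_id = u.ID AND cap.meta_key = 'wp_capabilities'
WHERE (lvl.meta_value = '10'
       AND (cap.meta_value IS NULL
            OR cap.meta_value NOT LIKE '%"administrator"%'))
   OR u.user_login = ''
   OR u.user_email = '';
```

Run these in phpMyAdmin or the mysql client against the site's database. Compare the rows with the count and with the people you know should be there; anything unfamiliar, especially an account whose user_registered date is recent, deserves a look, along with a search of the theme and plugin files for code that touches the user list. If you would rather not touch SQL, the WP-CLI command wp user list --role=administrator reads the same data from the command line.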

Unfortunately, WordPress sites are vulnerable to exploits. These exploits can be used to harm people who unknowingly visit the exploited site and to damage the site's reputation. One basic way WordPress site owners can keep an eye on the integrity of their site is to make sure there is no sudden increase in the number of administrators. That is an obvious sign a site has been hacked.

In closing,

It’s 1:45 PM. Do you know how many administrators are on your WordPress site?

Step 3, Stephen

Last week I attended a conference. Like many day-long conferences, it began with a keynote speaker, was filled with small hour-long workshops on various topics, and concluded with a celebration. This conference was put on by the Northwest Development Officers Association, a Greater Seattle area organization that does an outstanding job of providing continuing education for those of us in the fundraising profession.

I sat in on a discussion about social media by Dave Sharp, of the College Success Foundation, who said that he was not a social media expert but rather a social media learner, just like all the rest of us. It was refreshing to find someone who acknowledges that we are all learners, especially in a medium that is so new and so fast moving. Nobody is an expert. Nonetheless, there are a host of confusing aspects of this new way of marketing your business, for profit or nonprofit, that I find myself scrambling to keep up with and to understand.

Five days later, on Tuesday of this week, I attended the weekly blogger support group founded and moderated by Deborah Drake. Sometimes our conversations are very philosophical, sometimes they are interventions for reticent bloggers, and sometimes they are very practical. This past Tuesday was one of those practical conversations. I have notes about lots of websites, terms and applications to explore. It will take a long time to digest and apply all that I learned. Today I took the first step.

One note I wrote was, “Step 3, Stephen.” Exploring the posts on Tuesdays With Deborah, I finally found the post called “Getting Started With Tuesdays With Deborah” that Stephen Magladry posted. I guess I’d missed it earlier or wasn’t at a point where I could use it. All these terms that had been so mysterious to me now started to come into focus: SEO, tags, meta description, meta robot tags, incoming autolink anchors, autolink exclusion, more link text, etc. So I’ve now taken the time to go back and update all my earlier posts, adding a meta description, incoming autolink WordPress, and appropriate tags.

Of course I want to be found on the web. Of course I hope all this work will bring in more business. But mostly I want people to read what I write. I think I have something worth saying. How many times have we heard, “If I put it out there who will read it”? Hopefully following Stephen’s Step 3 will help people find what I write and engage in conversation about what I have to say.