FAILED: 16,700+ malicious access attempts in 8 hoursThere are thousands of great plugins for WordPress which give you additional functionality to help make the user experience easier and more rewarding.
However, they mean nought when your site is compromised and is inaccessible or damaged in some way by a hacker.
As a result, securing your site is paramount, particularly at the login level as you MUST stop unauthorized intrusions.
As outlined below, there’s no one plugin which can give you 100% security. Nonetheless, they are a great starting point.
Here are what I regard as the three “must-have” WordPress Security Plugins.
The image at the top of the page is from this sites Wordpress Dashboard five days ago (26 August).
When I logged in to our site approximately 8 hours earlier on that day, the count was at 191 which means 16,700 attempts were halted in the next 8 hours.
Brute Protect, a plugin used by over 2.7 million websites (at time of writing) to stop brute attacks, did a grand job stopping approximately 16,700 attempts.
Fundamentally, it monitors traffic, identifies if it is coming from a “known” hacker IP, and stops them before they can go any further.
Whilst it was halting the intruder from getting in, it didn’t actually stop them from continuing their attempts. In fact, the count was at 15,900+ when I found what was going on and by the time I found the culprit in the server log and terminated access via one of our firewalls, another 800 attempts were recorded by Brute Protect.
SEE UPDATE (11 SEPTEMBER) AT THE BOTTOM OF THIS PAGE
Before checking the server log, I first checked Live Traffic on the system via Wordfence, to see what activity was being recorded.
Wordfence is a marvelous plugin, providing all sorts of security features, including a firewall. You can easily block IP’s with this plugin as well, hence why I went there in the first instance.
What I found was many attempts to access non-existent pages, particularly ones trying to access mysql and these were immediately blocked within Wordfence. Some of these attempts were made only 2-3 times and so were not temporarily blocked by Wordfence – the limit we set in the systems firewall is higher than this.
However, they weren’t the main culprit. I had to go to the server log to find them.
WP Simple Login Security
Whilst going through the server log, I found quite a few accesses during the day going to 127.0.0.0, the default IP used by WP Simple Login Security for failed access to our login page which is “hidden”.
Hiding the login page – a feature provided by several Plugins – is not enough. WP Simple Login Security goes one step further by providing this capability in conjunction with a Dual Factor Authentication facility.
Even if they find our “hidden” page, they have to contend with the Authentication and so have no way they can login it. It’s an important EXTRA SECURITY LAYER which every WordPress site should have.
Dual Factor Authentication works similar to Two Factor Authentication, the difference being that the authentication code is delivered by the email address registered in your WordPress installation rather than via your cell phone, ensuring you will receive the code even if your cell is misplaced or lost.Since we developed and started using WP Simple Login Security, we have NOT had a single visitor or Bot find / access the hidden login page (reported in the Plugins access log) … and even if they did, they would not have been able to go further due to the Dual Authentication process.
On another WordPress site we are associated with, we did not install this Plugin for the first three days of taking it live. In that small space of time, there were 32 “unauthorized” attempts to login to the site. Since installing this Plugin, there has not been a single intrusion on that site as well!
The Importance Of Server Logs
Whilst the above Plugins are all MUST-HAVES, they do NOT stop all intrusions and malicious hackers.
Some of the scripts used by these hackers are designed to place your server in a loop with a view to bringing your server down.They are NOT targeting WordPress and so Plugins such as the above cannot pick or stop them. When they hit, your server grinds to a halt and pages can take 5+ minutes to load, in some cases not load at all.
The nature of some of these scripts is not volume dependent … and they don’t always target WordPress.
Some may only send 40 or 50 requests rather than the 100,000+ which most people refer to when describing brute force attacks. The only way to find these is to go through your Server Log and track them down … then block them forever in your firewall. Finding them is not always easy if you have a high volume site.
In some cases, they may also be caused by some errant file from an old plugin previously loaded on your site which was not removed when you uninstalled the plugin. In other cases, your site may be compromised by somebody using it as a phishing relay vehicle, hence utilizing a big chunk of your server resources.
cPanel provides a Brute Protect facility so make sure you switch that on as well. This facility blocks those intruders trying to access your sites FTP, Server, and Email logins.
In summary, there is NO one size fits all cure when it comes to security. WordPress however is the main attraction for many and so, by using the Plugins listed above, you will hold back at least 95% of the issues likely to confront you in this area. That’s a great starting point!
UPDATE: 11 September 2015
When I logged into WordPress today, I noticed that Brute Protect had jumped from just on 17,000 blocks to just below 42,000. It was something I would not have noticed unless I had logged in as it did not slow down the site.
Within 15 minutes, I had identified the culprit and blocked them in the firewall. In that 15 minutes period, Brute Protect statistics moved to the following:
The culprit was identified in the log as the following:
22.214.171.124 – – [11/Sep/2015:00:21:18 -0700] “POST /wp-login.php HTTP/1.0” 403 3027 “-” “-“
Note that their target was wp-login.php which, through WP Simple Login Security, is hidden on our installation. As a result, they could not go any further. Nonetheless, this bot kept trying – more than 26,000 attempts.
None of this activity was reported within Wordfence. Nonetheless, it serves other purposes and so is an important part of our three security plugin strategy.
Once again, the above reinforces the importance of using multiple Plugins to stop malicious access to your WordPress installation … and the very important role that your Server Log and Firewall play in identifying and blocking unwanted intruders dead in their tracks.