
Wordpress access attempts


Admin

My WordPress sites are constantly under attack from people trying to log in as admin.

DO NOT use any of these usernames for your admin account:
aaa
adm
admin
admin1
administrator
manager
qwerty
root
support
sysadmin
test
user

I am seeing attempts with these from all over the world so there must be some WP hacker tool that cycles through these by default.

I install Wordfence and set it to block invalid usernames, so when they try any of these they get blocked and I get an email alert at the same time. I had 500 alerts from one site alone yesterday.

Admin
 
Yep - same story here.

But as you rightly say Wordfence is a handy plugin for dealing with these attempted logins... the number of email alerts due to those logins can be a pain though ;)
 
Agreed, I auto-filter them into a sub-folder to save clogging up my inbox.
 
Haven't used WordPress myself for a few years, but security through obscurity, aka renaming the path to your admin login, should also work, right?
 
Haven't used WordPress myself for a few years, but security through obscurity, aka renaming the path to your admin login, should also work, right?

Yes, unless you want valid users to be able to log into the site; I think it uses the same login page?
 
I have just limited my admin page to my ISP's IP range, as one of my major security fixes. This cut the number of invalid login attempts down to 1-2 a week from 20+.

Login attempt limits work well too: lock out the account for 90 minutes after 2 wrong attempts, then lock out for 5 days after 2 short lockouts, so 4 attempts over 2 hours and it's a 5-day kill.
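The username blocklist from the first post and the escalating lockout thresholds described just above, written out as a small must-use plugin. This is an added example for the thread, not code from Wordfence, Login Lockdown or WordPress itself; it assumes the site is served directly (so REMOTE_ADDR is the real client address, not a proxy or CDN) and that the file is dropped into wp-content/mu-plugins/.

```php
<?php
/*
 * Plugin Name: Login hardening example (hypothetical, for wp-content/mu-plugins/)
 * Rejects the usernames the thread lists and applies the escalating lockout
 * from the thread: 2 wrong attempts -> 90 min lock; 2 short locks -> 5 day lock.
 * Assumption: REMOTE_ADDR is the client IP (no reverse proxy in front of the site).
 */

// Usernames seen in the brute-force attempts listed at the top of the thread.
const LH_BLOCKED_USERNAMES = ['aaa', 'adm', 'admin', 'admin1', 'administrator',
    'manager', 'qwerty', 'root', 'support', 'sysadmin', 'test', 'user'];

const LH_MAX_ATTEMPTS    = 2;                        // wrong attempts per short lock
const LH_MAX_SHORT_LOCKS = 2;                        // short locks before the long one
const LH_SHORT_LOCK      = 90 * MINUTE_IN_SECONDS;   // 90 minutes
const LH_LONG_LOCK       = 5 * DAY_IN_SECONDS;       // 5 days

function lh_client_key() {
    return 'lh_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Priority 30 runs AFTER core's password check (priority 20), so our WP_Error
// is the final answer; at a lower priority core would overwrite it.
add_filter('authenticate', function ($user, $username, $password) {
    $key = lh_client_key();
    if (get_transient($key . '_locked')) {
        return new WP_Error('lh_locked', 'Too many failed logins. Try again later.');
    }
    if (in_array(strtolower((string) $username), LH_BLOCKED_USERNAMES, true)) {
        return new WP_Error('lh_failed', 'Login failed.'); // generic: reveal nothing
    }
    return $user;
}, 30, 3);

// Core fires wp_login_failed for every rejected login (wrong password, unknown
// or blocked username); that one hook drives the counters.
add_action('wp_login_failed', function () { lh_record_failure(lh_client_key()); });

function lh_record_failure($key) {
    if (get_transient($key . '_locked')) { return; }  // don't ratchet while locked
    $fails = (int) get_transient($key . '_fails') + 1;
    set_transient($key . '_fails', $fails, LH_SHORT_LOCK);
    if ($fails < LH_MAX_ATTEMPTS) { return; }
    $locks = (int) get_transient($key . '_locks') + 1;   // short locks so far
    set_transient($key . '_locks', $locks, LH_LONG_LOCK);
    delete_transient($key . '_fails');
    $ttl = ($locks >= LH_MAX_SHORT_LOCKS) ? LH_LONG_LOCK : LH_SHORT_LOCK;
    set_transient($key . '_locked', 1, $ttl);
}
```

Because the lockout is keyed on the client address, a site behind a proxy or CDN would lock out everyone at once; on such a setup the key would have to come from the forwarded-for header the proxy is trusted to set.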
 
Login Lockdown is also an effective, straightforward plugin to prevent these kinds of attacks. It records the IP address of all failed login attempts and you can set a limit on how many attempts are possible from a specific IP before it blocks that address for a set period of time (I believe the default is 3 attempts and a block of one hour).

http://wordpress.org/plugins/login-lockdown/

NB: Ignore the fact that in the plugin directory it says it hasn't been updated for 2 years - it works perfectly with the current version of WordPress. (I was recommended it by someone from iThemes who stressed the lack of an updated version is simply because the code is rock solid and doesn't actually require updating.)

One slightly annoying thing is that it puts a "protected with Login Lockdown" style ad on your login page; however, you can remove this by adding the following code to functions.php once you've installed it:

remove_action('login_form', 'll_credit_link');
 
Also, as Admin said, using an obvious user account name is a definite no-no, but whichever name you choose it's probably also a good idea to create at least two separate accounts - one which you solely use for administrative backend purposes (and never post with) and another one for posting.

If you also use your main admin account name (Joe Bloggs or whatever) for posting then the hackers are going to have access to your login name anyway via the links in your posts. (Even if you specify a "nickname" in Settings > General to display on your posts, I believe I'm right in saying the actual account name still displays in certain circumstances, i.e. when links for the author page are hovered over.)

I generally tend to have a separate account for all posting activity. With this posting account I limit the access rights to contributor or editor which would limit the damage possible if anyone guessed the login.
 
My WordPress administrator account seems to prevent the name being changed (it is greyed out), but surely even if they access the wp-admin screen, they would still need the password?
 
My WordPress administrator account seems to prevent the name being changed (it is greyed out), but surely even if they access the wp-admin screen, they would still need the password?

Download Better WP Security.

There are some quality functions in this plugin; it allows you to change the admin username, change the admin ID from the default, change table prefixes, as well as loads of other things.
 
My WordPress administrator account seems to prevent the name being changed (it is greyed out), but surely even if they access the wp-admin screen, they would still need the password?

They would, yes, but in theory you're making hacking easier for them if they already have one known variable.

As Suggys suggests, you could use Better WP Security. You could also simply create a new (secret) user account with full admin privileges and start using that for all backend purposes; keep posting with the account you already use but restrict the privileges on it (i.e. downgrade it to author/contributor etc.).
 
Login Lockdown is also an effective, straightforward plugin to prevent these kinds of attacks. It records the IP address of all failed login attempts and you can set a limit on how many attempts are possible from a specific IP before it blocks that address for a set period of time (I believe the default is 3 attempts and a block of one hour).

http://wordpress.org/plugins/login-lockdown/

NB: Ignore the fact that in the plugin directory it says it hasn't been updated for 2 years - it works perfectly with the current version of WordPress. (I was recommended it by someone from iThemes who stressed the lack of an updated version is simply because the code is rock solid and doesn't actually require updating.)

One slightly annoying thing is that it puts a "protected with Login Lockdown" style ad on your login page; however, you can remove this by adding the following code to functions.php once you've installed it:

remove_action('login_form', 'll_credit_link');

Wordfence has this, plus it allows you to decide how many login attempts are allowed and how long to block for, and the main one I use: immediately block unknown usernames.
 
Limit Login Attempts is also a decent plugin. Some of the 1-click installs deploy it as standard, so it's a trusted one.
 
Just an idea, but if no one else needs to log into your WordPress site (i.e. it's not one with subscribed users), for a bit more added security could the admin folder not be password protected? Hackers would then need to crack that password before they can even think about the actual WordPress login.
 
I'm in the process of moving one of my large WordPress sites to a new server, more as a learning process but also to split it from other critical sites. All seems fine, but I'm wondering, from a purely security aspect, would you install the files in the root folder, or in a separate subfolder and then simply change the URL location in the control panel? Will this help reduce attacks because wp-login won't be in the root?
 