WordPress Brute Force Protection
Recently my WordPress website was targeted by a massive brute force attack trying to break into my admin account. In this post I will go into further detail on how I got rid of the attacker and which plugins I used to alert me and protect my website from those kinds of attacks.
Plugins
I use the following plugins:
1. Limit Login Attempts Reloaded
This plugin will block an Internet address (IP) and/or username from making further attempts after a specified limit on retries has been reached, making a brute force attack difficult or impossible.
For me this plugin works like a charm. I usually get notified as soon as someone gets blocked by the plugin, which was a good indicator of whether someone was starting an attack or whether it was just some bot/sniffer/script-kiddy testing the site's boundaries.
Limitations: Please keep in mind that if an attacker has the power of multiple VPN connections, he can switch his IP in no time (that's what happened to me).
Anyway, because this plugin logs the blocked IPs and the gateway used, I was able to locate the "vulnerability" the attacker used to...
2. Disable XML-RPC
XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn't a self-enclosed system and occasionally needs to communicate with other systems, XML-RPC was created to handle that job.
Because of xmlrpc.php the attacker is able to abuse this interface to brute force authentication credentials using API calls, bypassing my Simple Login Captcha plugin. I will still keep the captcha for those who only scan the default login page for their attacks.
Disabling XML-RPC was the solution in my case; the attacks stopped instantly.
Limitations: You need to check whether any remote app you use connects through this interface, because after disabling XML-RPC some of those connections won't work anymore.
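As an added example (not code from the original post or from any of the plugins named here), the following Python check runs over a constructed access-log sample and shows the gap described above: a per-IP lockout like the first plugin's catches the single-IP attack on wp-login.php, while the attacker who rotates VPN exits against xmlrpc.php only shows up when requests are counted per endpoint instead of per source IP. The log lines, function names and thresholds are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format, not real traffic): one IP hammers
# wp-login.php, a second attacker rotates source IPs against xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.1 - - [10/Oct/2023:13:56:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.3 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.7 - - [10/Oct/2023:14:30:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")  # both accept credentials; only one is "the login page"

def parse(log_text):
    """Yield (ip, timestamp, path) for every POST to a WordPress authentication endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?")[0]
        if path in AUTH_PATHS:
            yield m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), path

def per_ip_offenders(log_text, limit=3):
    """What a per-IP lockout sees: source IPs that reached the retry limit."""
    counts = Counter(ip for ip, _, _ in parse(log_text))
    return {ip for ip, n in counts.items() if n >= limit}

def per_endpoint_bursts(log_text, window=timedelta(minutes=1), limit=3):
    """Flag an endpoint receiving >= limit POSTs inside one window from ANY mix of IPs,
    which is what catches the attacker who switches VPN exits after each lockout."""
    hits = defaultdict(list)
    for ip, ts, path in parse(log_text):
        hits[path].append((ts, ip))
    flagged = {}
    for path, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [ip for ts, ip in events[i:] if ts - start <= window]
            if len(burst) >= limit:
                flagged[path] = sorted(set(burst))
                break
    return flagged
```

On the sample, the per-IP view only reports 203.0.113.10, while the per-endpoint view also reports the three rotating addresses hitting xmlrpc.php.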
3. Change wp-admin login
Security by obscurity is controversial. In this case the plugin hides the /login or /admin pages from anyone who just points a bot/hydra/dirbuster at a site to find its default login pages. The WordPress defaults are well known to anyone who has ever logged in to a WordPress page. This is where the obscurity comes into play: you change the login page to any other path you want, without renaming or changing any core files of WordPress itself.
Limitations: This won't have any effect if you still have XML-RPC activated and the attacker is using that interface to brute force his way into your website.
4. Redirection (Optional)
As I am annoyed by random people sniffing around my page (which was just a fun project for me to get in touch with WordPress), I included the Redirection plugin which, who would have thought, instantly redirects certain pages to any other URL you want. If /admin or /login is accessed by any bot or human, it results in downloading a small 10GB file. Security by trolling...