Several days ago I found, that my WordPress site was under attack. From two previous days, the whole site was very slow when loading but still reachable. I thought that optimizing it by disabling unnecessary plugins, minifying CSS and JS files, creating sprites instead of multiple images will solve the problem but I was wrong.
In one moment I saw an Internal Error 503 and the whole site gone down. I checked error logs and then I saw thousands of requests into wp-login.php file, that is responsible for login into backend.
220.127.116.11 - - [14/Sep/2013:15:30:35 +0200] "POST /wp-login.php HTTP/1.0" 503 470 "slick.pl/wp-login.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_2_7; en-US) AppleWebKit/595.16 (KHTML, like Gecko) Chrome/10.0.567.290 Safari/567.16" 332 745 11122 D; 16 - 18.104.22.168 - - [14/Sep/2013:15:30:35 +0200] "POST /wp-login.php HTTP/1.0" 503 470 "slick.pl/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.9.155 Version/10.10" 266 745 11120 D; 16 - (cut here) 22.214.171.124 - - [14/Sep/2013:15:30:29 +0200] "POST /wp-login.php HTTP/1.0" 200 4563 "slick.pl/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0" 339 5068 11072 - 15 - 126.96.36.199 - - [14/Sep/2013:15:30:45 +0200] "POST /wp-login.php HTTP/1.0" 200 4563 "slick.pl/wp-login.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_1_9; en-US) AppleWebKit/563.16 (KHTML, like Gecko) Chrome/10.0.513.244 Safari/503.16" 398 5068 11214 - 14 -
I knew that it was a brute force attack. Thanks to password strength it was unsuccessful but I decided to increase the security level by doing several steps that are presented below.
Brute force was in progress. Due to the ammount of requests, I was unable to reach backend. I logged into my hosting panel and quickly locked the whole domain by using .htpasswd file. In that moment, number of attacking requests dropped to 0. This step is temporary. As a final result I won’t use .htpasswd solution. It just helped me to log into Dashboard and do next steps.
If attacking script knows, that by default every WordPress page has got wp-login.php file placed in the same relative location, it knows where to attack. I’ve changed /wp-login.php and /wp-admin URL into some random strings. This can be done by installing Better WP Security and going into “Hide Backend” section. Check “Enable Hide Backend” checkbox and change names of login, register and admin slug for somethings that will be easy for You to remember but impossible to strangers.
It’s one of the irresponsible things to let Yourself having “admin” or “administrator” or “adm” as an username. With these most popular names, intruder can focus just on the password value. Don’t let him do that. Can be done with Better WP Security.
Can be solved (and automated) with awesome BackWPup plugin.
Or just set it only for Your backend slug that You have defined in Step 2.
It is opptional but with cache plugin You serve to Your clients static HTML files. It can help when Your site won’t be able to handle PHP requests.
Who edits PHP files directly in WordPress? For sure no one. Turn this off and don’t let intruder to modify Your source code so easily. Open wp-config.php and after line: