WordPress Bad Login Attempts Problem
Every WordPress site I’ve ever worked with has seen unauthorized attempts to login to the site. Generally, these attempts are not targeted at the site specifically but instead are part of a huge automated attack. People want to hack into “a WordPress site”, not necessarily “your WordPress site”. These people run programs that find WordPress sites and try to log into them with generic credentials.
(e.g. Username: admin, Password: password)
How to Protect Your Website
1. Don’t the Username “admin”
Over 95% of the malicious login attempts I’ve seen use the username “admin”. If you are already using “admin” as your username, you can change your username with the following steps:
1. Make a backup of your website (always an important step before making any serious changes)
2. Edit your “admin” account and change the email address (this will make the email address available for your new account)
2. Create a new account, which you are going to use to replace “admin”
3. Delete your “admin” account. When you do this, you’ll be given the option to re-assign any content authored by “admin” to a different account – choose the new account you just created.
2. Use a Good Password
Your password should be of sufficient complexity. There is a great XKCD comic addressing password complexity.
3. Install Limit Login Attempts
Limit Login Attempts is a terrific plugin. It keeps track of IP Addresses for failed logins. If too many failed logins occur from an IP Address, that IP Address is locked out temporarily. You can modify the settings for this plugin but I’ve been happy with the default settings.
4. Shutdown Bad Users without Database Interaction
WARNING As of 2014-09-02 This solution is still in being tested. I’ve had this running on three of my production sites for 12 hours and thus far I have not seen any attempted “admin” logins in the Limit Login Attempts log.
While Limit Login Attempts is a phenomenal plugin it has one major disadvantage; the IP Address recording and lookup occur within the WordPress application in the database. When you are getting a lot of malicious attempts this can really slow down your website. As I mentioned, over 95% of the malicious login attempts I’ve seen try the username “admin”, so if I can eliminate those attempts it would be a dramatic improvement. Adding the following code to the beginning of my
wp-config.php, will detect an attempt to login with the username “admin” and automatically shutdown WordPress before it connects to your database. This early exit behavior will reduce the resources used in rejecting these attempts. At this time, I do not have any benchmark information on how much of a reduction this provides.
|// ** Reject Bad Username ** //|
|/** As described on http://salferrarello.com/wordpress-bad-login-attempts/ **/|
|$bad_user_names = array( 'admin' );|
|isset( $_POST['log'] )|
|&& in_array( strtolower( $_POST['log'] ), $bad_user_names )|
|&& false !== stripos( $_SERVER['REQUEST_URI'], 'wp-login.php' )|
|// ** MySQL settings ** //|
|/** The name of the database for WordPress */|
I’ve explored the option of an mu-plugin, however this code does not execute as early as I would like. I’ve chosen to use the wp-config.php file because it is executed early and is meant to be modified unlike the majority of WordPress core files.