Guest post by Sable Cantus.

With all the press about WordPress security and botnet attacks, it can be difficult to put into perspective what that means to me as a WordPress user. I can download logs from my host. I can check the blocked IP list in my various plugins.

I recently installed WP Security Audit Log on my site. Here is a screenshot from this morning.

[Screenshot: WP Security Audit Log audit trail]

Take a close look at that audit trail. The log is almost completely filled with “Failed Login detected using…” entries. Then there are the handful of usernames they keep trying: “admin”, “administrator”, and the domain name, over and over again, from varying IP addresses.

This is not one person sitting at a computer launching some script on my site. This is a globally distributed attack looking for generic admin usernames and weak passwords. This is how many sites are “hacked” into. The tyranny of the default.

Where are these attacks coming from?

Of course, my first instinct was to use Apache’s .htaccess file to block IP addresses and ranges. That didn’t work because, as you can see in the screenshot, the attacks aren’t coming from a single IP range. I thought I would look at a few of those addresses using LocateIPAddress.net.

217.91.109.227 – Germany
91.82.196.36 – Hungary
96.56.113.123 – New York
217.91.37.3 – Germany
118.172.199.204 – Thailand
91.185.3.146 – Kazakhstan
118.172.201.47 – Thailand

Those are just the top seven, and each IP belonged to a different host in a different country, none of them affiliated with this site.
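To show why blocking one address at a time misses this pattern, here is an added example (not from the post or from the WP Security Audit Log plugin) that tallies failed logins against generic usernames across source IPs. The log format, timestamps, usernames, the `example.com` domain and the lockout thresholds are constructed assumptions; only the seven source addresses come from the list above.

```python
import re
from collections import Counter

# Constructed sample, loosely modelled on the "Failed Login detected using..." alerts in the
# post; the source IPs are the seven the post lists, timestamps and usernames are invented.
SAMPLE_LOG = """\
2013-04-15 08:01:12 217.91.109.227 Failed login detected using username 'admin'
2013-04-15 08:01:40 91.82.196.36 Failed login detected using username 'administrator'
2013-04-15 08:02:05 96.56.113.123 Failed login detected using username 'example.com'
2013-04-15 08:02:33 217.91.37.3 Failed login detected using username 'admin'
2013-04-15 08:03:01 118.172.199.204 Failed login detected using username 'admin'
2013-04-15 08:03:29 91.185.3.146 Failed login detected using username 'administrator'
2013-04-15 08:03:58 118.172.201.47 Failed login detected using username 'example'
2013-04-15 08:04:20 217.91.109.227 Failed login detected using username 'administrator'
2013-04-15 08:09:44 192.0.2.10 Failed login detected using username 'sable'
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
                     r"Failed login detected using username '(?P<user>[^']*)'")

def generic_usernames(domain):
    """Names a generic bot guesses: the defaults plus names derived from the site's own domain."""
    host = domain.lower()
    return {"admin", "administrator", host, host.split(".")[0]}

def parse_failures(text):
    """Yield (ip, username) for each failed-login line in the expected format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user").lower()

def analyse(text, domain, per_ip_lockout=5, min_sources=5):
    """Summarise failures against generic usernames; flag a campaign per-IP lockout would miss."""
    # per_ip_lockout: failures at which a typical plugin blocks one IP; min_sources: distinct IPs that look coordinated.
    targets = generic_usernames(domain)
    per_ip, per_user = Counter(), Counter()
    for ip, user in parse_failures(text):
        if user in targets:
            per_ip[ip] += 1
            per_user[user] += 1
    busiest = max(per_ip.values(), default=0)
    return {
        "generic_failures": sum(per_ip.values()),
        "distinct_sources": len(per_ip),
        "per_user": dict(per_user),
        "busiest_ip_failures": busiest,
        # Many sources that each stay under the lockout threshold: blocking IPs one by one never fires.
        "distributed_campaign": len(per_ip) >= min_sources and busiest < per_ip_lockout,
    }
```

On the sample, no address exceeds two failures, so a five-strikes-per-IP rule never triggers, yet seven sources hammer the same generic names, which is the signal worth alerting on.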

What can we do about this?

The first thing to do is update, especially when a security release comes out. WordPress, plugins, and themes should be upgraded regularly. You should also have a reliable and automated backup system.

There are plenty of great security tips around the web that go into great detail, so I’ll sum up a few of my approaches here. Assuming automated backups and regular updating: