Wordpress Security: Stopping Basic Attacks

WordPress Security: Stopping Basic Attacks

This guy / gal wants to steal from you.

This joker wants to steal from you and your users, are you going to make it easy?

One thing I soon discovered after diving into the wordpress world was the prevalence of malicious attacks on even the most innocuous and smallest of sites (for example, the blog of your’s truly).

WordPress is a popular platform, and this has not gone unnoticed by malicious hackers worldwide (henceforth referred to as “crackers” to differentiate them from the benevolent kind, you know the ones who build your software and help the internet run smoothly).

These crackers run massive bot-nets, which do little but ping other servers, looking for common vulnerabilities that will allow them to hijack a machine to be used in further attacks, and / or harvested for valuable data that they can monetize directly.

I actually did not become aware of the prevalence of such attacks until I noticed that my site was crashing frequently (which I was quickly made aware of via my Nagios + WebInject setup, yay!), and discovered that the cause was that the site and database were being over-whelmed by overly frequent requests targeting the relative url called “/xmlrpc.php.” This is apparently how a fairly common attack by the name of, you guessed it, “the XMLRPC attack” works.

Fortunately, my server was not compromised, however I needed to take action to prevent future attacks from bringing the site down. Googling around I found a plethora of plugins which address wordpress security and the XMLRPC exploit in particular. I looked at a few and eventually settled for Wordfence.

The free version of Wordfence has a few useful features you would want in a security plugin such as:

  1. firewall which blocks the most common attack vectors
  2. advanced IP blocking (IP ranges and hostname regexes)
  3. request throttling (useful for preventing your site from being overwhelmed by too many requests)
  4. regular scans of your site’s code base looking for malicious code injections
  5. live traffic monitoring

It also has a useful ( but not security related) caching engine (competitive with some of the more popular ones) which has helped with my site’s performance. Anyways, my purpose isn’t to sell you on one particular plugin or another, just to list a few of the features you might want to look for.

In addition to the plugin I also do regular reviews of my nginx access logs now, and just block IPs directly server-side when I spot malicious activity. This is superior to blocking IPs from wordpress contained logic, as the request is blocked even before reaching the wordpress worker processes – meaning it makes less hops on the machine, and thus causes less server load (alas even blocking takes up some resources, though far less than a request which probes the full nginx + wordpress + db stack). Currently I’m looking into ways to automate blocking from the server side (fail2ban looks promising).

What continues to surprise me however, is how little attention security is given in wordpress installation guides especially given the rather high prevalence of attacks on sites even as innocuous and as small as mine. Given how easy it would be to mention at the end that one should take steps XYZ, install a security plugin and throw out a few recommendations for said plugin, you would think this would be done much more often.

So, if you are running a wordpress site and haven’t done anything yet about security (beyond setting a password :P), take a few minutes and install a well-rated security plugin which guards against the most common attack vectors. Also take a few extra steps such as making sure you have an ultra strong password, preferably auto-generated and absolutely impossible to remember (it’s fine to forget it! Just keep using the email password reset feature.).

This should neutralize the vast majority of cracks you are likely to encounter, which are mostly of the brain-dead / generic type that rarely succeed in hijacking a server, but sometimes do succeed in crashing it.

And well, if the attacks are *not* generic, but are personal, because say, you spilled your latte on some temperamental mastermind in the local cafe and didn’t apologize with sufficient sincerity, then hire a professional security firm or become an expert yourself if you can afford it / have the time :P.

No fancy tricks or popups, simply an article like the above, which I write a few times a month - just for my subscribers.