WordPress security

Just spent a good few hours dealing with a sustained “brute force” attack on a WordPress site… about 3,600 login attempts from 2,500 different IP addresses over 15 hours or so.  I never use admin as a userid and passwords are always strong so they weren’t getting in, but the overhead was slowing the site down.

I’d previously spotted that WordPress security is perhaps not the strongest by default: always going to a fixed URL (yourwebsite.com/wp-admin) to run a fixed module (wp-login.php) is setting things up for a hacker.

A few things which helped beef up WP security and might be useful to other users:

  • Whatever you do, don’t use “admin” or any part of your domain name as a userid!
  • Make sure your passwords are shown as “strong” when you check them.
  • Wordfence Security installed easily and looked pretty good but kept failing with “Fatal error: memory allocation” errors when activated.  The suggested solution is to get more memory allocated to your website, but rather than tackle my host’s tech guys over this I abandoned it for the BruteProtect plugin. The latter seemed to be running fine until, when trying to log in, it told me:

Your IP  has been flagged for potential security violations. Please try again in a little while..

Once I whitelisted my IP this error message seems to have stopped.

  • The Rename wp-login.php plugin also looked worthwhile installing; it simply changes the login URL from “wp-admin” to anything else you specify.
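The attack described at the top of the post (about 3,600 attempts from 2,500 addresses) works out at roughly 1.4 attempts per IP, which is exactly the pattern a per-IP lockout plugin struggles with. The script below is an added example, not code from the original post or from any of the plugins mentioned: it reads web-server access-log lines in the common combined format, picks out failed logins against wp-login.php, and reports both the noisy single IPs (where per-IP blocking helps) and whether the attempts are spread thinly across many addresses (where it does not). The log lines are constructed for the example, and the heuristic that a POST to wp-login.php answered with HTTP 200 is a failed login (the form re-rendered) while a 302 is a successful redirect is an assumption about default WordPress behaviour.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines in combined log format (not from the original post).
# Four single attempts from different addresses, three from one address, then a normal
# user who loads the form (GET), logs in successfully (302) and reaches wp-admin.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Mar/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.3"
198.51.100.7 - - [12/Mar/2014:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.3"
198.51.100.7 - - [12/Mar/2014:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.3"
192.0.2.55 - - [12/Mar/2014:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2014:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2014:10:01:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request method, request path and status code from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_failed_logins(log_text):
    """Return a list of (ip, timestamp) for every failed login attempt.

    Assumption: a POST to wp-login.php that gets a 200 re-rendered the form,
    i.e. the credentials were rejected; a successful login redirects (302).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") != "POST" or not path.endswith("/wp-login.php"):
            continue
        if m.group("status") != "200":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts))
    return events


def summarize(events, per_ip_threshold=3, distributed_ip_threshold=4):
    """Summarise failed logins: who is noisy, and is the attack spread across many IPs?"""
    per_ip = Counter(ip for ip, _ in events)
    total = sum(per_ip.values())
    # Addresses that a simple per-IP lockout would catch.
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    # "Distributed" means many addresses but too few attempts each to trip a per-IP rule.
    distributed = False
    if len(per_ip) >= distributed_ip_threshold:
        distributed = (total / len(per_ip)) < per_ip_threshold
    span_seconds = 0.0
    if events:
        times = [t for _, t in events]
        span_seconds = (max(times) - min(times)).total_seconds()
    return {
        "failed_attempts": total,
        "distinct_ips": len(per_ip),
        "noisy_ips": noisy_ips,
        "distributed": distributed,
        "span_seconds": span_seconds,
    }


if __name__ == "__main__":
    report = summarize(parse_failed_logins(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; the `noisy_ips` list is what a per-IP plugin would act on, while a `distributed` result with a low attempts-per-IP average is the signal that renaming the login URL or adding a challenge in front of it, as the post goes on to do, is the more effective fix.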

WordPress admin lock out

I managed to lock myself out of my WordPress site by putting in the wrong password too many times. Once you’ve done this you, er, can’t log in to your admin area to fix the problem.

An emergency fix which worked for me (as Americans say, YMMV) was to log in to the database using phpMyAdmin, browse the data in the wp_users table and change the user_login value to something else.  Userids get cached by your browser, so clear the browser cookies and history before trying to log in again.