Would You Know If Someone Tried To Crack Your WordPress Login?
Seriously, if you use WordPress for your site, would you know if someone attempted to crack your WordPress login?
Not that long ago I received an email notifying me that someone had been locked out from logging into WordPress on WBOBR.com. Considering I am the only holder of logins for WBOBR and I had not visited it during the time frame I was being notified about, I immediately went to check it out. Sure enough, I had an entire screen filled with unsuccessful login attempts from a wide range of IP addresses.
Of course, my next step, once I realized what was happening, was to check the other blogs I manage; I found a few more that had also received attempts.
By now you may be asking yourself just how I found this out. Well, it certainly wasn’t from looking at traffic statistics; these IPs came from multiple ranges. And it wasn’t from my hosting provider either. The message that clued me in to these attempts came from a plugin I had installed when I first set up WBOBR.com. The name of the plugin is “Limit Login Attempts” by Johan Eenfeldt and it is free at this point in time through the WordPress plugin repository.
So what exactly does “Limit Login Attempts” do, you might ask. Well, it allows you to specify how many times someone is allowed to try to login unsuccessfully. If they reach the number of attempts you specify, it then disallows (locks out) any further attempts from that particular IP address and it logs each and every unsuccessful attempt and lockout. The lockout settings consist of two stages and different time frames can be set for each stage.
For the first lockout, you may want to have it only lock that person out for a short period of time. This lets valid users do a bit of thinking before they try again. The second lockout can be set for the same amount of time, or for any other time frame you believe is suitable. My thought was that if someone was locked out a second time, particularly since I hold the logins, this second lockout should last long enough to ensure I have been notified before they are allowed to try again. It may be in your case that it is a valid user who has simply forgotten his/her password, and you would then be able to help that person out.
The plugin also gives you the option of logging unsuccessful attempts and the option of receiving an email after whatever number of lockouts you specify. This is how I was made aware of the problem. Needless to say, as soon as I did become aware of the situation, I tightened up the criteria considerably.
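The two-stage lockout and the "e-mail me after so many lockouts" behaviour described above can be written down as a small state machine. The following is an added example for this post, not the code of Limit Login Attempts: the class names, the thresholds (4 failures, a 20 minute first lockout, 24 hours from the second lockout on, notification on the second lockout) and the in-memory event log are all constructed for illustration.

```python
"""Two-stage login lockout with notification, modelled on the behaviour this
post describes. Added example; not the plugin's code. Thresholds, durations,
class names and the event format are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    allowed_retries: int = 4            # failed attempts before an IP is locked out
    first_lockout_secs: int = 20 * 60   # stage one: short, lets a real user think
    lockouts_before_long: int = 2       # from this lockout on, use stage two
    long_lockout_secs: int = 24 * 3600  # stage two: long enough for the owner to be told
    notify_after_lockouts: int = 2      # send the notification when an IP hits this count


@dataclass
class IpState:
    failures: int = 0        # failures since the last lockout or successful login
    lockouts: int = 0        # lockouts this IP has earned so far
    locked_until: float = 0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self, policy=None):
        self.policy = policy or LockoutPolicy()
        self.state = defaultdict(IpState)
        self.log = []            # every failure and lockout, the way the plugin logs them
        self.notifications = []  # stand-in for the notification e-mails

    def is_locked(self, ip, now):
        return self.state[ip].locked_until > now

    def record_failure(self, ip, user, now):
        """Register one failed login. Returns 'locked', 'failed' or 'lockout'."""
        s = self.state[ip]
        if self.is_locked(ip, now):
            # Attempts during a lockout are refused and logged, but do not
            # count towards the next lockout: the clock, not the attacker, ends it.
            self.log.append((now, ip, user, "rejected: lockout in force"))
            return "locked"
        s.failures += 1
        self.log.append((now, ip, user, "failed"))
        if s.failures < self.policy.allowed_retries:
            return "failed"
        # Threshold reached: start a lockout and pick its stage.
        s.failures = 0
        s.lockouts += 1
        long_stage = s.lockouts >= self.policy.lockouts_before_long
        duration = (self.policy.long_lockout_secs if long_stage
                    else self.policy.first_lockout_secs)
        s.locked_until = now + duration
        self.log.append((now, ip, user, f"lockout #{s.lockouts} for {duration}s"))
        if s.lockouts == self.policy.notify_after_lockouts:
            self.notifications.append(
                f"{ip} locked out {s.lockouts} times, last username tried: {user}")
        return "lockout"

    def record_success(self, ip, now):
        """A correct password from an unlocked IP clears its failure counter."""
        if self.is_locked(ip, now):
            return False
        self.state[ip].failures = 0
        return True


if __name__ == "__main__":
    # Constructed walk-through: one address hammers the "admin" login twice over.
    guard = LoginGuard()
    for t in list(range(4)) + [10] + list(range(2000, 2004)):
        print(t, guard.record_failure("192.0.2.10", "admin", t))
    for line in guard.log:
        print(line)
    print("notifications:", guard.notifications)
```

Two details are worth noticing: attempts made while a lockout is in force are logged but do not shorten or extend the lockout, so the duration you chose is what actually protects you; and a successful login clears the failure counter but not the lockout count, so the second stage still kicks in the next time that address crosses the threshold.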
One thing that was immediately noticeable was that this was a brute force attack. There was a wide range of IP addresses all attempting to crack the password for the admin login and, of course, for my SherryD login. They were not able to do so, both because of the limits I had put in place and because of another security measure I had taken.
Did you know that your login id does not have to match the name that shows on the blog? One of the first steps I take when setting up a blog is to create a new admin user login and set a strong password. I then delete the original admin login, rename the nickname for the new admin login, and set that as the name to be publicly displayed. Judging by the number of attempts to brute force the admin login, this was a good move. Anyone trying to crack the password for the login “admin” on WBOBR will fail and I will be notified.
Now being notified is a good first step, but how do you handle these attempts and further protect your sites? For that answer, I contacted my Internet service provider, who told me about a function available in my cPanel that would help me out. This function is called the IP Deny Manager and it allowed me to add those IP addresses that “Limit Login Attempts” kept track of to a deny list.
While I added these IP addresses one by one, you are also able to add entire ranges of IP addresses to this deny list. Keep in mind when thinking about doing this that you may inadvertently block valid visitors. Also keep in mind that this list denies access for those IP addresses to all sites you have under that particular hosting account. So if you have more than one site hosted, all of your sites will be protected.
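The step from "a screen full of failed attempts" to "a deny list" can be automated, and doing so also makes the brute-force pattern visible: many source addresses, a single target username. The following Python is an added example, not code from Limit Login Attempts or from cPanel's IP Deny Manager. The log format (timestamp, source IP, attempted username) is constructed for the example, the sample addresses come from the RFC 5737 documentation ranges, and the rendered `Deny from` block is ordinary Apache 2.2-style host access control, assumed here to be the kind of rule a deny manager writes into `.htaccess`.

```python
"""Triage a log of failed WordPress login attempts: flag a distributed
brute-force pattern and turn the offending addresses into a deny list.
Added example; not plugin or cPanel code. Log format and sample data are
constructed; addresses are from the RFC 5737 documentation ranges."""
import ipaddress
from collections import Counter

# Constructed sample records: "<date> <time> <source ip> <username tried>".
FAILED_LOGINS = """\
2013-04-12 03:14:07 192.0.2.10 admin
2013-04-12 03:14:09 192.0.2.11 admin
2013-04-12 03:14:11 192.0.2.12 admin
2013-04-12 03:14:15 198.51.100.7 admin
2013-04-12 03:14:20 203.0.113.44 SherryD
2013-04-12 03:14:21 203.0.113.44 admin
2013-04-12 03:15:02 198.51.100.9 admin
2013-04-12 03:15:10 192.0.2.13 SherryD
"""


def parse_attempts(text):
    """Return (timestamp, ip, username) tuples; skip blank or malformed lines."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, clock, ip, user = parts
        ipaddress.ip_address(ip)  # raises ValueError on a garbled address
        attempts.append((f"{date} {clock}", ip, user))
    return attempts


def summarize(attempts):
    return {
        "per_ip": Counter(ip for _, ip, _ in attempts),
        "per_user": Counter(user for _, _, user in attempts),
    }


def classify(attempts, min_ips=5, min_share=0.5):
    """Distributed brute force: attempts spread over at least `min_ips` source
    addresses but at least `min_share` of them aimed at one username.
    Returns (flag, most-targeted username)."""
    if not attempts:
        return False, None
    s = summarize(attempts)
    top_user, top_count = s["per_user"].most_common(1)[0]
    spread = len(s["per_ip"]) >= min_ips
    focused = top_count / len(attempts) >= min_share
    return spread and focused, top_user


def build_deny_list(attempts, range_threshold=3):
    """Collapse offenders into a /24 once `range_threshold` distinct addresses
    from that /24 appear; otherwise list them singly. A range blocks every
    host in it, including legitimate visitors, so the threshold is a trade-off."""
    by_net = {}
    for _, ip, _ in attempts:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net.setdefault(net, set()).add(ipaddress.ip_address(ip))
    entries = []
    for net, hosts in by_net.items():
        if len(hosts) >= range_threshold:
            entries.append(net)
        else:
            entries.extend(ipaddress.ip_network(str(h)) for h in hosts)
    # Render single hosts without the /32 suffix, ranges in CIDR form.
    return [str(e.network_address) if e.prefixlen == e.max_prefixlen else str(e)
            for e in sorted(entries)]


def render_htaccess(entries):
    """Apache 2.2-style deny block (assumption: what a deny manager writes)."""
    lines = ["<Limit GET HEAD POST>", "Order Allow,Deny"]
    lines += [f"Deny from {e}" for e in entries]
    lines += ["Allow from all", "</Limit>"]
    return "\n".join(lines)


if __name__ == "__main__":
    attempts = parse_attempts(FAILED_LOGINS)
    flag, target = classify(attempts)
    print(f"distributed brute force: {flag}, most targeted login: {target}")
    print(render_htaccess(build_deny_list(attempts)))
```

Run against the constructed sample, the four addresses in 192.0.2.0/24 collapse into one range while the two in 198.51.100.0/24 stay as individual hosts, which is exactly the judgement call the paragraph above warns about: the range is shorter to maintain but may catch a valid visitor on the same network.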
I hope that by sharing this incident with you, you will take steps to ensure that if someone tries to crack your WordPress password, you are made aware of it.
Has someone tried to hack into your blog? Share your experience and your security recommendations in the comments below. I look forward to hearing from you.
To Your Success,
SherryD
http://www.wbobr.com

Sherry this is shocking!! This is very disturbing to see such things affecting our daily routine which is very difficult to see such things to come to some stable position!! I must say that I have started to use https which I found it very useful & same as it helps us blocking cookies for hackers!! Sherry just Google it & try it for sure!!
Is there any sort of foolproof security which can help the WordPress users getting protected from such hackers?? I still have my own doubts!! I am wondering that hackers these days have reached to so much of depth whereby they just wish to grab information which is not secured!! Strange!!
Oh well, hackers will never change... even government sites can get hacked. But it’s always good to make an effort to keep that from happening. Good post!
Very useful plugin. There are more and more hackers around. I also recommend to always update your WordPress as soon as they have new updates. That prevented me from being hacked.
An excellent point John. By the way, kudos on your blog. It looks delicious.
I am not yet convinced if this plugin can really help…Anyway, I am going to try this one…
By default, WordPress allows you to type in incorrect usernames and passwords infinitely. Since there is nothing to stop the attacker, they can try for minutes or hours entering a dictionary list of names and simple passwords in the hope of just stumbling upon the correct one.
I believe you have to stay calm to be able to deal with this situation. The first step before you respond to any security incident is to calm yourself down to make sure you do not commit any mistakes. We are serious about it.
That’s strange! What happened was really bad but good that you had changed the user login password and that you had also kept a strong password to protect your admin account. Good that you took this step soon as you are now able to block all the unwanted IP addresses trying to hack your password. By sharing this blog you have created a sense of awareness in the mind of all bloggers.
Very useful plugin. There are more and more hackers around. I also recommend to always update your WordPress as soon as they have new updates.
Great post on how to secure WordPress login and very useful guide for new bloggers like me! AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. I totally agree with using Limit Login Attempts, this will restrict the hacker from getting access to your account easily.
This is a very useful plugin. I will give you a tip. One Time Password plugin enables you to login to your WordPress weblog using passwords which are valid for one session only. One-time passwords prevent stealing of your main WordPress password in less trustworthy environments, like internet cafés, for example by keyloggers.
That’s seriously strange to hear that someone would have hacked your WordPress login. I wonder what I would have done if ever I was in your place. I would have surely started panicking. But good that now all of us are aware of it that we need to be aware of our WordPress logins being attacked now. I think now everybody would have some precautionary steps taken to safeguard their WordPress login.
Well Oliver, after working in the IT field for many years and seeing the amazing amount of time and effort many people are willing to spend to do something nasty to someone else, it really does not surprise me at all. Just imagine what could be accomplished if they put those efforts to good use.
Thanks for the information. You bet I’m gonna make sure that my website will be well secured in order to avoid the hackers.
In recent days, no website is safe from such attacks. Looks like that plugin is a great one to install in WordPress blogs. I hope web giants will take some strong steps to stop these kinds of attacks.
I think attackers are much more than “spending hours” just trying to get and fish out your passwords. I think there’s more than that–they might actually use some programs and malware to be able to fetch some info from your website. or it could be some factors your website has that makes your blog vulnerable to attacks. For one, I think you should buy a stable hosting and as well as create a database copy or backup whenever you make some changes for your site. It’s quite tedious but it’s only one of the best ways to keep away from the annoying hackers.
Firstly, I am shocked to read that someone actually tried to crack your WordPress login. And secondly, a big thank you for sharing this. I will most definitely secure my login id on WordPress, definitely don’t want my login getting cracked and then hacked. “Limit Login Attempt” seems like a great application, thanks for explaining its pros and cons. I will be sharing this with my friends as well on Facebook so that they can also be safe from these hacker attempts.
I doubt I would have any idea about my log in being cracked. Thanks to you I am aware that this happens. I thought having an alphanumerical password was safe and there was no way to crack it. But it seems like the hackers have gone many steps ahead and are smarter than we thought they were. Thank you for sharing.
This is a shocking prospect that you have suggested. I am not sure what my reaction would be if my password was cracked. All my accounts are connected by the same password as I have a habit of forgetting very easily. But it is great that you have posted here and made everyone aware of this incident that occurred with you.
Well talking about the number of internet attacks taking place these days, it’s not only difficult but impossible to prevent potential threats to your site. The best thing that can be done is to know who has been hacking your account and then take steps to secure it. There is no foolproof security available but surely you can avoid these attacks by changing your password on a regular basis.