y1978

Reputation: 29

Brute force attack / user enumeration

Since last week I keep getting alerts about failed login attempts on my wordpress site.

The first couple of days the attacker used a wrong username and subsequently was locked out after 3 attempts. I use the Sucuri free and WP-Security plugins. The latter one has a login lockdown function.

My surprise came when after a couple of days the attacker found and used my username. I immediately changed it to a new username, thinking that I would be safe. I also used most of the hardening options on both plugins. I specifically checked that the string ?author=n does not provide any results on my website.

Regardless, today I got 3 more alerts that someone tried to log in with this new username, which means I am locked out of my own site for 24 hours.

This leaves me wondering:

a) how is it possible for someone to find my username?

b) is there any other plugin like cerber security that prevents these exploits?

c) is there any rule I can add to .htaccess? (although I believe that Sucuri and WP-Security have added several rules)

many thanks!

Upvotes: 2

Views: 1328

Answers (1)

Mtxz

Reputation: 3869

listing users

A user can list your usernames using:

yoursite.com?author=1

Where the ID is a user_id.

You can prevent it by detecting the author page and redirecting it, for example with this (put it in your theme's functions.php):

// Disable access to author archive pages, which expose the user_login slug
function remove_author_pages_page() {
    global $wp_query;

    if ( is_author() ) {
        // Mark the request as not found, then send the visitor back to the homepage
        $wp_query->set_404();
        status_header(404);
        wp_redirect(get_option('home'));
        exit; // stop WordPress from rendering the author template after the redirect header
    }
}
add_action( 'template_redirect', 'remove_author_pages_page' );

Find username from wp-admin

  • An attacker can find a username by trying to log in on wp-admin
  • If an attacker enters a good username, even with a wrong password, the WordPress error message changes, so the attacker knows that the username exists
  • You can add this code to your functions.php to prevent wp-admin wrong-login error messages from giving away any pieces of information.

code:

// Replace every login error (unknown user, wrong password, ...) with one generic
// message, so the response no longer reveals whether the username exists
function no_wordpress_errors() {
    return '<strong>Error</strong>: check your logins';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

prevent wp-admin bruteforce

This is a solution I really like:

  • It uses the wp-fail2ban plugin
  • Your server needs the fail2ban package installed and configured
  • This package allows you to ban (via iptables) IPs that fail too many times to connect over SSH, or brute-force a port
  • The wp-fail2ban plugin gives you a custom fail2ban jail to add to your fail2ban jails (the WP plugin has complete documentation about it)
  • With both installed, fail2ban will ban IPs that fail too often on wp-admin (at the iptables level, so PHP is not even reached. The attacker, in the end, won't use many server resources, as the server will block his IP. He cannot even reach PHP)

Some other plugins (like Wordfence) also provide some security, but as the requests reach PHP, the attacker uses many more resources. But it needs less technical knowledge to implement.

Upvotes: 4
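As an added illustration of the fail2ban mechanism the answer describes (not code from the post, from fail2ban or from the wp-fail2ban plugin), this Python script replays the maxretry/findtime sliding window over constructed auth-log lines. The log line format, host name, usernames and IP addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth-log sample in the style wp-fail2ban writes to syslog. The line
# format, host, usernames and IPs are assumptions for this example, not from the post.
SAMPLE_LOG = """\
Mar 13 10:00:01 web1 wordpress(example.com)[2101]: Authentication attempt for unknown user admin from 198.51.100.7
Mar 13 10:00:04 web1 wordpress(example.com)[2101]: Authentication attempt for unknown user admin from 198.51.100.7
Mar 13 10:00:09 web1 wordpress(example.com)[2101]: Authentication failure for siteowner from 198.51.100.7
Mar 13 10:00:15 web1 wordpress(example.com)[2101]: Authentication failure for siteowner from 198.51.100.7
Mar 13 10:00:20 web1 wordpress(example.com)[2101]: Authentication failure for siteowner from 198.51.100.7
Mar 13 10:05:00 web1 wordpress(example.com)[2101]: Authentication failure for siteowner from 203.0.113.9
Mar 13 10:30:00 web1 wordpress(example.com)[2101]: Authentication failure for siteowner from 203.0.113.9
Mar 13 10:30:08 web1 wordpress(example.com)[2101]: Accepted password for siteowner from 203.0.113.9
"""

# Matches probes for non-existent users and wrong passwords for real accounts; "Accepted password" does not match.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?: Authentication "
    r"(?:failure for|attempt for unknown user) (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) per failed login; syslog lines carry no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            yield ts, m["ip"], m["user"]

def bans(log_text, maxretry=5, findtime=600):
    """Replay fail2ban's sliding window: an IP is banned once it reaches maxretry
    failures within findtime seconds. Returns {ip: 'HH:MM:SS' of the ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _ in parse_failures(log_text):
        if ip in banned:
            continue  # already dropped by iptables, so fail2ban would see no further lines
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts.strftime("%H:%M:%S")
    return banned

if __name__ == "__main__":
    print(bans(SAMPLE_LOG))  # {'198.51.100.7': '10:00:20'}
```

The fast guesser trips the default jail on its fifth failure, while the IP that fails twice 25 minutes apart stays under the threshold, which is exactly why the findtime window matters when tuning a jail.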
