In a recent article I described the Wordfence plug-in. Today, a continuation of the security thread; you can never have too much of that 🙂

For some time now, brute-force attacks have been on the rise online, especially against sites running WordPress. These attacks try to guess passwords by sending POST requests to the wp-login.php file. With the Wordfence plugin we can limit this activity by setting appropriate firewall rules, blocking access to our site from IP addresses from which bots try to break into the administration panel.

Among the firewall configuration parameters, one element is worth noting: the maximum number of unsuccessful login attempts within a specified time. Exceeding the limit blocks the IP address from which these attempts originate. I assume that you are a fairly conscious user, i.e. you use strong passwords (consisting of upper and lower case letters, numbers and/or special characters) and you never find yourself logging in to your site's panel by trial and error, wondering "what was the password?". If that is the case, I suggest setting the limit as low as possible to block false logins. For example, let it be a maximum of 5 unsuccessful attempts within 1 day. If anyone fails to guess the password five times during this period, Wordfence will block their access to the login page and further attempts will fail. This protection is one of the most effective ways of preventing attacks aimed at guessing the credentials of the site administrator or any of its users.

Most often attackers try a standard username such as "admin". So if you are just setting up your own website on the WordPress engine, consider choosing a different username for the administrator. You can then instantly block the IP of anyone who tries to log in with the typical username "admin". Anyone other than you who tries to log in this way is unlikely to have good intentions. Of course, you can also add other usernames frequently tried by password crackers, such as "root" or "test".


These measures eliminate a significant proportion of threats, but of course not all; for example, they do not protect against some consequences of an attack such as exhaustion of RAM, CPU time or the hourly SQL query quota. I experienced this myself. One IP sent thousands of POST requests to the wp-login.php script. Wordfence blocked access to the form from the attacker's IP address after only a few attempts (as configured), but this obviously did not stop the bot from continuing to send requests en masse. Each such request, despite not being allowed by Wordfence to reach the actual login form, still consumed computing resources and generated SQL queries. This led to my account running out of SQL queries per hour, so my access to the database was temporarily blocked. Put simply, the effect of the attack repelled by Wordfence was that my blog was temporarily unavailable.
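The two rules described above (at most 5 failures per IP within 1 day, plus an immediate block on "admin"-style usernames) replayed over a constructed login log, as an added example that is not part of the original post or of Wordfence itself. The log format, the IP addresses and the usernames are constructed; the replay also counts requests that keep arriving from an IP after it has been blocked, which is the resource-consumption problem the paragraph above describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values from the post: 5 failed attempts per IP within 1 day,
# and an immediate block for usernames that only a bot would try.
MAX_FAILURES = 5
WINDOW = timedelta(days=1)
BANNED_USERNAMES = {"admin", "root", "test"}

# Constructed sample log of POSTs to wp-login.php:
# "<ISO timestamp> <client ip> <username> <ok|fail>"
SAMPLE_LOG = """\
2024-03-01T08:00:00 203.0.113.7 editor ok
2024-03-01T08:01:00 198.51.100.9 editor fail
2024-03-01T08:02:00 198.51.100.9 editor fail
2024-03-01T08:03:00 198.51.100.9 editor fail
2024-03-01T08:04:00 198.51.100.9 editor fail
2024-03-01T08:05:00 198.51.100.9 editor fail
2024-03-01T08:06:00 198.51.100.9 editor fail
2024-03-01T08:07:00 198.51.100.9 editor fail
2024-03-01T09:00:00 192.0.2.44 admin fail
2024-03-01T09:00:01 192.0.2.44 admin fail
2024-03-02T08:30:00 203.0.113.7 editor fail
2024-03-02T08:31:00 203.0.113.7 editor ok
"""


def evaluate(log_text):
    """Replay attempts in order; return (blocked ip -> reason, ip -> hits after block)."""
    failures = defaultdict(deque)     # ip -> failure timestamps inside WINDOW
    blocked = {}                      # ip -> reason it was blocked
    hits_after_block = defaultdict(int)
    for line in log_text.splitlines():
        ts_text, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        if ip in blocked:             # the request still arrives and still costs resources
            hits_after_block[ip] += 1
            continue
        if user in BANNED_USERNAMES:  # nobody legitimate uses these names on this site
            blocked[ip] = "banned username"
            continue
        if outcome != "fail":
            continue
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:   # drop failures older than 1 day
            window.popleft()
        if len(window) >= MAX_FAILURES:
            blocked[ip] = "too many failures"
    return blocked, dict(hits_after_block)
```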

Seeing what was happening, I decided to introduce another security measure by cutting off access to the wp-login.php file. For this purpose I used a small plugin called "Rename wp-login.php" and changed the default address of the admin panel. As a result, anyone who requests the wp-login.php file is redirected to the blog's home page, which is cached by Wordfence and therefore generates minimal or no SQL queries. In this simple way I reduced the risk of bots exhausting the hosting account's computing resources while trying to log in to the site's panel, and hid the panel's address from them at the same time.

I encourage you to test this configuration or a similar one. It is important that our websites are as secure as possible because nobody else will take better care of them than ourselves 🙂 Good luck!


2 Comments

  1. What you propose is good, but on blogs with users logging in it can't be applied. Some hosting companies do something in this direction, e.g. linuxpl displays a popup prompt with two fields where you have to type "wpadmin". Simple and it blocks access for many bots, although not very convenient. Also, as you suggest, a proper plugin will be a good solution.

  2. A worthwhile article 😉
