Sometime last year several of my blogs were hacked and defaced. What basically happened is that someone was able to get admin access to the (hosted) WordPress installations and changed the homepage to one containing a lot of nonsense. These generally contain a lot of words ending in the letter “Z” as well as the words “owned” and “hackorz”. I suspect that access was gained using a “Brute Force Attack”, which means that a piece of software tries every password combination under the sun to gain access. It’s automated and dumb, requiring very little intelligence, skill or finesse. The fact that I still had my username set to “admin” didn’t help, but the less said about that the better. The next step was that the “hacker” changed the admin username & password, effectively locking me out of my account.
So how did I regain access to my blogs, and how have I secured my WordPress installs since? Well, seeing that my security has withstood numerous attacks daily since then, I thought it might be helpful to share this.
Regaining access: I host all my sites & blogs on a server using cPanel. This has a very easy to use visual interface which includes good & easy database management. Part of this interface is the phpMyAdmin tool. This is a visual tool for managing the nuts & bolts of your database. It lets you view & edit every cell in a database. Seeing that WordPress stores all its information in a database, you can look up the cells containing the admin username, password and email. Once you select the correct database you’re presented with a list of tables. Find the right one (it will have “user” in the name) and select the right cell. Then change the username, password and, if needed, the email, and save. Open a tab in your browser and try to log in to your blog. Sometimes the change doesn’t “take” the first time and you might have to do it again. Another trick is to only change the email address, then go to the blog login screen and use the password reminder option to have a password modification link emailed to you.
Once you have regained access to your blog and have undone all the changes, it’s time to secure your blog. The first step is to choose a better username & password combination. However, if you’re like me and don’t want to have to memorize a whole new bunch of logins, you can also secure it using the following methods.
- Firewall: Matthew Pavkov has built an excellent & free WordPress firewall plugin (see above image). You can find it here. The firewall will stop all sorts of malicious attempts to gain access to your blog’s admin interface, be it through URL modification, injected scripts, etc. Install it and play around with the settings. Don’t just switch everything on, as it might block some of your other plugins. Another excellent feature is that you can set it to email you an alert every time it blocks an attack. You will be surprised at the number of times this happens.
- Limit Login Attempts: The above doesn’t protect you against brute force attacks. However, “jonahee” has produced a WordPress plugin which allows you to limit the number of consecutive login attempts per IP address. This extremely handy plugin lets you set the maximum number of consecutive login attempts allowed from a single IP address before this IP address is blocked (locked out) from trying to log in to your WordPress admin account. It also allows you to set how long they will be locked out. Additionally, it keeps a log file of all lockouts. Mine is at 2244 lockouts since I installed it, with multiple lockouts per IP address. Lastly, it will email you a notification every time it locks out an IP address.
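To show what the lockout logic described above actually does, here is an added example (my own illustration, not the plugin’s code) that counts consecutive failed logins per IP address, locks the address out for a set time, keeps a lockout log, and replays a constructed sample of login attempts against it. The limits of 4 attempts and 20 minutes are assumed settings, and the IP addresses and usernames in the sample are made up.

```python
from collections import defaultdict

MAX_ATTEMPTS = 4            # assumed: consecutive failures allowed before a lockout
LOCKOUT_SECONDS = 20 * 60   # assumed: how long a locked-out IP stays blocked

class LoginLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # ip -> consecutive failed attempts
        self.locked_until = {}             # ip -> timestamp when its lockout expires
        self.lockout_log = []              # (timestamp, ip, username) per lockout

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # lockout expired: start counting afresh
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def record_attempt(self, ip, username, success, now):
        """Return 'locked', 'ok', 'failed' or 'lockout' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"                # refused without checking the password
        if success:
            self.failures[ip] = 0          # a good login resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            self.lockout_log.append((now, ip, username))   # this is what gets emailed
            self.failures[ip] = 0
            return "lockout"
        return "failed"

    def lockouts_per_ip(self):
        counts = defaultdict(int)
        for _, ip, _ in self.lockout_log:
            counts[ip] += 1
        return dict(counts)

# Constructed sample: (timestamp in seconds, source IP, username tried, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", "admin", False), (5, "203.0.113.7", "admin", False),
    (9, "203.0.113.7", "admin", False), (12, "203.0.113.7", "admin", False),  # 4th -> lockout
    (15, "203.0.113.7", "admin", False),     # still locked, refused outright
    (1300, "203.0.113.7", "admin", False),   # lockout expired, counts as a fresh failure
    (1310, "198.51.100.2", "editor", False), (1320, "198.51.100.2", "editor", True),
]

def replay(attempts, limiter=None):
    """Feed attempts through a limiter; return the decisions and the limiter state."""
    limiter = limiter or LoginLimiter()
    return [limiter.record_attempt(ip, u, ok, ts) for ts, ip, u, ok in attempts], limiter
```

Running `replay(SAMPLE_ATTEMPTS)` gives the decisions `failed, failed, failed, lockout, locked, failed, failed, ok` and a lockout log with one entry for 203.0.113.7, which is the per-IP tally the plugin's log file reports.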
In my experience these two plugins alone will protect your WordPress install from most (but not all) hacking attempts. There is no such thing as 100% “hack-proofing” something, but I host 14 blogs protected by the above mentioned plugins and there have been no more successful hacking attempts since I installed them. Considering the number of attacks, I think that says a lot.