Beware New WordPress Security Threat: The WordPress Misinformation Virus

The more I’ve worked on the WordPress Simple Firewall plugin, the better I’ve come to understand the problem that is WordPress security.

This takes time. WordPress security has many facets, which are constantly changing as the technology behind it develops.

One of the greatest challenges to WordPress security is education: it’s a complex topic, and implementation isn’t easy. This is a problem we’ve addressed with the WordPress Simple Firewall plugin.

In this article I’ll discuss one of the greatest threats to WordPress security – the Misinformation Virus – and debunk an example myth that’s still being perpetuated by WordPress administrators and security plugins.

The responsibility of a WordPress Administrator is not to know everything but to verify everything

Yes, it’s true, you don’t have to know everything. And this certainly includes all the intricacies of WordPress security.

Securing a WordPress site is not trivial. I know this, not because I’m told it’s not trivial, but because I built the WordPress Simple Firewall plugin from scratch, learning first-hand what’s involved in securing a WordPress site.

Do I profess to know everything? No.

Is there still a lot to learn? Absolutely yes!

What I understand about WordPress security comes from my research into the topic while creating our own WordPress security plugin. It didn’t come from drinking the WordPress security Kool-Aid piped to us from every WordPress security “expert” with an opinion.

This lets me see through the B.S. that’s put out there. And unfortunately there’s a lot of it.

So, what you need to realise from this article, if nothing else, is that you can’t know everything. And that’s okay – it’s okay to rely on information you receive and read on the Internet. BUT…

But, you should always question what you’re told, and ask whether the source of this advice is qualified to be giving it.

Start with me… you should already be questioning whether I’m qualified to talk on this topic. Well, am I?

Who am I exactly?

What do I know about WordPress security?

If you have your doubts, shoot me an email and see what I’m about. Look around the site and the blog for our articles on security and discover whether we know much about WordPress or not.

What’s my point? Do your research.

So what is the Misinformation Virus and how does it spread?

An example of the misinformation virus works like this:

  1. A WordPress security plugin offers FeatureX.
  2. Some WordPress administrators love the sound of FeatureX and implement it on their sites.
  3. These administrators believe FeatureX is important and useful to their site security.
  4. FeatureX may have either been recommended to them by someone on a forum, or the vendor of the actual plugin.
  5. These administrators probably haven’t taken the time to consider fully what this feature means in the context of WordPress security. But the fact they believe it to be important is all that matters.
  6. They love FeatureX. They love it so much that they now also offer help in forums, to their friends, or to anyone that will listen to them, suggesting they use this FeatureX and the plugin that carries it.
  7. Whether the FeatureX is actually important or not doesn’t matter, but it makes everyone feel warm and fuzzy inside. They’ve “secured” their site from a particular threat, and they’re helping others do the same.
  8. And so the misinformation virus spreads.

This Misinformation Virus arises from two core characteristics of this behaviour:

  • Firstly, FeatureX was assumed to be amazing and useful, and effective for the job it was purported to do.
  • Second, after the initial assumptions were made, it was spread to other people in the community as “fact”, and so was rarely, if ever, questioned let alone verified.

Example of the Misinformation Virus pertaining to WordPress Security

Buckle in! Hold on to your hats!

What I’m about to tell you flies in the face of conventional “wisdom” and practice within the WordPress security community. Why? Because this idea has been perpetuated endlessly, by some who think they’re in the know.

But the fact of the matter is, when we take a step back and question certain assumptions we hold to be true, we may find that they’re actually completely baseless.

So let’s take an example of misinformation that I saw (again) today, which finally prompted me to write the article you’re reading:

IP Addresses can be used reliably as a basis of identifying undesirable traffic to a site.

By “undesirable”, I mean for example comment spammers, brute force attackers, DoS attacks, or any such traffic that we wouldn’t normally call legitimate.

What does this mean, exactly? Consider the following features you find in most WordPress security plugins:

  • IP Address Ban-/Black-lists
  • Geo-location blocking, such as country-based visitor blocking
  • Limit login attempts based on IP addresses that fail to login
  • Basically anything that “punishes” an IP address by restricting it from either logging-in, posting a comment, or even loading a page

So why do I call this misinformation? Because it’s wrong – IP addresses cannot, and really should not, be used as such.

To understand this we must first understand a bit more about IP addresses. Below are some important facts relevant to this topic:

  • An IP address identifies a unique location or node on the Internet network.
  • Most nodes on the network are transient… that is, they are allocated an IP address dynamically which will change within a certain period of time.
  • IP addresses can be faked.
  • Geo-location (i.e. the mapping of an IP address to geographical location) is not entirely accurate.
  • A bot-net is made up of hundreds of thousands of machines/nodes – i.e. 100,000s of IP addresses.
  • There are around 4.3 billion addresses available on the standard IPv4 system.
  • When we finally fully move to IPv6, there will be 3.4×10^38 addresses (that’s a LOT by the way!)

There are no awards given for having the largest IP address ban list, and there’s nothing to feel good about completely blocking access to your site by a single node. What matters most is whether a visitor was prevented from causing any disruption.

Ask yourself, do you feel you make your website more secure by blocking a single node at a time on your own little WordPress site?

Do you think that protects you? Does that make your WordPress sites more secure?

Why blocking IP addresses doesn’t make your site more secure

Throughout, when I refer to “node”, I’m referring to a unique IP address on the internet. This could be a computer, a server, a bot, a phone… anything connected to the internet.

Given the characteristics of IP addresses listed earlier, here are some reasons that blocking activity on your site based on IP addresses makes absolutely no sense:

An IP blocked today may not block the same node tomorrow

IP addresses are transient, remember? Most machines connect to the internet with a dynamic IP address as assigned by their internet service provider. So if you block a particular node today, that node may change its IP address an hour from now, and your website will be none the wiser.

IP Blocking doesn’t scale

Remember how many actual IP addresses are available on the net?

Imagine there’s a global, distributed attack against WordPress sites in progress. “Distributed” in this case means that the attacks are coming from hundreds/thousands/hundreds of thousands/millions of nodes spread across the globe.

Each node has a particular IP address. Let’s say you get hit by this attack and most nodes try 3 times per attack. And, your WordPress security plugin blocks an IP address after 3 attempts.

Can you just imagine the size of your lookup table for blocked IP addresses? It’s going to be HUGE!

Not only do you force legitimate users to be checked against this ballooning database, which takes time; you also slow down your server with each database query:

  1. One query to add the IP address to the lookup database (making sure to add it only once, i.e. checking it against all the others).
  2. Then a query to look up the database on every page visit.

These attacks may not overwhelm your server, but the extra strain you place on your MySQL database server might just push it over the edge.
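To put a number on the two-query cost above, here is an added example (my own code, not the article’s or the Simple Firewall plugin’s) that runs the article’s scenario, N nodes each failing three logins against a block-after-three rule, through two in-memory ban lists: one that never forgets, and one whose failure counts and bans expire. The node count, the 10.0.0.0/8 attacker addresses, the 10-minute failure window and the 30-minute ban are constructed assumptions.

```python
"""Added example: permanent vs. expiring IP ban lists under a distributed
login attack. Not code from the article or the Simple Firewall plugin.
Attacker addresses are constructed from 10.0.0.0/8."""
from collections import deque
from ipaddress import IPv4Address

THRESHOLD = 3            # failed attempts before a block (the article's figure)
BAN_SECONDS = 30 * 60    # assumed temporary ban length
WINDOW_SECONDS = 10 * 60  # assumed: failures older than this no longer count


class PermanentBanList:
    """Bans never expire, so every address that ever failed stays in the table."""

    def __init__(self):
        self.failures = {}   # ip -> failure count, never forgotten
        self.banned = set()

    def record_failure(self, ip, now):
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= THRESHOLD:
            self.banned.add(ip)

    def is_blocked(self, ip, now):
        return ip in self.banned

    def tracked(self, now):
        return len(self.failures)


class ExpiringBanList:
    """Failures count only inside WINDOW_SECONDS; bans lapse after BAN_SECONDS."""

    def __init__(self):
        self.failures = {}   # ip -> deque of recent failure timestamps
        self.banned = {}     # ip -> unix time at which the ban lapses

    def _purge(self, now):
        # Linear scan for clarity; a real implementation would use a TTL cache.
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]
        for ip in list(self.failures):
            q = self.failures[ip]
            while q and q[0] <= now - WINDOW_SECONDS:
                q.popleft()
            if not q:
                del self.failures[ip]

    def record_failure(self, ip, now):
        self._purge(now)
        q = self.failures.setdefault(ip, deque())
        q.append(now)
        if len(q) >= THRESHOLD:
            self.banned[ip] = now + BAN_SECONDS
            del self.failures[ip]   # state moves from the counter to the ban entry

    def is_blocked(self, ip, now):
        self._purge(now)
        return ip in self.banned

    def tracked(self, now):
        self._purge(now)
        return len(self.failures) + len(self.banned)


def attacking_ips(node_count):
    """Constructed attacker addresses 10.0.0.0, 10.0.0.1, ... (up to 16M nodes)."""
    return [str(IPv4Address(0x0A000000 + i)) for i in range(node_count)]


def run_attack(banlist, ips, at):
    """Every node fails THRESHOLD times at the same instant, as in the article."""
    for ip in ips:
        for _ in range(THRESHOLD):
            banlist.record_failure(ip, at)


def compare(node_count=1000, attack_at=1_000_000):
    """Return (state during the attack, state after the temporary ban lapses)."""
    ips = attacking_ips(node_count)
    perm, exp = PermanentBanList(), ExpiringBanList()
    run_attack(perm, ips, attack_at)
    run_attack(exp, ips, attack_at)
    during = {
        "permanent_tracked": perm.tracked(attack_at),
        "expiring_tracked": exp.tracked(attack_at),
        "expiring_blocks_attacker": exp.is_blocked(ips[0], attack_at),
    }
    later = attack_at + BAN_SECONDS + 1
    after = {
        "permanent_tracked": perm.tracked(later),
        "expiring_tracked": exp.tracked(later),
        # tomorrow ips[0] may be reassigned by the ISP to a legitimate visitor
        "permanent_blocks_reassigned_ip": perm.is_blocked(ips[0], later),
        "expiring_blocks_reassigned_ip": exp.is_blocked(ips[0], later),
    }
    return during, after


if __name__ == "__main__":
    during, after = compare()
    print("during attack:", during)
    print("after ban lapses:", after)
```

A permanent list is a table you pay to search on every visit, and it still holds an address after the ISP has handed that address to someone else; an expiring list bounds its own size to whatever has failed recently, and its lookup is a hash probe in memory rather than a MySQL query.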

Blocking visitors based on country is a sledgehammer-to-crack-a-nut approach to problem solving

Not only is geo-location an inexact science, you potentially block all legitimate visitors to a site that may be in a country that you’ve blocked. Why should I, as a visitor, be locked out of visiting a site because I’m travelling through India or China, for example?

Is the risk of blocking legitimate foreign traffic worth it because your WordPress security plugin is too lazy to intelligently block bad visitors?

You can never be sure nodes are who they say they are

IP addresses can be faked. I can send information to a server on the internet and tell them my IP is in the US even if it isn’t. Is your WordPress plugin smart enough to detect that?

If someone really wanted to overwhelm your server using fake originating IP addresses, no amount of bad-behaviour IP blocking will help you with that.

Using WordPress to block IPs is grossly inefficient

If your site is really being hammered by a particular set of IPs, you deal with it at the server’s network layer, not on the application (WordPress) layer. I don’t believe IP address blocking using Apache (.htaccess) is viable either.

You need to protect the server itself from suspicious activity, and you or your host can do this at the server level. You can of course use a service like CloudFlare, which uses crowd-sourced data to identify suspicious activity to your website (before it even touches your server).

Note: IP White Listing is not the same as IP Black Listing

IP whitelisting is not the same as blacklisting because the scale is much smaller. When you whitelist an IP for a very specific task, you identify a single node, for a single function/resource.

For example, you could add your (static) IP address to your .htaccess file for accessing your WordPress wp-login.php. That makes perfect sense, though not if your site has hundreds of users.

Identifying particular nodes as being authorized for particular server access makes good security sense, when the resources being accessed are used by a small, limited number of nodes.
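The whitelisting advice above only works if the address you compare against the list is really the visitor’s. The following is an added example of my own, not code from the article or the plugin: it shows the common mistake of believing an X-Forwarded-For header from anyone, beside a version that honours the header only on connections that come from a proxy you actually operate or pay for (a CDN such as the CloudFlare mentioned earlier sits in that position). The proxy ranges (203.0.113.0/24, 198.51.100.0/24), the whitelisted address 192.0.2.10 and the function names are assumptions.

```python
"""Added example: which address to trust before a whitelist check.
Not code from the article or the Simple Firewall plugin. All addresses
and proxy ranges are constructed placeholders, not any provider's real ranges."""
from ipaddress import ip_address, ip_network

# Assumed: the reverse proxies / CDN edges that sit in front of this server.
TRUSTED_PROXIES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Assumed: the administrator's static address from the article's wp-login.php advice.
ADMIN_WHITELIST = {ip_address("192.0.2.10")}


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, forwarded_for=None):
    """The mistake: believe the header no matter who sent it."""
    if forwarded_for:
        return ip_address(forwarded_for.split(",")[0].strip())
    return ip_address(remote_addr)


def client_ip(remote_addr, forwarded_for=None):
    """Return the address to use for access decisions.

    The header is consulted only when the TCP peer is a trusted proxy. It is
    then walked from the right (the hop nearest to us, appended by our own
    proxy) and trusted proxy hops are skipped; the first untrusted address is
    the client. Anything the client itself put in the header sits further left
    and is never reached.
    """
    addr = ip_address(remote_addr)
    if not _is_trusted(addr) or not forwarded_for:
        return addr
    hops = []
    for part in forwarded_for.split(","):
        try:
            hops.append(ip_address(part.strip()))
        except ValueError:
            return addr   # malformed header: fall back to the connecting address
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return addr   # every listed hop was one of our proxies; nothing better known


def login_allowed(remote_addr, forwarded_for=None):
    """Whitelist decision using the carefully resolved address."""
    return client_ip(remote_addr, forwarded_for) in ADMIN_WHITELIST


def login_allowed_naive(remote_addr, forwarded_for=None):
    """Whitelist decision using the header as-is, for comparison."""
    return naive_client_ip(remote_addr, forwarded_for) in ADMIN_WHITELIST


if __name__ == "__main__":
    # Direct connection from an unknown host that claims the admin's address.
    print("naive:", login_allowed_naive("10.9.9.9", "192.0.2.10"))   # True: fooled
    print("careful:", login_allowed("10.9.9.9", "192.0.2.10"))       # False
    # Same claim, but arriving through our proxy, which appended the real peer.
    print("careful via proxy:", login_allowed("203.0.113.5", "192.0.2.10, 10.9.9.9"))
```

Whether the plugin or the web server does the check, the rule is the same: only the hop added by infrastructure you control is evidence of who the visitor is, and a whitelist that reads the header directly is a whitelist anyone can join.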

How To Protect Against The WordPress Misinformation Virus?

Simple. Accept you can’t be an expert in everything, but question the validity and source of the information and advice you receive.

We can’t know everything about everything, but we can get educated about where our information comes from. Before we start giving advice and spreading information, we just need to be informed and actually understand what we’re saying.

When you recommend a plugin, state why you recommend it, and if you feel you can’t do that, that’s okay! All the more encouragement to learn the reason why.

Warm and fuzzy good feelings about a brand are not a good enough reason to advise fellow WordPress administrators… it’s time we educated ourselves and our community better.

Spread The Cure!

If you believe the Misinformation Virus is a serious concern, please share this with others you know, on Twitter or Facebook, or in your community WordPress forums and groups.

Prevention is better than cure! 🙂


Join the discussion 35 Comments

  • Gary Gordon says:

    Paul .. thanks for the informative and important article. I have also found that many server and hosting administrators tend to use the geo-location IP blocking as a preferred method when wanting to build a wall of protection from unwanted and potentially malicious visitors, etc.

    I do hope many people read your article and at least come to the understanding that .. we all need more “good” and “qualified” information and less of what you called the “misinformation virus” of information on the subject of security.

    Thanks,
    Gary

    • Paul G. says:

      Hey Gary!

      Thanks for sharing your thoughts on this.

      The geo-location approach is a common one, but really not practical and actually not altogether reliable in the first place.

      The real fix to this problem is the dissemination of information in a responsible manner, instead of spreading of ideas and opinions on what just feels right/nice/warm fuzzy.

      Thanks again for dropping by and leaving a comment with us! 🙂
      Cheers,
      Paul.

  • Keith Davis says:

    Hi Paul and thanks for putting together an article that makes people think.

    I’m not an expert on WordPress security and that’s why I use your plugin and various other measures to help secure / protect my sites.

    If I could I’d whitelist my IP but I don’t have a dedicated IP – guess I should look into fixing that.

    I’ve thought a lot about going with managed hosting for protection and backups and I’m still looking at that approach.

    • Paul G. says:

      Hey Keith,

      Regarding managed hosting for security – I’m not convinced that this is needed. If your site is high-profile and you’re likely to be the target of some directed, malicious attacks, perhaps yes.

      But WordPress security is all about making sure you’ve battened down the hatches against high volume, broad-scale attacks. You ensure your site flies under the radar effectively and is passed over by most of those styles of attacks that target the weakest in the herd.

      This plugin with all features enabled + something like CloudFlare and you’re pretty safe!

      Thanks for the comment!
      Paul.

  • Patrick says:

    One common misconception I see all the time is the practice of removing your WP version from the source code, which is about as useful as a chocolate teapot.

    An automated attack doesn’t scan the code of your site to see which WP version you are using, it just tries all known exploits. Even with the version number removed there are still plenty of ways to tell which WP version is being used, so in the end you are just blocking other web designers from seeing the WP version.

    And why hide it unless you are using an outdated/vulnerable version in the first place?

    • Paul G. says:

      Hi Patrick,

      I completely agree – this is another security practice that is touted everywhere, as if by some luck hackers aren’t going to try and exploit you just because they don’t know what little number your WordPress is reporting.

      It’s “security through obscurity”, which is a misnomer in itself and is yet another example of an idea that escapes into the wild and becomes a “truth” through broad-scale non-rejection.

      Thanks for the example! 🙂
      Paul.

  • Mark W says:

    Agree with all of your comments Paul. I got caught out with this, and I should have known better. I used one of the very popular security plugins which appeared to be comprehensive. I used it everywhere, until a site was hacked by a group in Tunisia. The popular security plugin did not detect anything, and yet the site was defaced. I was (unrealistically) expecting more from it.
    Anyone that gets locked out of their site by accident knows that you just need to reset the router, you will get a new IP address and can then login with the correct details.

    However what would be more useful in terms of an article is to describe the principles behind your plugin, what it is doing and why it is doing it rather than focusing on the negative aspects of what everyone else is doing. You are not going to change the world in this forum. But for those that are following you, a better understanding of things you can do to protect your site, and common methods used by hackers would be more positive and higher value.

    • Paul G. says:

      Hi Mark,

      Well said… you’re absolutely right that we can definitely do a lot more to share much more of our thinking behind what goes into the plugin. We can do this both on a (semi-)technical level, and explain the principles. Some of our previous articles go into details, but in the way in which you suggest.

      I’ll definitely try to do more like this and hopefully give a much better insight into the workings of the plugin.

      Thank you for taking the time to comment and share your thoughts.
      Paul.

      • Kath C says:

        Hi … first of all … how do I know I can trust you? lol … I’m punting on this and reading with a side eye … but … you seem to make a lot of sense from the relative security noob I am … having said that a recent attack on my hosting server left all of my sites dead … a massive pr issue for my little business … I have learnt A LOT but finding the right information was so hard. This plugin so far seems to be working for me although I am completely self taught with web and WordPress so I have no choice but to rely on the honesty of plugin developers and I find the fact that you make yourself so accessible to be a positive sign I might be on the right learning track … thank you for that … I am still so very timid to use certain functions in security plugins … I have locked myself out a couple of times and used plugins that I’m sure I was using wrong that I then had to recover from … this IP thing has puzzled me too … I know locking out dynamic addresses is impossible and that hackers aren’t that slow at picking up on the ways people use to fight them … I’m sure someone put my details on a hack forum or something as I came under attack from everywhere … I fought them off for two weeks before they got into my control panel and deleted everything from the public server … luckily they left my databases … which I have learned to reconnect to a new install BUT the learning curve from then on when it came to making my sites tight that has been just as big a journey as actually fixing the sites up again … (I’m still rebuilding) … expect to receive lots of questions from here lol … sometimes, for the user like myself, I need a little more explanation about what the impacts of turning on certain features could be across the site when using complementary plugins … at the moment I am relying on this plugin plus another one (which has some additional useful features as well as a great interface for checklisting the security and actioning the tasks for someone who is learning or new to WP security) …

        When I got hacked … I felt really quite ashamed … like I had no business doing this business when I could have this happen (there was also an issue with my backup not working) … I have no real time mentor, so I find them where I find them … reading this was somewhat comforting and warm and fuzzy but not in the way you were discussing … in that, I feel more inclined to not feel so alone with my patchy knowledge, and that there are developers out there who are so very interested in sharing and helping designers like me to create beautiful visions … I came into web through visual design, not IT or development, but I love it soooo much, I like making things work and fixing things when they break. I have a passion for visual communication and presentation … and I have to protect these visions from those that like to break things for fun or for practice … cause boy – there was NOTHING to gain from hacking me … nothing …

        thanks … I’ll continue to watch this forum with a ‘side eye’ 🙂

  • Diane B says:

    I have to commend you a fine article and want to add a few other lessons I learned the hard way here.
    Some security programs infiltrate your root core just like a virus. I went thru 2 of the most popular ones before finding your plugin, and had all kinds of problems that ended up unfixable by my previous host.
    The 2nd one that I think is really outdated for WordPress by now, is the address of Admin to a new account. As a newbie I didn’t know that was a quick way for hackers to get into your site and was promptly hacked. I had to read that in a self help book to change it immediately when it should have been something WordPress tells you.
    I really like Simple Firewall and have Sucuri with it, and have not had any problems. Both programs seem to complement each other well and don’t change root files to do it.

    • Paul G. says:

      Hi Diane,

      Your comment highlights much as the previous commenter, Mark, said about us doing more to highlight what we can and should do to secure our sites. The WordPress Simple Firewall can’t do certain things for you because we refuse to edit core files.

      I’m going to draw up a useful list of topics to write about to help us achieve the things we need to do to better secure our sites.

      Thanks for your comments and sharing your experiences!
      Paul.

  • Dave Franzw says:

    Relevant article, Paul. I’ve been in and out, up and down the security avenue and have come to many of the same conclusions, the primary being that it’s impossible to know it all. Besides, once you do, someone upgrades things and changes what you knew.

    Warm and fuzzy is ok as long as you’re not banking the farm on it.

    Thanks for your input.
    Dave

  • Chris says:

    The misinformation mostly seems to come from people running WordPress that haven’t taken the time to truly understand it.

    I mean, I run an MMORPG and I use WordPress + Woocommerce. I use a custom nginx server that I list on one of my sites, http://zionwp.com/zionx-web-server/

    On http://boi-infinity.com which is a website that is more prone to being hacked than any typical business wordpress powered site. Mainly because players also run VPS accounts all over the world that constantly try to find insecure scripts to inject, or they just like to try and hack the site for whatever reason.. Sadly, You can’t hack it.

    As I mentioned above, I use the custom nginx server, W3 Total Cache. Disk enhanced for pages, xcache for objects and db cause xcache 4 is just fast. I don’t use minify in W3 Total cache, Instead I use Autoptimize plugin using just css and js minification. Obviously I use WooCommerce and a few addons for it but the main security comes from these 3 plugins..

    https://wordpress.org/plugins/wordfence/ The best security plugin I’ve ever found! I have tried them all.. WordFence automatically blocks bot attacks, or hack attempts that we get from butheads who use VPS servers from all over the world to try and hack us, hack wordpress or our site.

    https://wordpress.org/plugins/wp-ban/ I use this to ban IPs from multiple sign ups, plus it allows me to block various problem forums by just adding *thatspamforum.com and so on.

    https://wordpress.org/plugins/stealth-login-page/ changes your admin page.

    Bottom line, I’ve spent more than enough time working on the optimization, but we have a donation shop with Woocommerce so I needed a bulletproof setup!

    You are free to try and hack if you like. Your visit won’t last long..

  • Thnx so much Paul for this article.

    All is true to the letter.

    Verify, verify, verify. Trust and safety is built on this solid concept, especially for admins!
    Ciao!
    Lis

  • Martin says:

    Hi Paul,
    Thanks for a wonderful plugin! I must say I immediately realized that your plugin does what it is supposed to do the day I installed it. I am very happy with it. Thanks for the hard work and also for this article.
    I just want to ask your advice on white-listing static IP addresses. (I am the only user on my website and I normally use 1 of 3 static IP addresses.) Are there any security loopholes in white-listing IP addresses? (Referring to your comment in the article, “For example, you could add your (static) IP address to your .htaccess file for accessing your WordPress site. That makes perfect sense, though not if your site has hundreds of users”.) The reason I ask: I am worried that, if I white-list my static IP addresses, my security plugins might allow somebody that is faking my IP address access into my site. Do security plugins normally bypass firewall security when an IP address is white-listed?
    Again, thanks for this great plugin Paul
    Cheers
    Martin

    • Paul G. says:

      Hi Martin,

      In the case of white listing IP address, this may open you up to problems if your web hosting server doesn’t report the correct IP address of the visitor. If somehow this is compromised, then yes, a visitor could “pretend” to be from your IP address.

      The likelihood of this is incredibly small though since its nature is more complex. WordPress security starts with closing the most obvious holes in your environment and ensuring that logged-in users and administrators have been correctly validated and are entirely legitimate. This will stop by far and away the largest majority of potential problems.

      The minority of remaining threats will come down to poor security practices, mis-configured web hosts and servers, and direct, concentrated attacks on *you* in particular.

      The role of this plugin is to ensure that your WordPress site is shored up against the majority of threats you’re likely to face.

      I hope that helps.
      Paul

  • Nick says:

    Well said Paul, it’s funny that the same people that jump to these misinformation fixes are usually people that are very “worried because WP always gets hacked”. Yet these same worried people are often the ones that are scared to update their site and plugins because they think their site will break. More people should be on the proactive backups and autoupdate bandwagon.

  • CreationP says:

    Hello again Paul.

    I left you a comment also on wordpress support with the same nickname.

    I read the article and I found it extremely well written and comprehensible by non-security people. I am a penetration tester as a profession and I also believe that perma banning ip addresses, let alone geo-location banning, is pointless.

    On the other hand, using a plugin that will ban an ip address for 30+- mins after 3,4,5 failed attempts will, in the end, provide such a huge barrier to someone trying to brute force you for the fun of it (because 90% of hacking happens for the hell of it rather than acquiring something of value). If I create another obstacle between me and the hacker that would be a bonus for me. The same if I remove that wordpress meta version as many wannabes use online cms finders to tell what cms you are running and then launch attacks.

    In short, every well calculating security obstacle that will not make your website unusable by yourself or your visitors is welcome to have even if it is the most minor one. So, banning ip address for a short amount of time is not completely useless.

  • Neil Beattie says:

    I have myself over designed & coded a web application firewall. It is not a WordPress plugin; it is server level and protects any sort of PHP web site using a framework aware rule based system. It does not use blacklisting and I agree that shared distributed IP address blacklists are not good; at least in my own experience.

    My firewall blocks based on its own experience of remote systems making undesirable requests. Being server level, it shares knowledge between sites. A block on one site can instantly block to all sites on the same server (even multiple servers), either temporarily or permanently. We often see attackers try a combination of apparently innocuous things such as probes, as well as clearly malicious things. By blocking sooner, we potentially stop them being successful with an infiltration that we might not have otherwise detected, maybe because we have not seen such an attack before. The only unique bit of information that can achieve that with is the IP address.

    After millions of requests on multiple servers with a huge variety of site frameworks (WordPress, Magento, Drupal, Joomla, Laravel, Yii, Symfony, etc), it works very well. Our server loading has dropped considerably, and from our logs we know that we are not incorrectly blocking anyone.

    Blocking by IP address also does not have to be slow if it is done in a way that leverages database & memory caching technologies. With some task off-loading it is possible to build a profile of ‘bad’ IP addresses, such as those from bad crawlers.

    Currently our servers check most requests within 10ms including processing all the rules and complete with database persistence & logging.

    Blocking by IP address for at least a period of time is extremely beneficial. Many of the attackers & bad crawlers we see *are* repeat offenders from the same IP addresses, rarely using proxy services, and often repeating over many months. Over a period of a few hours we will often see the same remote IP address repetitively try the same attack on the same (yes, same attack and same site!) and on multiple sites, but we already blocked them with their initial requests on first site. Then later on they often try a different attack but they are still blocked.

    Within that 10ms we also do some blocking using GeoIP and our logs contain the data to prove it is useful. Sure, some sites can leverage GeoIP blocking better than others. We block China from most sites because of the huge crawling activity from there, but we do allow China to access some sites that want that.

    We stop blocked requests getting to the framework, so we find a huge reduction in loading by blocking requests earlier. Previously when using security plugins we still had heavy loading from the framework run-up. We no longer see any loading from brute force attacks and have to check our firewall logs to spot them. Our firewall will catch *any* PHP request before it gets to any script execution within the site, which is a failing of most if not all security plugins.

    I do think security plugins such as WordPress Simple Firewall provide very useful features and I encourage WordPress site owners to install a good plugin, but site owners shouldn’t be fooled into thinking a framework specific firewall plugin is capable of blocking all possible attacks, because that is not the case.

    • To start — I’m an enthusiastic user of Simple Firewall.

      But…

      I’m also interested in, and agree with, Neil Beattie’s comment above. About once a day my little Mac Mini server gets crushed with a single-IP attacker who just bangs away on a site. Simple Firewall definitely reduces the load on the server, but eventually MySQL slowly caves and the only solution is to put a single-IP blocking rule in the firewall (and restart MySQL).

      Neil, if you’re listening, I’d love to hear more about your application firewall if it’s made its way to market.

      Bye for now, my box just got its “morning attack” and I need to go put the block in.

      • Back again. Here’s a snippet of the log that I saw when I logged into that box:

        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
        sap.org 162.144.39.67 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"

        That sap.org site is one of about a dozen that I’m running on that little server and the Simple Firewall is configured to block brute-force attacks. But this attack seems to be at a lower level than Simple Firewall can detect and thus the server starts delivering “unable to connect to database” errors on all sites.

        Any thoughts about what to do about this kind of an attack?

      • Neil Beattie says:

        Hi Mike, sorry I haven’t been here for a while and just thought I would catch up with the latest comments. You are getting a very common brute force login, noting that they are not even bothering to provide a referer with the POST.

        A simple .htaccess rule can block these (check if the path is wp-login, check if it has a referer, return a 403/404 if not), although some attackers do use referers so this rule does not work for them.

        The problem with these attacks is that because they pass through the WP framework and any security plugins, they can cause extreme server loading. In fact, I did some tests on a colleague’s server comparing various security plugins that they use and nearly all the sites with security plugins had higher loadings than the sites without plugins, even if the wp-login.php was renamed and didn’t exist.

        The problem was particularly bad with attacks that sent multiple requests at the same time. I’m not sure if WordPress Simple Security was one of the installed plugins, but WordFence was and that was by far the worst loading from an attack.

        That is why we decided against using plugins; it was essential for us that no request would even get to the site framework. Some plugins are very active on stopping brute force logins, but with secure passwords the login wouldn’t ever succeed anyway. For us, it was more important to reduce the server loading with these brute force attempts, so our firewall rules use various mechanisms to stop the login request before it even hits WP.

        Interestingly, what we’ve found is that by robustly blocking these brute force attempts, including intelligent throttling & rate limiting, over time we get significantly fewer attacks. Our servers are just not very tempting for attackers to go for. On colleague servers without our firewall but which do have WP security plugins, the attacks continuously occur, often many an hour, every hour, and at times their server loadings are significant even from just a single site attack.

        We are considering releasing our SiteSentinel firewall to market. It is a more complex product to install than a plugin, although once running there is almost zero management required and no site changes are required.

        I do still recommend plugins like WordPress Simple Security, they can provide useful framework level security, but I believe they should be fronted by a server level firewall, be that on the server itself or through a CDN or similar.

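The two comments above describe a server-level policy for wp-login.php: reject POSTs that carry no referer, and throttle the rest per IP, before PHP ever runs. The script below is an added example, written for this page; it is not code from the post, from the Simple Firewall plugin, or from Neil’s SiteSentinel product. It parses Apache combined-format log lines of the shape Mike pasted (with the leading vhost field), applies that policy to each request, and reports what a front-end rule set would have done. The log lines are constructed (RFC 5737 documentation addresses) and the thresholds (5 login POSTs per 60 seconds) are illustrative assumptions.

```python
"""
Model of a front-end brute-force filter for wp-login.php, replayed over
Apache access-log lines.  Added example, not the page's or any product's code.

The Apache form of the first rule (assumes mod_rewrite is available) is:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{REQUEST_URI} ^/wp-login\\.php$
    RewriteCond %{HTTP_REFERER} ^$
    RewriteRule .* - [F,L]

The Python below is a testable model of that rule plus a per-IP throttle.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format preceded by the virtual host, as in the pasted snippet:
# vhost ip ident user [timestamp] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: an attacker with no referer (192.0.2.10), a real user
# (198.51.100.7), and an attacker that does send a referer (203.0.113.5).
SAMPLE_LOG = """\
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 192.0.2.10 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 198.51.100.7 - - [16/Jul/2015:10:15:01 -0500] "GET /wp-login.php HTTP/1.1" 200 2915 "-" "Mozilla/5.0"
sap.org 198.51.100.7 - - [16/Jul/2015:10:15:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "https://sap.org/wp-login.php" "Mozilla/5.0"
sap.org 203.0.113.5 - - [16/Jul/2015:10:20:00 -0500] "POST /wp-login.php HTTP/1.0" 200 3066 "https://sap.org/wp-login.php" "Mozilla/5.0"
sap.org 203.0.113.5 - - [16/Jul/2015:10:20:01 -0500] "POST /wp-login.php HTTP/1.0" 200 3066 "https://sap.org/wp-login.php" "Mozilla/5.0"
sap.org 203.0.113.5 - - [16/Jul/2015:10:20:02 -0500] "POST /wp-login.php HTTP/1.0" 200 3066 "https://sap.org/wp-login.php" "Mozilla/5.0"
sap.org 203.0.113.5 - - [16/Jul/2015:10:20:03 -0500] "POST /wp-login.php HTTP/1.0" 200 3066 "https://sap.org/wp-login.php" "Mozilla/5.0"
sap.org 203.0.113.5 - - [16/Jul/2015:10:20:04 -0500] "POST /wp-login.php HTTP/1.0" 200 3066 "https://sap.org/wp-login.php" "Mozilla/5.0"
sap.org 203.0.113.5 - - [16/Jul/2015:10:20:05 -0500] "POST /wp-login.php HTTP/1.0" 200 3066 "https://sap.org/wp-login.php" "Mozilla/5.0"
sap.org 203.0.113.5 - - [16/Jul/2015:10:20:06 -0500] "POST /wp-login.php HTTP/1.0" 200 3066 "https://sap.org/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


class LoginGuard:
    """Per-request decision a front-end rule set would make for wp-login.php."""

    def __init__(self, max_posts=5, window_seconds=60):
        self.max_posts = max_posts          # illustrative threshold
        self.window = window_seconds        # sliding window, seconds
        self.history = defaultdict(deque)   # ip -> timestamps of login POSTs

    def decide(self, rec):
        if rec["method"] != "POST" or rec["path"].split("?")[0] != "/wp-login.php":
            return "allow"                  # not a login attempt
        # Count every attempt, blocked or not, so the throttle sees the burst.
        q = self.history[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > self.window:
            q.popleft()
        if rec["referer"] in ("", "-"):
            return "block:no-referer"       # the .htaccess rule
        if len(q) > self.max_posts:
            return "block:rate-limit"       # the throttle for referer-sending bots
        return "allow"                      # reaches WordPress; plugin lockouts apply there


def analyse(log_text, guard=None):
    """Replay log lines through the guard; returns (ip, method, path, decision) tuples."""
    guard = guard or LoginGuard()
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            out.append((rec["ip"], rec["method"], rec["path"], guard.decide(rec)))
    return out


def summarise(results):
    """Count decisions, e.g. {'block:no-referer': 8, 'allow': 7, 'block:rate-limit': 2}."""
    counts = defaultdict(int)
    for _, _, _, decision in results:
        counts[decision] += 1
    return dict(counts)


if __name__ == "__main__":
    res = analyse(SAMPLE_LOG)
    for ip, method, path, decision in res:
        print(f"{ip:14} {method:4} {path:14} {decision}")
    print(summarise(res))
```

Replaying a day of real logs through this before changing the live rules shows how many requests each rule would have stopped, and, more importantly, whether any legitimate logins (a browser POST normally carries the login page as referer) would have been caught. Note that the referer check only buys the big load reduction; the attacker at 203.0.113.5 passes it, and only the throttle slows that one down.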
  • Gail says:

    Hello Paul,

    Thank you for your wonderful plugin. I like it so much. It was easy to set up and seems very thorough to me, plus it doesn’t lock me out like another one I had did on a daily basis.

    I would appreciate it very much if you’d reply to Martin’s question of April 20th above as it has me wondering also:

    “…I am worried that, if I white-list my static IP addresses, that my Security plugins might allow somebody that is faking my IP address access into my site. Does (sic) Security plugins normally bypass Firewall security when an IP address is white-listed?”

    Thank you,
    Gail

  • Fouad says:

    Hi,
    Important article. I agree totally. I started with blocking IPs, and later I canceled that for the reasons that you mentioned in your article.
    Thanks

  • Fiona says:

    Hi Paul,

    Thank you for the informative article! I’ve been doing a lot of research before, and have met with different suggestions like IP blocking, hide WP / PHP version, change login page URL, stop XMLRPC etc.

    And as a layman in WP security, I can’t tell which suggestion is correct and have no time to research them, so that’s why I just use them all. I think that’s the main issue here: most of us don’t have the knowledge to tell right from wrong, so in the hope that some of them will work, we implement them all. That sounds desperate, right?

    But thanks to you and this article, I can begin to understand why IP blocking is not an ideal security measure. Eager to read more!

    Also, your article reminds me of a question in mind for a long time:

    If the admin doesn’t have the server-side security skills to prevent attacks like you mentioned in the article, should he/she use a self-hosted server (such as AWS) or a managed host? Or doesn’t it matter as long as CloudFlare is used?

    • Paul G. says:

      Hi Fiona,

      If you don’t have the server management skills, I would recommend either making use of a really good web host who knows what they’re doing, or hire someone to do it for you. Cheap hosts, with poor security principles and bad server management will likely let you down badly in the long run.

      CloudFlare cannot protect you against poorly managed hosting…

      Thanks!
      Paul.

  • Fiona says:

    Hi Paul,

    Thank you for your advice, I will definitely take that into consideration. Right now I’m using the Simple Firewall plugin + CloudFlare on my self-hosted AWS server to prevent the attacks, hoping someday my boss will start to see the importance of security and give me some budget to switch to a good web host… (sigh)

    And may I suggest, I think it would be great to have a web host check list (what security services should they provide etc.) to help determine a good web host.

    Thanks 🙂

  • george says:

    Hi Paul, thanks for your post, though it is on the lengthy side. I think this problem is a direct fallout of the internet, where any junk can be packaged as information. We may be very concerned about misinformation as it affects the security plugin in particular, but I bet there is a lot of misinformation floating around the net. Some is even packaged as paid products for sale to gullible persons.

    I believe it is incumbent on every webmaster to endeavor to check and cross-check their source of information before dishing it out for public consumption. We can only achieve this noble objective if informed people like you alert us.

    Thanks very much for your concern.

  • Bob Schecter says:

    Nah – this makes too much sense. It’ll never fly.

  • Aleks says:

    Hi Paul,

    Great article. We have seen lots of this when testing out security plugins from various sources, and have read articles about… oh, you must do this and that etc.

    I must say, since we have been using your plugins on a trial over the last month, we have become educated in areas that we never thought existed in WP security, it’s been such a great help.

    We have since removed all 3rd party plugins from all our WordPress sites and only use your plugins.

    AK
