By Gary Nugent

WordPress Hacked

Over the last few weeks, I’ve seen the number of hacking attempts on my sites increase. I get literally hundreds, if not thousands, of alerts from my sites letting me know about Brute Force Attacks, most of which involve someone firing numerous login attempts at my WordPress blogs in the hopes they’ll get access.

While no website can be 100% secure, webmasters can do a lot to mitigate these types of attack. I get these alerts because I’ve installed WordPress security plugins on my sites (and on my clients’ sites) which block this type of attack. Here’s the kind of email I get all too regularly:

Hack Alert Example

Another Hack Alert Example

The above alerts show a couple of things:

  1. That the “admin” username is a very bad choice for any blog as it’s the first username a hacker will try. Many webmasters still use it by default though!
  2. The IP address from where the attack originated.
  3. The time and date of the attack.
  4. The user agent used (these can be spoofed).

When you get hundreds and thousands of these messages, it’s easy to spot which IP addresses that most attacks originate from and then you can have a security plugin block those IP addresses.

Having done that with my own blogs, I found that attacks from blocked IP addresses were still getting through. I contacted my webhost at the time (Hostnine) to get clarification on why that was happening. I never really got any feedback on why or how the attacks were still getting through, though maybe that’s a question better sent to the plugin developers.

I highlighted IP addresses and as two of the main culprits to  Hostnine who reviewed their logs to confirm that they were sources of Bruce Force Attacks. If I was getting attacks from these IP addresses, it was almost certain that other sites on their servers were being hit as well. And other webmasters may not secure their blogs to the level I do. I asked Hostnine to globally block these two IP addresses to protect their customer and they have now updated their fleet-wide firewall rules, preventing further attacks from these IP addresses.

It’s important to have security plugins installed and correctly configured. It’s a pain to find your Inbox flooded with hack attack alerts but it’s one way to identify IP addresses that are consistent offenders. You can then manually block IP addresses by entering them into your security plugins.

If you don’t use security plugins, or your site isn’t built on WordPress, you can still block attacks by editing the .htaccess file.

Put these lines at the top of the file:

Order Deny,Allow
deny from <ip address>

…replacing <ip address> with an offending ip address; e.g. :

Order Deny,Allow
deny from

You can add as many deny from lines as you need, each with its own IP address.

Of course, you do need to get the email alerts to know that your site is under attack. And that’s another reason to use security plugins.

These attacks also have an impact on how your site performs. They’re not as insidious as DDoS attacks (Distributed Denial of Service) attacks where tens of thousands of computers try to access your site at one time, overloading the server and knocking your site offline, but they are a lighter form of it. The more these attempts are made to access your site, the slower or more difficult real visitors will find it to access your site.

I’m reviewing a new WordPress security suite that I’ll be adding by default to my own sites and to future sites I build for clients. This suite blocks the kinds of attack that don’t come though the front door (i.e. through login pages).

wp-site-guardian-boxIn case you want to get this for your own WordPress blogs
Hackers are constantly probing WordPress code and the code for plugins for weaknesses they can exploit to get access to blogs, hijack them and use them to their own end. While a blog can be maliciously defaced by a hacker, a more insidious use for a hacked blog is to inject malware onto a visitor’s PC or for the blog to be used in other nefarious ways.

Don’t ever dismiss securing your blogs as something to worry about later. By then it will be too late. You’ve invested time, energy, money and other resources in building your blog. Don’t see it wiped out because you think security is too hard, too time consuming or that your site just won’t get hit.


Tagged with:

Filed under: WordPress Security