Limiting automated hacks

wordpress

#1

WordPress installs on Dreamhost should have a plugin which limits the number of attempts a user can make at the WordPress login. I’ve just started using a plugin called ‘limit login attempts’, or you could use the old standby ‘login lockdown’. Dreamhost installs without a plugin like these are subject to password crackers. When I installed a new WP site recently I forgot to install the login plugin, and when I looked at a log file I found 755 attempts at wp-login.php in a 5 minute span. The attempt failed, but use that as a warning to make sure you have one of these installed.

For more security info, see the wiki page Harden WordPress and also look at the WordPress site’s hardening info, Hardening WordPress.

One last piece of advice: have a strong password! The crackers have lists and libraries of common passwords, so don’t use a first name or a dictionary word as your password; also, replacing ‘a’ with ‘@’ does not slow the hackers down very much. :slight_smile:

Bill
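The 755 hits on wp-login.php in five minutes were found by reading the raw log by hand. As an added example (not from the original post or from any Dreamhost tool), here is a small Python script that does that review automatically: it parses Apache combined-format access log lines, keeps a sliding window of wp-login.php POSTs per client IP, and reports any IP whose count inside a 5 minute window crosses a threshold. The log lines, the IP addresses and the threshold of 20 are constructed for the example; the combined log format itself is an assumption about what the hosting access.log looks like.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (assumed to be what the access.log uses).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        # drop any query string so /wp-login.php?action=... still matches
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, window_seconds=300, threshold=20):
    """Return {ip: peak count} for IPs whose wp-login.php POSTs in any window reach threshold."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            events.append((rec["ip"], rec["ts"]))
    events.sort(key=lambda e: e[1])  # logs are usually in order, but be safe

    windows = defaultdict(deque)  # per-IP timestamps inside the current window
    peak = defaultdict(int)       # largest window size seen per IP
    for ip, ts in events:
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire attempts older than the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Constructed sample log: one normal visitor, a junk line, and 25 login POSTs
# from a single address inside 50 seconds (the kind of burst the post describes).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2013:13:50:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2013:13:50:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2013:13:50:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'not a log line at all',
] + [
    f'203.0.113.5 - - [10/Oct/2013:13:55:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "python-requests/2.0"'
    for i in range(0, 50, 2)
]

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} login attempts within 5 minutes")
```

Pointing the script at a real access.log (one line per list entry) gives the same per-IP peak counts; the threshold is a judgement call, but a single address posting to the login form dozens of times in a few minutes is not a person who mistyped a password.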


#2

Sound advice. I find I am having to learn new tricks for this sort of thing on a regular basis. I guess hacker robots never sleep.


#3

Good stuff. That must be fairly new because I have several WP One-click installs that don’t have that plug-in. I’m going to look into that.
[hr]
I misread that… you said it should. I thought you said it did.


#4

Brian,

Wordpress on dreamhost gives you a blank canvas in a world of graffiti taggers. :slight_smile: At least here it’s cheaper and more flexible than other places, but PLEASE read how to harden wordpress on dreamhost or you may have a cleanup on aisle 5 at a very inopportune moment.

My elevator summary of the wiki is:

  1. Have a backup strategy that regularly takes backups, moves them offsite, and keeps old ones (see the plugin BackWPup or others). Hacks can go untouched for months; you may be backing up files that are corrupt and allow users to access your site in the future.
  2. UPDATE EVERYTHING ALL THE TIME.
  3. Delete unused themes and plugins; unused themes can be used to hack you even though you’re not using them.
  4. Disable FTP and ENABLE SFTP; only use SSH to log in if you need it.
  5. Pick a STRONG FTP password, and one for EVERY admin account.
  6. Learn about .htaccess and the Dreamhost Apache log files so you can figure out who is doing what on your site.
  7. Only install plugins and themes that are automatically updated.

My $.02


#5

Thanks for the summary! I think I’m doing a pretty good job following those suggestions, except maybe 7 and 8. I just started digging into the apache logs yesterday and I’ve found the difference between what I see on google analytics and what’s really happening is STAGGERING.


#6

Yeah, the content stealer bots will be picked up by Google as they use JavaScript, but the ones trying to break in don’t, so they fly under the radar unless you take the time to review the logs manually.

“domain.com/path/index.php++…++Result:+” type requests can be quickly discovered if stats is enabled, too.


#7

[quote=“kelly7552, post:1, topic:59279”]
Wordpress installs on Dreamhost should have a plugin which limits the number of attempts a user can access wordpress login. [/quote]

phpmyadmin, which is automatically linked to everyone’s database, is also vulnerable to dictionary attacks due to the way it’s implemented here at DH. Get access to your database, then set a new password, and you’re in! Complete account compromised!

Tip: don’t use [font=courier]data.example.com[/font], or [font=courier]mysql.example.com[/font], or [font=courier]sql.example.com[/font], or something like that as your database subdomain. Use a long string of random letters and numbers because an adversary would have to get that right first before attempting a dictionary attack.


#8

It’s more fair to say “WordPress is a blank canvas…” Every plain install is the same really.

kelly7552’s summary is perfect :slight_smile: The only thing I’d add is this: “Practice Safe Internet Habits”.

All the protection in the world is wasted if you get a virus on your PC and it snipes your password. The one time I got hacked, that’s how. :confused:


#9

Bobocat,

Can phpmyadmin be disabled for a hosting plan? So in summary we need to pick really secure passwords for 1) Panel 2) mysql users and 3) mysql databases?


#10

You should always pick really secure passwords.


#11

Definitely. Security by obscurity has its place and shouldn’t be disregarded, especially if you can spare the time to chain a few methods together, but you just can’t beat a good strong unique password on every lock.

I’m guilty of reusing passwords. Bad practice. Shouldn’t do it.


#12

It’s possible, but not easy. The best way I’ve found is to use a single subdomain for all DB access and make it as obscure as possible (8-12 random characters), because it seems that DH’s automatic phpmyadmin backdoor won’t be useful if you don’t know the DB domain. Unfortunately, most people just name it [font=courier]mysql.example.com[/font], so for the vast majority of DBs on DH it’s pretty easy to get a crack at a dictionary attack.

You can see further discussion here and here and here and here.

[quote=“kelly7552, post:9, topic:59279”]So in summary we need to pick really secure passwords for 1) Panel 2) mysql users and 3) mysql databases?
[/quote]

I’ve summarised my thoughts on DH passwords here.
[hr]

There’s a really easy way to reuse passwords safely. My technique is a bit more involved than this, but the idea in brief is to add unique salt to your password. You can do this safely by writing down the salt + obfuscating garbage. For example:

example.com       = pgd%i9@8$43q
mysql.example.com = hH7Ic#98eca*
email.example.com = Cvet%783te(t

In the above list, your obfuscating garbage may be the first 3 characters and the last character, so you just ignore those. Then you just add it to your password. If your password is [font=courier]weakPassw0rd1[/font], then your unique salt + reusable password for [font=courier]example.com[/font] would be [font=courier]weakPassw0rd1%i9@8$43[/font].

You also don’t have to worry about an adversary finding your list of salt because you never write down a) the base password, b) the method of distinguishing between salt and obfuscating garbage, and c) your method of combining the base password and salt.

All you have to do is remember a, b, and c above, which is not hard to do, and you’re set. It also helps to have a system which can reproduce your salt in case you lose the list. If not, make sure you keep multiple up-to-date copies in multiple locations, perhaps under version control in at least two locations, because if you can’t regenerate the same salt and you lose your list, you’re screwed.

Note that the shortcut of just adding the name of the service, or an abbreviation thereof, to your reusable password is not advised. In the above example, [font=courier]weakPassw0rd1examcom[/font] is not good because you cannot trust the service to store your password in an irrecoverable format (which DH itself used to be guilty of). If an adversary gains access to your password for one service, it’s too simple to guess what it would be for other services. Hence, the salt needs to be opaquely tied to the service by means of the list above.

If an adversary were to obtain both your list and an example of your password, then you would have a problem, but the likelihood should be small.


#13

sXi and Bobocat,

Thanks, I’m working on improving my overall pw security and trying not to reuse. So my middle-aged brain means I need a password organizer. Any recommendations? I’m currently using Moxier Wallet on a Mac and it seems to do the job. Any other recommendations?

Bill


#14

I thought I just gave one above.


#15

It would be REALLY helpful if DH had as part of panel a password strength indicator, like with words like ‘strong’ or ‘easily hackable’ or ‘used by elderly on suitcase locks’.

It should also be used for mysql password selection and mysql admin passwords.


#16

That’s easy: passwords < 12 characters from [font=courier][a-zA-Z0-9][/font] + symbols such as [font=courier]!@#$%^&*(){}?+|,.<>-_=/[][/font] are weak. Each additional character > 12 is an order of magnitude increase in strength. At least 15 is a good target to aim for.

This is a good tool for getting a realistic picture of how much entropy is encoded in your password.
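Rather than pointing at an external tool, the estimate in post #16 can be computed directly. As an added example (not from the original posts), the Python below scores a password as length × log2(pool size), where the pool is built from the character classes present, using the symbol set listed in post #16 (25 symbols) plus the usual 26 + 26 + 10 alphanumerics, and applies the post’s thresholds (under 12 characters weak, 15 a good target). It also implements the salt scheme from post #12 so the two can be compared: strip the obfuscating garbage (first 3 and last character, as in that post) from a written-down list entry and append the remainder to the base password. The character-class assumption means the figure is an upper bound: a base like “weakPassw0rd1” is built from words and is worth far less than the bound suggests, which is exactly why the random salt is doing most of the work.

```python
import math

# Symbol set exactly as listed in post #16 (25 characters); any non-alphanumeric
# character in a password is treated as a draw from this class.
SYMBOLS = set("!@#$%^&*(){}?+|,.<>-_=/[]")
LOWER, UPPER, DIGITS = 26, 26, 10


def pool_size(password):
    """Size of the alphabet implied by the character classes present in the password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += LOWER
    if any(c.isupper() for c in password):
        pool += UPPER
    if any(c.isdigit() for c in password):
        pool += DIGITS
    if any(not c.isalnum() for c in password):
        pool += len(SYMBOLS)
    return pool


def entropy_bits(password):
    """Upper-bound entropy, assuming each character was drawn uniformly from the pool."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def length_rating(password):
    """Post #16 thresholds: < 12 characters weak, 15+ the target."""
    n = len(password)
    if n < 12:
        return "weak"
    if n < 15:
        return "ok"
    return "good"


def derive_site_password(base, list_entry, garbage_prefix=3, garbage_suffix=1):
    """Post #12 scheme: drop the obfuscating garbage from the list entry, append the salt."""
    salt = list_entry[garbage_prefix:len(list_entry) - garbage_suffix]
    return base + salt


def strength_report(password):
    return {"length": len(password),
            "pool": pool_size(password),
            "bits": round(entropy_bits(password), 1),
            "rating": length_rating(password)}


if __name__ == "__main__":
    base = "weakPassw0rd1"                      # base password from post #12
    derived = derive_site_password(base, "pgd%i9@8$43q")  # list entry for example.com
    for pw in ("password", base, derived):
        print(pw, strength_report(pw))
```

The base password alone scores roughly 77 bits and lands in the post’s “ok” band on length; the salted version for example.com scores about 135 bits and is comfortably past the 15-character target. The same function makes the point in post #12 about appending the service name: “weakPassw0rd1examcom” scores well on this crude bound, but the bound cannot see that the suffix is guessable from the site name, which is why the scheme uses a random salt instead.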


#17

It was a suggestion for DH to nudge the vast unwashed user community to adopt better password strategies. When Wordpress installed the password strength indicator a lot of people became uneasy that their password was weak; since we are living in a potential world of co-mingled users raising the lowest ships might raise the water level for us all.


#18

We have one, actually! It shows up when you start entering a password into most (if not all) of the password fields in the panel, and it’s tuned to try and give an honest assessment of a password’s strength. Have a look for yourself and let me know what you think. :slight_smile:


#19

Andrew,

My apologies; one of the challenges of being a user since 2004 is that things change and us old people don’t check before we sound off like crazy old men shouting :slight_smile:


#20

I’ve been affixing (still quite crappy) salts for the past year or so. Setting about 10-12 chars of password and adding salt both prefixed and appended to pad it out a bit. For the stuff I really need to protect (read: client data) I do use password tools at 15+ chars and let them worry about it. The old ones are a bit of a concern though; even if no one can really mess with anything important to me, it would still be work to restore some of it and I probably should pull my finger out and go through them all one day.

lmao! tbh I think my grandma has stronger passwords on her lipstick containers than some of my old ones.

I’ve noticed it appear in Panel quite a bit. Good addition!