WordPress is under attack! Watch it! Password Protect it!

What? What do you mean? There’s already a password. Yes, you need to log in when you want to put up a new blog post or do maintenance of some sort. However, that doesn’t mean that you can’t have an additional layer of protection. Not only can you have it, WordPress actually recommends it here: https://codex.wordpress.org/Brute_Force_Attacks

I looked in my nginx access log and I saw a bunch of messages that looked like this:

95.219.148.136 - - [16/Nov/2017:06:34:33 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
95.219.148.136 - - [16/Nov/2017:06:34:34 -0800] "GET / HTTP/1.1" 200 21587 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:48 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:49 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

After some investigation, it appeared to be Sathurbot attacking my blog. It’s a distributed piece of malware that attacks poorly maintained blogs or blogs with weak passwords. The malware tries to attack the wp-login and something else. You can read more about it here: https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/

The first thing I did to counter this was to switch Cloudflare to Under Attack mode. This gives the client a short delay when connecting to your site so that it can’t get to the file. This should stop the entries in the log completely and immediately. Since I don’t want users to see the delay all of the time, I decided, once the attacks slowed, to have nginx password-protect the file, so that nginx asks for a password as well whenever the file is requested. This way, you’ll need to authenticate twice to get into WordPress, but that’s okay. The extra trouble gives me peace of mind that I’m less likely to be attacked.

With nginx, I did it this way:

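# Require HTTP basic auth before the WordPress login page is served.
# Basic auth credentials are only base64-encoded, so serve this over HTTPS.
location ^~ /wp-login.php {
    auth_basic "Administrator Login";
    # Password file; keep it outside the web root and readable by nginx
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    # Once basic auth passes, hand the request to the PHP FastCGI backend
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass php-wphandler;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
}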

The .htpasswd file stores each username together with a hash of its password. You can create it with the htpasswd command that comes with the apache2-utils package. The file would look something like this:

alton:$@AFSADF$SDFapr1$yDoxiXVW$aFe

Now in my logs, I get 401 messages instead of 402 messages.

172.68.242.50 - - [29/Nov/2017:09:36:50 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "134.196.23.66"
172.68.246.96 - - [29/Nov/2017:09:45:48 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "193.93.187.11"
162.158.91.51 - - [29/Nov/2017:09:49:22 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "93.172.55.76"
141.101.77.120 - - [29/Nov/2017:10:08:03 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "41.100.125.248"
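
To keep an eye on these probes over time, the following Python script (an added example, not part of the original post) counts wp-login.php requests per client and status code across both log formats shown in the post. It assumes the trailing quoted field in the later samples is X-Forwarded-For, and it only believes that field when the connecting peer is in a list of trusted proxy networks; the function names, the `CDN` range and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# nginx "combined" format plus an optional trailing quoted X-Forwarded-For field.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<xff>[^"]*)")?\s*$'
)

def client_of(line, trusted_proxies=()):
    """Return (client, path, status) for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, xff = m["peer"], m["xff"]
    try:
        peer = ipaddress.ip_address(client)
    except ValueError:
        return None
    # X-Forwarded-For is attacker-controlled unless a trusted proxy wrote it;
    # the right-most entry is the address that proxy itself saw.
    if xff and xff != "-" and any(peer in net for net in trusted_proxies):
        client = xff.split(",")[-1].strip()
    return client, m["path"].split("?", 1)[0], int(m["status"])

def login_probes(lines, trusted_proxies=(), path="/wp-login.php"):
    """Count requests for the login page per (client, status)."""
    hits = Counter()
    for line in lines:
        rec = client_of(line, trusted_proxies)
        if rec and rec[1] == path:
            hits[(rec[0], rec[2])] += 1
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
CDN = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for the CDN's ranges
UA = '"-" "Mozilla/5.0"'
SAMPLE = [
    f'192.0.2.10 - - [16/Nov/2017:06:34:33 -0800] "GET /wp-login.php HTTP/1.1" 402 195 {UA}',
    f'192.0.2.10 - - [16/Nov/2017:06:34:34 -0800] "GET / HTTP/1.1" 200 21587 {UA}',
    f'198.51.100.7 - - [29/Nov/2017:09:36:50 -0800] "GET /wp-login.php HTTP/1.1" 401 195 {UA} "203.0.113.5"',
    f'198.51.100.8 - - [29/Nov/2017:09:45:48 -0800] "GET /wp-login.php?x=1 HTTP/1.1" 401 195 {UA} "203.0.113.9"',
    f'192.0.2.44 - - [29/Nov/2017:09:49:22 -0800] "GET /wp-login.php HTTP/1.1" 401 195 {UA} "203.0.113.5"',
]

if __name__ == "__main__":
    print(sorted(login_probes(SAMPLE, CDN).items()))
```

The last sample line comes from a peer outside the trusted range, so its forwarded address is ignored and the hit is attributed to the connecting address instead.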

I also know that they’re less likely to hack my site. 🙂

Happy blogging!
