The Linux Page

I see many login attempts on my Wordpress website, yet I'm the only user?!

This happens on all websites. It's not specific to Wordpress.

However, this is when hackers are trying to gain access to your website. They do two or three things. First they choose common user names such as "admin" or your .com name (for example, I have https://stargazerrock.com/ and they used "stargazerrock" as the username!) I saw "administrator" as well.

One way to protect your administrator account immediately is to change your username to something that they are not likely to guess. If your surname is "giraffe", you could use that, or even better something like "giraffe32". The display name is separate from the username, so it does not matter what your username looks like.

Now, to really help you with protecting your Wordpress website, you want to install a plugin that will block many hackers from penetrating your site. I chose this one:

All In One WP Security

The module has a long list of settings that you can go through to turn on various firewall-like features. It will block hackers quickly. Actually, if you ask me, 50% of what that module does should be in Wordpress core. But who am I to say that security matters?!

First Make Backups

If you want to be safe, the module offers you a way to make a backup of your wp-config.php and your .htaccess files. On my end I have scripts that automatically do that so I'm good, but if you don't have such scripts, making those backups is a good idea, just to make sure. The module can also be used to restore those files if the website stops working. That being said, if you get a WSoD (White Screen of Death) then you probably won't be able to restore anything through the site. You'll have to use your SFTP or SSH access in that case.

Making a full backup (if you have that capability) is even better.

Turn On Main Features

First you want to go to the Dashboard and turn on main features from there. I strongly suggest you turn on at least:

  • Admin Username
  • Login Lockdown
  • Basic Firewall

By scrolling down far enough you should see those 3 options.

When on the Dashboard, you also get some stats. Here is one from my website, just a few hours after installing this plugin:

Number of temporarily locked out IP addresses: 368

You are being probed continuously too! (Looking at it 13 days later, I'm at 637 blocked IPs...)

Change Your Username

If you used admin or some such username, you will be asked to change it early on. There is a setting in this module to do just that! You can also go to your account and change your name there.

This is one of the main things you want to do. If you use an easy to figure out login name, then hackers will find it and that's 50% of your credentials found (which is why I don't understand why systems such as Facebook use your email address as your username. Anyone who has your email address only has to find your password to log in to your Facebook account!)

Setup Login Lockdown

With the Login Lockdown feature turned ON, you can define settings to prevent such attempts on your website.

There are several checkboxes. Make sure to have this one checked:

Check this if you want to enable the login lockdown feature and apply the settings below

I did not turn on the Allow Unlock Request. I don't think there is any reason to do that unless you have a large user base. Also, if you have such a user base, you can keep the lockdown duration quite short (like 30 min.)

Next I changed the duration of the lockdown. As I mentioned, I'm the only user on that website so I don't really care if someone else can log in or not. And since I have access to the database, I can unlock myself if required.

Time Length of Lockout (min)

I set this value to a number over 10,000 (typed without the comma.) This means the hackers won't be able to access my system for another week. When they find your username, you must change it. Until then they waste their time AND YOUR BANDWIDTH. That's one very good reason to block them.

The duration will make it nearly impossible for them to guess your username and password since it will be so slow for them to try again. That being said, between IPv4 and IPv6 there are billions of IP addresses and hackers have access to many computers, each one checking one possibility... so it is still possible for them to access your computer. Now, not all hackers have access to that many servers.

As I was at it, I also included a few usernames in this field:

Instantly Lockout Specific Usernames

I really don't need anyone to test with "admin", "administrator", or as shown above "stargazerrock". So banning those hackers immediately saves me some bandwidth quickly.

Make sure to check this field too:

Instantly Lockout Invalid Usernames

Otherwise the names in the Instant Lockout will be ignored.

Finally, to make sure that it works, use the Notify by Email. If you already saw such hits in your Apache logs, that should give you a quick set of emails about the blocks. If you're like me, though, you won't want to keep that on because you're going to get hundreds of blocks and thus hundreds of emails. That would be a terrible waste of bandwidth!

Under that first area, there is a way to enter a list of IP addresses that you do not want to block. It is smart to enter your own IP address there. If you do not have a static IP address, it won't serve you much, though.

Enter Whitelisted IP Addresses

As with the instant lockout list, you have to check the checkbox above it, otherwise the list will be ignored.
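To make the interplay of these Login Lockdown settings concrete, here is an added example (my own code, not the plugin's) that models the lockout logic described above: a failure threshold within a time window, a one-week lockout, instant lockout for banned or invalid usernames, and a whitelist that is never locked out. The setting names, the "giraffe32" account and the TEST-NET IP addresses are assumptions for the example.

```python
from datetime import datetime, timedelta

# Assumed settings mirroring the Login Lockdown options above (names are this example's own).
MAX_FAILURES = 3                              # failed attempts tolerated within the window
FAILURE_WINDOW = timedelta(minutes=5)         # window in which those failures are counted
LOCKOUT_LENGTH = timedelta(minutes=10080)     # "over 10,000" minutes: one week
INSTANT_LOCKOUT_USERNAMES = {"admin", "administrator", "stargazerrock"}
INSTANT_LOCKOUT_INVALID = True                # the "Instantly Lockout Invalid Usernames" box
WHITELIST = {"203.0.113.10"}                  # your own static IP (TEST-NET address, constructed)
VALID_USERNAMES = {"giraffe32"}               # the one real account on the site (assumed)


class LoginLockdown:
    """Per-IP lockout state, as a plugin like this one would keep it in the database."""

    def __init__(self):
        self.failures = {}       # ip -> list of failure timestamps
        self.locked_until = {}   # ip -> datetime when the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def _lock(self, ip, now):
        self.locked_until[ip] = now + LOCKOUT_LENGTH
        self.failures.pop(ip, None)

    def attempt(self, ip, username, password_ok, now):
        """Process one login attempt; returns 'ok', 'failed' or 'locked'."""
        success = username in VALID_USERNAMES and password_ok
        if ip in WHITELIST:                      # whitelisted IPs are never locked out
            return "ok" if success else "failed"
        if self.is_locked(ip, now):              # locked IPs are refused even with valid credentials
            return "locked"
        if success:
            return "ok"
        # Instant lockout: banned names, or any name that is not a real account.
        if username in INSTANT_LOCKOUT_USERNAMES or (
            INSTANT_LOCKOUT_INVALID and username not in VALID_USERNAMES
        ):
            self._lock(ip, now)
            return "locked"
        # Otherwise count the failure and lock once the threshold is hit inside the window.
        recent = [t for t in self.failures.get(ip, []) if now - t <= FAILURE_WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self._lock(ip, now)
            return "locked"
        return "failed"
```

Note that a locked IP is refused even when it later presents the right credentials, which is exactly why you want your own address on the whitelist (or database access to unlock yourself).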

Personally, I do not use the other features. However, if you have many users, you could enter a number of minutes after which they are auto-logged out if they don't use the system. The default in Wordpress is days... (Force Logout tab)

Note: I do not allow registration, and I have Google's reCAPTCHA, so I could protect the registration page with it anyway. But if you do allow registrations, make sure to properly protect that page as well!

Turn On The Apache Firewall

This is called a Firewall even though it's not going to use the OS firewall... it will just block certain URLs and other unwanted stuff when someone attempts to access your site. It's done by Apache, so those requests won't even reach the Wordpress PHP code.

This firewall is used, for example, to completely block access to the wp-config.php file with a 403 (Forbidden) HTTP error code. Too bad we cannot return a 404. That way some systems may think we're not running a Wordpress system! Oh well...

I turned on quite a few things. Again this is mainly for my system, although many of those things are quite useful for any system that runs Apache.

  • Tab: Basic Firewall Rules
    • Enable Basic Firewall Protection
    • Completely Block Access To XMLRPC
    • Block Access to debug.log File
  • Tab: Additional Firewall Rules
    • Disable Index Views
    • Disable Trace and Track
    • Forbid Proxy Comment Posting
    • Deny Bad Query Strings
    • Enable Advanced Character String Filter
  • Tab: 6G Blacklist Firewall Rules
    • Enable 6G Firewall Protection (this includes 5G so no need for both)
  • Tab: Internet Bot
    • I did not use this one. I have had problems with such features and it's not a big deal (such bots don't attempt to log in, although they may be gathering information to do so at a later date...)
  • Tab: Prevent Hotlink
    • If you are really limited in bandwidth, turn this one on. But it actually gives you juice (unless the linking comes from a really bad website...)
  • Tab: 404 Detection
    • Enable 404 IP Detection and Lockout (unless you are limited in Database capacity)
  • Tab: Custom Rules
    • Nothing selected.

I like to see the 404s because they can tell me what hackers are trying to access and thus what to add to better protect my system.

From what I've seen, there is some overlap between various options, but better safe than sorry. It won't slow things down that much because most of these are handled by Apache and a few repeated rules won't hurt too much. The large number of IP addresses in your database is more likely to be a concern once you have locked out millions of IPs...

In regard to the XML-RPC, chances are you're not going to use that feature at all. But if you encounter any problems interfacing with other tools, apps, and websites, this block is probably the cause. Unfortunately, with Wordpress we block that URL here instead of NOT advertising it in the <head> tag in the first place. A bit sad if you ask me (we should do both instead: return a 404 and not put it anywhere, such as the <head> or the HTTP Link: ... field. Oh well.)

Note that once a hacker gets blocked, the IP address is available and you could grab it with fail2ban. I use that on several Linux computers and it blocks all access directly at the firewall. It's marvellous because it really stops as much waste of your bandwidth as it can.
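As an added example (my own code, not the plugin's or fail2ban's) serving both the 404 Detection tab and the fail2ban idea above: it parses Apache combined-format access log lines, counts 404s per client IP, notes requests for the files the firewall rules deny outright (wp-config.php, debug.log, xmlrpc.php), and returns the IPs worth locking out together with the reason. The log lines and TEST-NET addresses are constructed, and the 404 threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format; we only need the client IP, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Files the Apache firewall rules above block with a 403; any hit is a probe, not a user.
SENSITIVE_PATHS = ("/wp-config.php", "/debug.log", "/xmlrpc.php")

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:02 +0000] "GET /missing-image.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""


def parse(log_text):
    """Yield (ip, path, status) for every line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def offenders(log_text, max_404=3, whitelist=frozenset()):
    """Return {ip: reason} for IPs to lock out: too many 404s, or a probe of a denied file."""
    not_found = Counter()
    probes = defaultdict(set)
    for ip, path, status in parse(log_text):
        if status == 404:
            not_found[ip] += 1
        if path in SENSITIVE_PATHS:
            probes[ip].add(path)
    result = {}
    for ip in set(not_found) | set(probes):
        if ip in whitelist:                      # never ban your own static IP
            continue
        if not_found[ip] >= max_404:
            result[ip] = f"{not_found[ip]} x 404"
        elif probes[ip]:
            result[ip] = "probed " + ", ".join(sorted(probes[ip]))
    return result
```

A normal visitor who hits a single missing image stays under the threshold; the dictionary returned is the kind of list you would hand to fail2ban or the firewall.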