
My New Blog is Immensely Popular! (or I’ve been hacked)

Personally, I think this is hilarious. I only set up WordPress a few days ago. There were no posts, no pages, no… nothing.

But, when I check the access logs, I see the tell-tale signs that someone — more likely something (a.k.a. a botnet) — has already attempted to hack my blog.

See here in this excerpt from the access log…

[Image: access log excerpt showing various IP addresses from all over the world]

The login attempts happened during a 90 minute period starting around midnight. There were 184 attempts spread across 52 IP addresses.

(Determined by running grep wp-login access.log | grep -v my-ip-address | sed 's/^\([0-9.]*\)\(.*\)$/\1/' | sort | uniq | wc -l. The sort before uniq matters: uniq only collapses adjacent duplicate lines, so without it an address that reappears after other addresses would be counted more than once. Leaving out the uniq gives the total number of attempts instead of the number of distinct addresses.)
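The same count done in Python, as an added example that is not from the original post: it parses a few constructed lines in the Apache/nginx combined log format, drops the owner's own address (a made-up value here), and reports attempts, distinct source addresses, the per-address breakdown that an IP-based rate limiter would actually see, and the time window of the burst.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format: client IP, two ident/user fields, bracketed timestamp,
# quoted request line, status code, then size/referer/agent which we ignore.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed sample lines (addresses, timestamps and sizes are made up).
SAMPLE_LOG = """\
203.0.113.10 - - [03/May/2015:00:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2015:00:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [03/May/2015:00:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [03/May/2015:00:09:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [03/May/2015:00:09:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2015:01:20:59 +0000] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "-"
"""

MY_IP = "192.0.2.44"  # the blog owner's own address (assumed), excluded like grep -v above


def wp_login_stats(log_text, own_ip):
    """Return (attempts, distinct_ips, per_ip Counter, window_minutes) for
    requests to /wp-login.php that did not come from own_ip."""
    per_ip = Counter()
    stamps = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] != "/wp-login.php" or m["ip"] == own_ip:
            continue
        per_ip[m["ip"]] += 1
        stamps.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    # Duration from first to last attempt; a distributed burst shows up here
    # even though each single address stays under a per-IP limiter's threshold.
    window = (max(stamps) - min(stamps)).total_seconds() / 60 if stamps else 0.0
    return sum(per_ip.values()), len(per_ip), per_ip, window


if __name__ == "__main__":
    attempts, ips, per_ip, window = wp_login_stats(SAMPLE_LOG, MY_IP)
    print(f"{attempts} attempts from {ips} addresses over {window:.1f} minutes")
    print("busiest address:", per_ip.most_common(1))
```

The per-address maximum is the only number an IP-keyed rate limiter reacts to, which is why the distinct-address count and the overall window are the more useful signals for a distributed guess.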

These IP addresses correspond to diverse geographical locations (e.g. Ukraine, Russia, Spain, Chile, Brazil, Colombia). Probably not my dozens of fans across the ocean… desperately trying to read my empty blog in the wee hours of morning.

I had already taken steps to secure the blog (loosely based on advice here). This included adding a login attempt rate limiter (but this particular plugin only works by IP address… so it’s only somewhat effective against a distributed attack).

As an added measure, I chose to create separate accounts for admin and authoring… it’s the same principle as having a root user for infrequent power usage and a limited user for frequent, non-privileged work. Furthermore, the admin account is not named ‘admin’. My hope is that this makes guessing the admin login and password a little more difficult.

Having said that, I admit I’m a total noob with PHP and WordPress. So it’s very likely that dozens of attack vectors remain lurking in the shadows and unbeknownst to me. And if there’s some way to list all accounts then I haven’t really added much in the way of security.

With that in mind, I went ahead and added two-factor authentication via Google Authenticator to be extra cautious. It’s super easy to use and I highly recommend it.

My next security task is to look into the mysterious POST attempts to wp-cron.php. My first instinct is to simply block all such traffic unless it comes from whitelisted IPs.

By the way, welcome to my blog. :)