Wordpress Security Question

boyfalldown

I've always used the limit login attempts plugin for wordpress. It logs access attempts with user names as well. Most of the time the user attempted is 'admin', which doesn't worry me as I changed this when setting up WP. I've noticed a few times lately that the correct user name has been attempted instead. Any ideas how they find this? I hide wp-config one level up from my home page so it's outside of my public HTML folder, and it has permissions of 600 anyway, so I don't see how they could have accessed the database through this. Any suggestions?
 
Are you able to view your apache access/error logs?
Do you have any sFTP/SSH logs?

Might give you a clue...
 
I assume the user name isn't something that could have just been guessed at from the site content? I mean, for example, I have had them try various combinations of the business name, and words like 'camera' and 'wedding' and 'photograph' as user names, none of which come close, but I can see why they would be tried.

Will be watching this thread, interesting to see if there are better ways to make such things secure.
 
Are you able to view your apache access/error logs?
Do you have any sFTP/SSH logs?

Might give you a clue...

It might, but it's going to be very hard to track them back.

I assume the user name isn't something that could have just been guessed at from the site content? I mean, for example, I have had them try various combinations of the business name, and words like 'camera' and 'wedding' and 'photograph' as user names, none of which come close, but I can see why they would be tried.

Will be watching this thread, interesting to see if there are better ways to make such things secure.

No, it's a pretty random name. Not one I use on forums either ;) I thought it was fairly secure, especially with hiding wp-config, but there must be another way to access the database.
 
It might, but it's going to be very hard to track them back.

It's not a case of tracking them back, but determining how that information was compromised. There are a number of possible vectors and some of them would show up in your logs.

I'd suggest re-securing the site as a precaution.
1) Refresh your WP salts - I've never done this but I suspect care would need to be taken.
2) Creating a new WP user/deleting an old one
3) Change the wp db name/wp user/wp user password.
4) Change the db root user password
5) Change sFTP/SSH passwords
6) Change email passwords

Are you using TLS to connect to your Wordpress dashboard?
 
All of these have been done. I'd just like to know how on earth they find out the user name. Changing it seems a little pointless if you can't work out why it happened in the first place.
 
Okay, based on my limited experience and growing interest in website security, I think that if the username is not used anywhere else, then the only possibilities are:

1) key logger or screen grab on a machine from which you have accessed your wordpress site
2) packets captured when you have logged into a session, and if encrypted, deciphered
3) wordpress config file compromised by someone who has accessed the box
4) database server accessed and queried for the username directly
5) compromised email server - when a user is activated on wordpress, an email is sent to them with their credentials
6) compromised email account (it is possible to reset a lost WP password using email address - I'm not sure whether the email sent to the "owner" of the lost password gives the actual username)
7) a successful guess by an attacker

It is possible (although inconvenient) to defeat rate limiting in order to orchestrate a brute force attack by using botnets and a quick search suggests this isn't uncommon with attackers targeting Wordpress.

If there has been some sort of compromise in order for an attacker to harvest the username, your only evidence will be a log file somewhere. It is a needle/haystack scenario.

Is this your own hosting environment or a VPS? It's a good idea to ensure the operating system is fully patched and up to date. Also, to disable SSL3.
 
My hunch would be that the response to an incorrect username/pw is different to the response to a non-existent username/pw, so it's easy for bots to keep on trying till they get at one that actually exists.

I once got hacked, and I think it was because I signed up at a dodgy site with same username/pw that I use elsewhere. So they copied it then profiled me. Ever since I've wondered how many registration-requiring sites there are in all sorts of verticals that use your login to profile you and hack the stuff that really matters.

Just curious, but do you have any analytics functionality in your admin sections that lets you click and visit links? In other scripts I've seen, the admin directory name is also the login name, and clicking on analytics functionality actually shows this full path as an entry.
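The hunch in the post above about the two error messages describes a real username-enumeration oracle: WordPress 4.x wp-login.php answers an unknown user with "Invalid username." but a known user with "The password you entered for the username X is incorrect." The following is an added example written for this page, not code from any poster or from WordPress; make_wp_login is a constructed stand-in for the login handler, the user "qvx7hugh" and the candidate list are invented, and no network requests are made. It shows how a bot turns the message difference into a yes/no test per candidate, and that a single generic message (on WordPress the login_errors filter lets you return one) removes the oracle.

```python
import re
from typing import Callable, Dict, Iterable, List

# Error texts as shipped in WordPress 4.x wp-login.php. Later releases reworded
# them but kept the distinction between "no such user" and "wrong password".
UNKNOWN_USER_MSG = "<strong>ERROR</strong>: Invalid username."
BAD_PASSWORD_MSG = ("<strong>ERROR</strong>: The password you entered for the "
                    "username <strong>{user}</strong> is incorrect.")
# A single message for both failure cases, i.e. what a login_errors filter should return.
GENERIC_MSG = "<strong>ERROR</strong>: Invalid login credentials."


def classify_login_response(body: str) -> str:
    """Attacker-side view of a wp-login.php response body."""
    if "Invalid username" in body:
        return "unknown_user"
    if re.search(r"password you entered for the username", body):
        return "bad_password"        # the account exists, only the password was wrong
    if "ERROR" in body:
        return "ambiguous"           # generic message: nothing learned about the username
    return "success"


def make_wp_login(valid_users: Dict[str, str],
                  generic_errors: bool = False) -> Callable[[str, str], str]:
    """Constructed stand-in for a wp-login.php POST handler (not a real server).
    With generic_errors=False it behaves like stock WordPress 4.x."""
    def login(user: str, password: str) -> str:
        if valid_users.get(user) == password:
            return "<html>Dashboard</html>"
        if generic_errors:
            return GENERIC_MSG
        if user not in valid_users:
            return UNKNOWN_USER_MSG
        return BAD_PASSWORD_MSG.format(user=user)
    return login


def enumerate_users(candidates: Iterable[str],
                    login: Callable[[str, str], str]) -> List[str]:
    """One request per candidate with a junk password. A username is confirmed
    when the server admits that the password, not the username, was wrong."""
    found: List[str] = []
    for name in candidates:
        if classify_login_response(login(name, "not-the-password")) == "bad_password":
            found.append(name)
    return found


if __name__ == "__main__":
    # Constructed site: one account with an obscure login name, like the OP's.
    stock = make_wp_login({"qvx7hugh": "correct horse battery staple"})
    candidates = ["admin", "camera", "wedding", "qvx7hugh", "photograph"]
    print(enumerate_users(candidates, stock))      # ['qvx7hugh']

    hardened = make_wp_login({"qvx7hugh": "correct horse battery staple"},
                             generic_errors=True)
    print(enumerate_users(candidates, hardened))   # []
```

Note that a generic message only closes this one channel; response timing and the lost-password form can leak the same bit, and rate limiting keyed on IP does not stop this probing when each candidate costs a single request from a fresh address.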
 
My hunch would be that the response to an incorrect username/pw is different to the response to a non-existent username/pw, so it's easy for bots to keep on trying till they get at one that actually exists.

They shouldn't be able to. Limit login attempts prevents just this.


I once got hacked, and I think it was because I signed up at a dodgy site with same username/pw that I use elsewhere. So they copied it then profiled me. Ever since I've wondered how many registration-requiring sites there are in all sorts of verticals that use your login to profile you and hack the stuff that really matters.

Just curious, but do you have any analytics functionality in your admin sections that lets you click and visit links? In other scripts I've seen, the admin directory name is also the login name, and clicking on analytics functionality actually shows this full path as an entry.

That's quite an interesting thought about the analytics. They shouldn't be able to profile me from dodgy sites though. I use a different username/password for each site that matters.
 
I once got hacked, and I think it was because I signed up at a dodgy site with same username/pw that I use elsewhere. So they copied it then profiled me. Ever since I've wondered how many registration-requiring sites there are in all sorts of verticals that use your login to profile you and hack the stuff that really matters.

I'd suggest it is okay to use the same simpler password for websites that don't collect critical personal information, including forums such as this. Then use differing, more complex passwords only when you need them - email accounts, bank accounts, amazon, ebay, iCloud etc.


They shouldn't be able to. Limit login attempts prevents just this.

As I explained earlier, rate limiting is based on IP address and it is possible to circumvent.
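The point made twice in this thread, that an IP-keyed lockout is circumvented by spreading the attempts over a botnet, is easy to see in a simulation. The block below is an added example written for this page, not code from any poster or from the Limit Login Attempts plugin; the bot addresses (TEST-NET-2 range), the target account "qvx7hugh" and the guess list are constructed. It compares a limiter keyed on source IP with one keyed on the targeted account under the same distributed attack.

```python
from collections import defaultdict
from typing import Dict, List


class IpLimiter:
    """Lockout keyed on the source IP, which is how the thread's plugin works."""
    def __init__(self, max_attempts: int = 4) -> None:
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = defaultdict(int)

    def allow(self, ip: str, user: str) -> bool:
        return self.failures[ip] < self.max_attempts

    def record_failure(self, ip: str, user: str) -> None:
        self.failures[ip] += 1


class AccountLimiter:
    """Lockout keyed on the targeted account, so every source IP shares one counter."""
    def __init__(self, max_attempts: int = 4) -> None:
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = defaultdict(int)

    def allow(self, ip: str, user: str) -> bool:
        return self.failures[user] < self.max_attempts

    def record_failure(self, ip: str, user: str) -> None:
        self.failures[user] += 1


def run_attack(limiter, target: str, guesses: List[str], bot_ips: List[str],
               attempts_per_ip: int) -> int:
    """Spray wrong passwords at one account, rotating through bot IPs so that
    each IP sends only attempts_per_ip guesses before the next one takes over.
    Returns how many guesses actually reached the password check."""
    delivered = 0
    for i, _guess in enumerate(guesses):
        ip = bot_ips[(i // attempts_per_ip) % len(bot_ips)]
        if limiter.allow(ip, target):
            delivered += 1
        # Every guess is wrong in this simulation; blocked attempts are logged too.
        limiter.record_failure(ip, target)
    return delivered


def compare(bot_count: int = 50, attempts_per_ip: int = 3,
            max_attempts: int = 4) -> Dict[str, int]:
    """Same attack against both limiters. Each bot stays under the per-IP
    threshold, so the IP limiter never trips while the account limiter does."""
    bots = [f"198.51.100.{i}" for i in range(bot_count)]       # constructed addresses
    guesses = [f"password{i}" for i in range(bot_count * attempts_per_ip)]
    target = "qvx7hugh"                                         # constructed account
    return {
        "ip_limiter": run_attack(IpLimiter(max_attempts), target, guesses, bots, attempts_per_ip),
        "account_limiter": run_attack(AccountLimiter(max_attempts), target, guesses, bots, attempts_per_ip),
    }


if __name__ == "__main__":
    print(compare())   # {'ip_limiter': 150, 'account_limiter': 4}
```

The account-keyed counter stops the spray but hands an attacker a way to lock the real user out, so deployments pair it with an unlock-by-email path or escalating delays rather than a hard ban, and keep the per-IP rule as well for the single-source case.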
 
As I explained earlier, rate limiting is based on IP address and it is possible to circumvent.


Did you? Oh. I'm also pretty sure I was aware of that too :). Exactly why I don't bother barring IP addresses.
 
They shouldn't be able to. Limit login attempts prevents just this.

Did you? Oh. I'm also pretty sure I was aware of that too :). Exactly why I don't bother barring IP addresses.


I'm confused.

If there are botnets out there targeting your instance of Wordpress, it should be apparent in your apache/lighttpd access logs, if not in the plug-in you are using to rate limit/block IP addresses for failed log-ins.
 
I guess it's easily done. The limit login attempts plugin does exactly what it says on the tin, and creates a log, which is how I know there is an issue :)

My question is very simple, and was in the first post, how do they find the correct username when wp-config is secured as I described, & how do I stop it?
 
http://www.woothemes.com/2013/09/improve-your-wordpress-security-with-these-10-tips/

"
5. Hide your username from the author archive URL
Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default WordPress displays your username in the URL of your author archive page. e.g. if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs
This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here."


Note to self: another reason not to use WP.
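The author-archive leak quoted above is the one most crawlers actually use, and it works even with no author link on the page: with pretty permalinks enabled, WordPress answers a request for /?author=N with a 301 to /author/<user_nicename>/, so a bot walks N = 1, 2, 3 and reads the slug out of the Location header. The block below is an added example written for this page, not code from any poster or from WordPress; the HTML snippet, the Location headers and the slugs are constructed. It shows both harvesting paths and why the fix quoted above (changing user_nicename in wp_users) works: the URL exposes the nicename, which by default is derived from the login name, and only stops leaking once the two differ.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# href values of the form [scheme://host]/author/<slug>/... ; only the slug is captured.
AUTHOR_HREF = re.compile(r'href="(?:https?://[^"/]+)?/author/([^/"?#]+)')


def author_slugs_from_html(html: str) -> List[str]:
    """Collect author-archive slugs (user_nicename values) linked from a page,
    in first-seen order and without duplicates."""
    seen: List[str] = []
    for slug in AUTHOR_HREF.findall(html):
        if slug not in seen:
            seen.append(slug)
    return seen


def slug_from_redirect(location: str) -> Optional[str]:
    """Pull the slug out of the Location header WordPress sends for /?author=N.
    Returns None when the redirect does not land on an author archive."""
    m = re.match(r"^/author/([^/]+)/?$", urlparse(location).path)
    return m.group(1) if m else None


def leaks_login(slug: str, user_login: str) -> bool:
    """True when the public slug still equals the login name. This approximates
    WordPress's default nicename (sanitize_title of the login) for simple names."""
    return slug == user_login.lower().replace(" ", "-")


# Constructed page fragment and redirect targets, as a crawler would see them.
SAMPLE_PAGE = """
<p>Posted by <a href="http://yoursite.com/author/joebloggs/">Joe</a></p>
<a href="/category/weddings/">Weddings</a>
<a href="/author/joebloggs/page/2/">older posts</a>
"""
LOCATION_BEFORE_FIX = "http://yoursite.com/author/joebloggs/"
LOCATION_AFTER_FIX = "http://yoursite.com/author/k3p9x2r/"   # nicename changed in wp_users


if __name__ == "__main__":
    print(author_slugs_from_html(SAMPLE_PAGE))           # ['joebloggs']
    for loc in (LOCATION_BEFORE_FIX, LOCATION_AFTER_FIX):
        slug = slug_from_redirect(loc)
        print(loc, "->", slug, "leaks login:", leaks_login(slug, "joebloggs"))
```

Changing the nicename hides the login name but still enumerates account IDs, so the complete fix is to refuse the /?author= query and the author archive altogether (a 301 to the home page from a template_redirect hook is the usual approach) while keeping the login error message generic.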
 
I can see how this confusion has arisen. "Limit log-in attempts" could work in a number of ways and I doubt I've used the plug-in that you are using.

How does it restrict log-in attempts? Does it stop someone from a given IP from making further attempts at logging in once they have had so many goes? Or does it prevent a given user account from logging in for a period of time?
 
http://www.woothemes.com/2013/09/improve-your-wordpress-security-with-these-10-tips/

"
5. Hide your username from the author archive URL
Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default WordPress displays your username in the URL of your author archive page. e.g. if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs
This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here."


Note to self: another reason not to use WP.

That's really useful. Thank you.

I can see how this confusion has arisen. "Limit log-in attempts" could work in a number of ways and I doubt I've used the plug-in that you are using.

How does it restrict log-in attempts? Does it stop someone from a given IP from making further attempts at logging in once they have had so many goes? Or does it prevent a given user account from logging in for a period of time?

It restricts IP addresses based on the number of attempts made from that address
 
I've had a quick crawl of the site (assuming it's the one in your signature) and I can't find any links to archives or author pages.
Without a link spelling out username, a webcrawler/bot would have to guess it anyway. It's possible that a web crawler has done exactly that.

That said, I have a fairly vanilla Wordpress instance here and http://wordpressinstance/authors/myusername and http://wordpressinstance/archives/myusername don't work.

Unfortunately I can't give it much more time/attention just now.

My question is very simple, and was in the first post, how do they find the correct username when wp-config is secured as I described, & how do I stop it?

The only person who truly knows is the culprit. The next best person to find out is you.
 
Have you had a look at this plugin for Wordpress >> https://wordpress.org/plugins/better-wp-security/

I run a wordpress website for a local club and get about 50 attempted logins to my ACP each week; no-one else has access to it except me. The plugin does a pretty good job of hiding various files (wp-config etc.) from prying eyes if you choose. Also, because of the hassle it would cause me if it was hacked, I use a 4 word phrase for the username, sometimes more, sometimes less. It usually consists of some local slang words or very old Scottish words. As most hackers seem to originate from abroad, guessing the username would be hard for them; the password is a similar method.

I know changing username/password now and again is a pain in the bum, but it's the only way you'll keep them out.
 
Have you had a look at this plugin for Wordpress >> https://wordpress.org/plugins/better-wp-security/

I know changing username/password now and again is a pain in the bum, but it's the only way you'll keep them out.

+1 for the plugin.

As for renewing the password - if it's not used anywhere else and never disclosed, then there's no need to change it.
It's a bit like buying a lottery ticket - your odds of winning are the same whether you use the same numbers each week or pick new ones. Better to have a longer complex password that you don't change instead of a shorter one that you do change.
 