Tag Archives: captcha

Hack Attack 2014!

Screen Shot 2014 12 03 at 11 14 07 AM

So, per a previous blog post on security, this is why you don’t use an obvious username. If you look at the number of emails in my inbox, there are 316. There were actually over 400. The night before, there were 18. Each email represents 4 attempts to force break one of the sites I host so that’s around 1600 attempts to guess the password.

The site in question has a math captcha, so this really shouldn’t be happening at all. I guess someone found a way to nullify the WordPress math captcha I paid $8 for: these things happen. On the other hand: basic security does the trick here. The username they are trying to hack is the wrong one. They are basing it off of the URL: the username they are trying is the URL…

It seems they have the wrong username. I'm not going to give them any help figuring it out!
It seems they have the wrong username. I’m not going to give them any help figuring it out!

Guess what, that’s not the actual user name! So even if they somehow stumbled across the right password, they would have to have the right username and, in this case:

1. It has nothing to do with the name of the site.

2. It’s not admin, administrator, webmaster, or any conventional user name.

So- they won’t be able to hack the site this way no matter how hard they try. To summarize, use basic security precautions: nonstandard username, strong password, and set profile so name of avatar on posts is not the same as the username. On a multi-user site, give each user only the access privileges they actually need and no more. Do these things, and all will be well even if people try to hack you (as they did here)

It was a pain to delete the 400 email notifications- but that’s part of the trade I guess, and why people get paid money to host! Other people anyway- the clients still haven’t paid. That’s ok though- I altered the site to reflect that and it makes me feel better!


A basic primer on security for WordPress, update on current projects

So, this little experiment is still going fairly well. So far, there’s another wordpress site that went up, here. It’s a musician site for Nashville-based songwriter Lisa Carver. Very basic, using the WordPress spun theme. The design might shift with feedback from the client. I’m reminded thought that even the best design is useless unless there is content and the site is maintained. There’s a section for upcoming shows, but unless information on the upcoming shows is actually in there, there’s no point in even having it. Maintaining a website on even a basic level is work. It’s not much work, but it does take a little bit of doing.

Which is why I’d like to continue the adventure by talking about WordPress security. My friend Greg taught me most of what I know about coding when I took a free class he taught (information about that here if you are interested in learning some about basic PHP, HTML, mySQL, and C#) He also taught some about basic WordPress security. I followed at least some of it, and it definitely helped. Most of it is common sense, but it’s crazy how often it is disregarded. And it’s come into play already, as people already have tried to hack this site many times.

A friend of mine told me that WordPress had a bad rap for security. From what I’ve seen so far, that’s basically undeserved, but: I can see how if you didn’t take basic precautions during the install, you could leave yourself open. For example, during the installation of WordPress, it has a checkbox for “limit login attempts.” This means that if someone has a program or script that will repeatedly try to log in using different passwords, after a certain number of tries (I think the default is 8) they will lock them out for 20 minutes. If this happens 4 times from the same IP they’ll lock them out for a day.

So if someone who doesn’t know what they are doing unchecks that box, the site is wide open to this kind of hacking. But the box is checked by default. When I tightened up the security on this site, I reduced the number of failed login attempts to 4, and put a 24 hour lockout after I think 2 times. You can do that. And people still try to hack the site.

This person attempted to hack the "admin" username. Which doesn't actually exist!
This person attempted to hack the “admin” username. Which doesn’t actually exist!

See the image. This has been happening a lot. There’s something you can do to eliminate that completely, which I will talk about later, but there’s something else I’d like to mention.

If the “Limit Login Attempts” plugin is active, you’ll get a notification email like the one above every time someone tries to hack you. There’s some actions you can take. For one, you can go into cPanel (what I used to install WordPress) and block the IP- the problem with that is hackers usually aren’t trying to hack from their own IP- they’re doing it through another computer they’ve already compromised. So that won’t actually stop it. I’d like to point out though the username they are trying to hack: admin.

My administrate username is not admin. You should never never never use “admin” as a username. The username/password combination is what keeps your site safe, if you use “admin” you’re giving them half the battle. By trying to hack “admin” they’re targeting people who aren’t taking basic precautions. Don’t be that person.

The other username I’ve seen them try to hack is “akeythatshouldnotbeused.” Again, a good guess, it’s the name of the site, and also the author name on the posts. However, WordPress allows you to set it so that the name of the author displayed on the posts is different from the username of that author. Do this! If you do that, hackers will have nothing visible to indicate what your username might be and will be starting from zero.

Third thing is to use a strong password. Pretty basic, and WordPress forces you to use a password of a certain strength, but here’s a basic rule of thumb. Don’t use your name or birthday. Use at least 10 characters. Use letters and numbers with at least one capital letter, at least one symbol, and at least one special character. Also, WordPress allows spaces (something a lot of passwords don’t) so I’d do that to.

So, for example, here’s a weak username password combination for a person named Jane Doe. Let’s say she’s 34:

username: admin
password: password

(don’t EVER use “password as a password. that’s the first thing they try)

let’s say jane has a boxer named Prometheus. this would be a pretty decent username/password combo

username: janedoe
password: prometheusthedog
or this would be even better:
username: prometheusthedog
password: 0891EnajEod!

In this case, her password is her birth year backwords, her name backwords with the last letter capitalized, and an exclamation point, and her username is not her name (in case she’s being hacked by someone who knows who she is. That’s pretty strong, and would be very easy to remember, and very hard to guess even by someone who knew her very well. If you changed the order of the birth year and her name and used some other character than an exclamation point or substituted a number for letters of her name or used spaces, it would be nearly impossible to guess that kind of password even by someone who read this article and knew it was created using that method. Finally, here’s an alternative, very unorthodox philosophy for passwords that is also strong:

username: prometheus
password: I Am Jane Doe And I Am Awesome!

This is a sentence, very easily rememberable to Jane. Note a few things though, all of which make it harder for a script to hack: 1. The length.  2. The presence of capital letters. 3. The presence of spaces. 4. Special characters.

If you have login attempts limited and are using a strong password, your odds of being hacked in this way are almost nil. They drop even more if you use a Captcha. BWS sells a math Captcha for I think about ten bucks. I am not using it on this site yet, but I use it on all my clients sites, and it eliminates this kind of attempt completely. Eventually someone will write a program that sidesteps that, but it seems to work good for now.

So to recap, here’s the basic WordPress security steps:

On install:

1. Make sure “limit login attempts” box remains checked.

2. Use a username other than “admin” that is not your own name.

3. Use a strong password.

4. Change the name of the database to something other than the default (I didn’t talk about this, but it’s the same deal. If you use a naming convention other than the default it makes it harder to hack)

5. Change your author profile so the publically shown name is different from the username.

6. Shell out ten bucks for a Captcha.

That’s it. Do that and your site will be pretty darn secure.