I panicked quite a bit when I discovered someone had been repeatedly hitting xmlrpc.php on my install of WordPress. I didn’t realize it was happening until my host alerted me that I was potentially going to exceed resources for the month.
I wasn’t sure what the cause of the overage was initially, so I had to rely on my host’s reporting and server logs. (Poring through weeks of logs sucks, by the way.) My host’s reports showed me the files that were being reported most often. I then searched through logs to see which IP addresses were accessing them most often.
My first step in stopping the attack was to block offending IP addresses via
# 'Files *' applies to ALL files.
<Files *>
    order allow,deny
    allow from all
    deny from 18.104.22.168
    deny from 22.214.171.124
    deny from 126.96.36.199
    deny from 188.8.131.52
    # and so on...
</Files>
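The log search described above can be scripted. The following is an added example, not code from the original post: it assumes the server writes Apache "combined" format access logs, and the function names, the threshold and the sample log lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format is assumed; adjust the pattern to your host's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# The two endpoints the post mentions.
WATCHED = ("/xmlrpc.php", "/wp-login.php")

def count_hits(lines, watched=WATCHED):
    """Count requests per (ip, endpoint). Assumption: only POSTs are counted,
    so ordinary GETs of the login page are not treated as attempts."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path in watched:
            hits[(m["ip"], path)] += 1
    return hits

def offenders(hits, threshold):
    """Return sorted IPs whose total watched-endpoint hits reach the threshold."""
    totals = Counter()
    for (ip, _path), n in hits.items():
        totals[ip] += n
    return sorted(ip for ip, n in totals.items() if n >= threshold)

def deny_lines(ips):
    """Format IPs as 'deny from' lines in the style of the block above."""
    return [f"deny from {ip}" for ip in ips]

# Constructed sample input, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2014:04:11:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
    '203.0.113.7 - - [12/Mar/2014:04:11:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
    '203.0.113.7 - - [12/Mar/2014:04:11:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
    '203.0.113.7 - - [12/Mar/2014:04:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2911 "-" "-"',
    '198.51.100.23 - - [12/Mar/2014:04:12:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2911 "-" "-"',
    '198.51.100.23 - - [12/Mar/2014:04:12:40 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 2911 "-" "-"',
    '192.0.2.10 - - [12/Mar/2014:04:13:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2911 "-" "-"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    hits = count_hits(SAMPLE_LOG)
    for (ip, path), n in hits.most_common():
        print(f"{n:5d}  {ip:15s}  {path}")
    print("\n".join(deny_lines(offenders(hits, threshold=3))))
```

To run it against a real log, pass an open file object to `count_hits` instead of `SAMPLE_LOG` and pick a threshold that fits your normal traffic.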
Because I’m not using any apps to publish to my site, I removed the xmlrpc.php file from the site’s root folder and replaced it with an empty file.
My next step was to install Better WP Security. It tracks failed login attempts and auto-blocks after a set number of failed attempts. It allows you to obfuscate the location of /wp-login.php. It also walks you through a whole host of other recommended changes to better secure your installation. I’ve tried several other security plugins, and this was my favorite, by far.
Better WP Security emails you whenever there are too many failed login attempts using a particular user name. I deleted the ‘admin’ account long ago, and created a ‘cdharrison’ account instead. I started getting notices that several IPs were trying to log in using ‘cdharrison’. (That freaked me out a bit, but was probably a little too predictable of me.) So, I created a new admin account, logged in as it, deleted ‘cdharrison’ and attributed all of the posts to the new account.
So… so far, so good. I’m not going to pretend my site’s completely invulnerable right now, but it’s in much better shape than it was. So, thank you random internet buttholes: Your attempts to compromise my site have made me consider security quite a bit more than I used to.
What’re you doing to keep your WordPress site secure? Have any best practices you’d share that aren’t covered in the Codex: Hardening WordPress?