Brute force attack on one of my sites - this one is actually concerning.

[draggar]

While they went though the standard list of passwords the passwords this one actually had the CORRECT admin login (just not password).

When I make a site with WP the first thing I do is that I make another user (not too easy to figure out, either) and give them an admin role. Then, I log in as the new user and make the "admin" account "no role for this user". I also change the new user's display name to "admin". The site doesn't have many posts so I was able to check all the posts and all of them show "admin" as the login.

My system is clean, no viruses, etc. so the only way I can think of is if they got access to the actual database (complicated password)or somehow got an undetectable keylogger on my system (and if so, how come they don't have the password?).

This attack is also coming from the same IP address with other similar attacks on other sites - attempts ranging in the thousands of attempts.

Looks like I need to start changing admin logins as often as I change passwords now. Does anyone have an idea on how the script kiddie could have gotten the login itself (and how I can prevent this from happening again?)?

 

[tetrapak]

It might sound harsh, but if it's a site that brings considerable amount of money, or if it has good potential, then move it away from WP asap. I'm re-developing the few WP sites that are working well currently also. WP has way too many risks.

 

[draggar]

The site makes no money but I'm sure the attack was politically motivated (the site is highly political and controversial - it exposes a truth that a large # of people don't want out (not conspiracy theory, either) - also the same IP went after other political sites of mine). I do have other sites that are more controversial as well as profitable and much higher traffic but the brute force attempts always used the admin login (once in a while I get something really off key).

The admin login i also more secure than the average person's password so it also was not a lucky guess.

As for developing, I do not have the skills, time to learn, nor the money to fully develop any of my sites. Yes, I'm cutting back on domains AND slowing my registrations to a snail's pace so maybe later on I'll be able to but WP is great for CMS. I've sent WP some suggestions for better security (like allowing us during the config process to rename or move the WP-ADMIN folder).

 

[katherine]

WP doesn't lock down IP addresses after a number of failed login attempts ?

 

[draggar]

There is a plugin for that (login lockdown)- I thought I had it installed on this site but I didn't.

My main concern is how did they get the correct admin login?

 

[katherine]

You say the display name is 'admin' even though the underlying username is different. Are there some hyperlinks to the profile, that betray the actual username behind that display name ?
Perhaps if you check the HTML source code you will see more.
I thought you might want to have one user for posting, and another for administrative purposes strictly.

 

[draggar]

You say the display name is 'admin' even though the underlying username is different. Are there some hyperlinks to the profile, that betray the actual username behind that display name ?
Perhaps if you check the HTML source code you will see more.
I thought you might want to have one user for posting, and another for administrative purposes strictly.

You got it - wow that's sneaky. Yes, the real login is visible when you view the page source. I think this is a bug that needs to be reported to Wordpress.

Thank you!

 

[dcristo]

It still doesn't explain how they got the password though.

 

[draggar]

They didn't get the password - it was just a brute force attempt with the standard list of password attempts. They did not get into the site - I was wondering how they got the actual admin login.

Katherine posted a good suggestion, too, use one login for admin and the other for posting.