September 18, 2013

Block attacks on WordPress using iptables

Over the last few months, there has been a sustained attack on all WordPress powered sites across the world.

While WordPress is very powerful and one of the best CMS systems available, its popularity also makes it an easy target for hackers.

Rather than find exploits in the code, the current attack simply tries to guess the admin password by using a dictionary attack. This means that your website will run much slower as it has to handle many simultaneous attempts to login, using up resources.

These attacks are automated, coming from other hacked computers, so they are capable of generating hundreds of login attempts every minute.

Firstly, Elive recommends you make sure you are using a very strong password, using a combination of letters, numbers and characters like $,%,* etc.

Also, if your administrator login name is ‘admin’, you should change this immediately, as the attack is based on guessing the password of the username ‘admin’.

Lastly, if you have control over your own Server or VPS (or your hosting provider is willing to help) and are using IPTables as a firewall, then the following instructions will block the attack before it even reaches your webserver, keeping performance levels up.

Using Plesk: add this near the top of /usr/local/psa/var/modules/firewall/firewall-active.sh
(we put it just after the line: /sbin/iptables -P INPUT DROP)

/sbin/iptables -A INPUT -p tcp --dport 80 -m string --string "Log+In&testcookie=1" --algo kmp -j DROP

Then issue the command: /etc/init.d/psa-firewall restart
** If you use the Plesk GUI to edit the firewall rules, you will always need to re-apply this after using the GUI **

Using normal IPTables on CentOS: add this near the top of /etc/sysconfig/iptables
(before your other INPUT rules; we are assuming you know something about iptables)

-A INPUT -p tcp --dport 80 -m string --string "Log+In&testcookie=1" --algo kmp -j DROP

Then issue the command: service iptables reload
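The rule above matches on the cleartext packet payload, so it only covers plain HTTP on port 80 and needs the kernel's xt_string match module to be available. To judge whether the rule is needed and whether it is working, it helps to measure the login traffic the webserver actually sees. The script below is an added example (not part of Elive's instructions) that counts POST requests to wp-login.php per source IP and per minute from an Apache combined-format access log; the log lines and IP addresses in it are constructed for the demonstration and the function names are our own.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access log lines (not real traffic).
# In practice you would feed /var/log/httpd/access_log (or the Plesk vhost log) instead.
SAMPLE_LOG='203.0.113.7 - - [18/Sep/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
198.51.100.22 - - [18/Sep/2013:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1804 "-" "Mozilla/5.0"
198.51.100.22 - - [18/Sep/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2013:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Sep/2013:10:02:12 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"'

# Count POST requests to wp-login.php per source IP, busiest first.
# Reads a log on stdin; prints "<count> <ip>" lines.
# Field layout of the combined format: $1 = client IP, $6 = "\"METHOD", $7 = request path.
login_posts_per_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Count POST requests to wp-login.php per minute, busiest minute first.
# Prints "<count> <dd/Mon/yyyy:HH:MM>" lines, which shows the attack rate.
login_posts_per_minute() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
             # $4 looks like [18/Sep/2013:10:01:02 ; keep date plus HH:MM, drop the "["
             split($4, t, ":"); print substr(t[1], 2) ":" t[2] ":" t[3]
         }' | sort | uniq -c | awk '{ print $1, $2 }' | sort -rn
}

# Number of login POSTs from one IP in the sample (empty if none).
posts_from() {
    printf '%s\n' "$SAMPLE_LOG" | login_posts_per_ip | awk -v ip="$1" '$2 == ip { print $1 }'
}

# Busiest minute in the sample as "<count> <minute>".
peak_minute() {
    printf '%s\n' "$SAMPLE_LOG" | login_posts_per_minute | head -n 1
}

# Demonstration on the constructed sample.
echo "Login POSTs per IP:"
printf '%s\n' "$SAMPLE_LOG" | login_posts_per_ip
echo "Login POSTs per minute:"
printf '%s\n' "$SAMPLE_LOG" | login_posts_per_minute
```

Run it once before adding the rule and again afterwards: once the firewall rule is in place, the bot's POSTs should disappear from the webserver log while the packet counter of the DROP rule (visible with iptables -L INPUT -v -n --line-numbers) keeps rising. A single IP making many POSTs per minute to wp-login.php, while normal visitors make at most a handful, is the pattern described in the post.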

DISCLAIMER: Instructions above assume the user has sufficient knowledge to carry out the changes and modify the commands to suit local setups. Elive are not responsible for any issues caused by this advice. If you are unsure, please enlist the aid of an expert.