by someexgamedev 2597 days ago
I set up a WordPress site for a family member a couple years ago and threw wordfence on there just to see what the ecosystem is like. I get near daily alerts of attempted hacks mostly from Eastern Europe. Most common thing is trying to brute force the login page.

Any improvements to WordPress security are welcome. It's got such a huge target painted on its back. Reminds me of Windows in the 90s.

As for what I learned, I would move the admin login page and disable common usernames like admin and anything derived from the site url. Probably stop 90% of attacks just with that.


If you have enough control of the server it resides on, one of the best things you can do is to deny it access to write to the PHP files of the WordPress install (which requires that you use WP-CLI via command line to do updates), and set up automatic updates by calling WP-CLI through a cron job or however you want to automate that.

When a Wordpress install has write access to its own PHP files, then a vulnerability can do more harm obviously since it can modify the Wordpress install itself and thus more easily "infect" the installation. Denying write access cuts off many attacks from doing significant harm. BTW WP-CLI can also do checksums of your install.

I wouldn't fret too much about seeing hack attempts. If you have enough logging turned on for a public web server, you'll see a constant stream of hack attempts for all types of languages / frameworks. I did this the other day and saw what I recognized as a variety of different attacks targeted at PHP, Rails, and Java.

Regarding usernames: note that Wordpress will, by default, expose those usernames in things like posts (author's username is revealed). I had to modify my theme to make that stop, and even then I'm not 100% sure it's not leaking somewhere I missed. Maybe you want to do all content editing with a user that has reduced privileges and only use your admin user when necessary.
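
The read-only code tree plus WP-CLI-driven updates described in the comment above, as an added example that is not part of the original thread. It assumes a non-web deploy account (`wpdeploy`) owns the files, that PHP-FPM/Apache runs in the `www-data` group, and a site root of `/var/www/example.org`; all three are placeholders. Code files end up 0644 owned by the deploy user, so the PHP runtime (running as the web user) can read but never modify them, while `wp-content/uploads` stays group-writable for media. Updates and checksum verification run as the owner, the only account that can write code.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: WP_ROOT, OWNER (a non-web
# deploy account) and WEB_GROUP (the group the PHP runtime runs as).
set -eu

WP_ROOT="${WP_ROOT:-/var/www/example.org}"
OWNER="${OWNER:-wpdeploy}"
WEB_GROUP="${WEB_GROUP:-www-data}"

# Code tree: owner may write, web group and others read only. A vulnerability in
# PHP running as the web user can therefore read but not rewrite any .php file.
lock_code_tree() {
  find "$1" -type d -exec chmod 0755 {} +
  find "$1" -type f -exec chmod 0644 {} +
}

# Media uploads must stay writable by the web user. Nothing in there should ever
# be executed as PHP; block that in the web server config (not shown here).
open_uploads() {
  up="$1/wp-content/uploads"
  [ -d "$up" ] || return 0
  find "$up" -type d -exec chmod 0775 {} +
  find "$up" -type f -exec chmod 0664 {} +
}

# Ownership change needs root; the web user only gets in through the group.
set_owner() {
  chown -R "$OWNER:$WEB_GROUP" "$1"
}

# Audit: number of .php files with a group or world write bit. Expect 0.
count_writable_php() {
  find "$1" -type f -name '*.php' \( -perm -0020 -o -perm -0002 \) | wc -l | tr -d ' '
}

# Run updates as the owner (WP-CLI needs write access the web user no longer
# has), verify the result against wordpress.org checksums, then re-lock modes,
# because freshly written files pick up the owner's umask, not ours.
update_site() {
  for cmd in "core update" "plugin update --all" "theme update --all" \
             "core verify-checksums" "plugin verify-checksums --all"; do
    # shellcheck disable=SC2086  # word splitting of $cmd is intended
    sudo -u "$OWNER" wp --path="$WP_ROOT" $cmd
  done
  lock_code_tree "$WP_ROOT"
  open_uploads "$WP_ROOT"
}

# Usage:  wp-lockdown.sh apply   (once, as root)
#         wp-lockdown.sh update  (from root's cron, e.g. "0 4 * * * /usr/local/sbin/wp-lockdown.sh update")
case "${1:-}" in
  apply)  set_owner "$WP_ROOT"; lock_code_tree "$WP_ROOT"; open_uploads "$WP_ROOT"
          echo "writable php files: $(count_writable_php "$WP_ROOT")" ;;
  update) update_site ;;
esac
```

Run `count_writable_php` after every update; a non-zero result means something reintroduced writable PHP. Files deliberately written by the web user (a plugin's cache directory, for instance) will break under this model and need their own group-writable exception, never a blanket chmod.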

> I'm not 100% sure it's not leaking somewhere I missed

Have you checked the REST endpoint, namely site.tld/wp-json/wp/v2/users?

By default all user names are exposed that way.
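
A quick way to see exactly what that endpoint leaks, as an added example that is not part of the original thread. Each object the endpoint returns carries a `slug` field, which by default is the user's login name (the `user_nicename`), and by default only users who have published posts are listed. The site URL is a placeholder; the parsing works on a saved response too, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. SITE is an assumed URL.
set -eu

SITE="${SITE:-https://example.org}"

# Pull every "slug" value out of /wp/v2/users JSON on stdin, one per line.
# Plain tr/sed so it works where jq is missing: the response is a flat array of
# objects, so splitting on commas leaves one "slug":"..." pair per line, and the
# sed pattern then matches each one (without the split a greedy match would only
# report the last user).
extract_rest_slugs() {
  tr ',' '\n' | sed -n 's/.*"slug":"\([^"]*\)".*/\1/p'
}

# Live probe (needs network). Returns 1 if any login name is exposed, 2 if the
# request itself failed (endpoint disabled, site down, auth required).
probe_users() {
  slugs=$(curl -fsS "$1/wp-json/wp/v2/users?per_page=100" | extract_rest_slugs) || return 2
  if [ -n "$slugs" ]; then
    printf 'exposed login names:\n%s\n' "$slugs"
    return 1
  fi
  echo "no users exposed"
}

# Usage: wp-users-probe.sh probe
case "${1:-}" in
  probe) probe_users "$SITE" ;;
esac
```

Compare the output with `wp user list --field=user_login` on the server: any name that appears in both is a ready-made target for the login brute forcing discussed above. Renaming the admin account does nothing if the new name is still published here.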

> I get near daily alerts of attempted hacks mostly from Eastern Europe.

Everything you put on the Internet gets daily attempted attacks. The issue is... nobody should care about attempted attacks. Of course people will try to bruteforce your passwords. If you have any kind of software that warns you about these attacking attempts that's not helpful at all. What you want is to make these attacks do nothing. In case of bruteforce attempts it's clear how to do that: don't use insecure or reused passwords.

This plugin allows you to rename the login page - https://wordpress.org/plugins/rename-wp-login/. It says untested with the last three versions of WordPress, but we use it on all our sites and have had no issues. It also doesn't redirect non-logged-in requests for /wp-admin/ to the login URL like the standard setup, so it doesn't make the new login URL available in any way. We were experiencing server slowdowns because of brute force attacks and this plugin really helped.

The best thing to do after that is to set up an .htaccess rule to return a 401 Forbidden error for /wp-login.php, because even with the plugin above the request is processed by PHP, which can still slow things down depending on the intensity of the attack.

This is obviously just security through obscurity, and you need other security measures in place too. Having said that, I find plugins like WordFence are overkill and often confusing, although we build WP sites from scratch so we control a lot of that side of things ourselves, and use a WP-focused hosting service which takes care of the other things like server-level security.

Do not use that plugin. It has an unintentional back door where you can just bypass it completely and get the login screen. All of the forked plugins that are based on it, that I have seen, have the same issue.

Plus, since it's more than 3 versions old, many of the security plugins will flag it. If it's your site, that's fine. If you have set a site up for someone else, it's hard to explain that it's ok to use this plugin.

Can you give me more detail than "unintentional back door"? I'm obviously interested, but it's difficult to know what to do without more of a pointer on what the issue is.

Edit: Found this - https://github.com/ellatrix/rename-wp-login/issues/27 - and can reproduce that behaviour, so I'm going to start looking for something new, or potentially taking over that plugin.

Edit 2: This seems to be a maintained fork that is in active development and covers the issues on the original abandoned GitHub repo - https://wordpress.org/plugins/wps-hide-login/

Could you recommend some real[0] WP-focused providers? Since the company I work for has several WP websites with relatively high traffic we've been looking for such providers, tested some but ended with having some VPSes to have the ability to set them up properly. Since those servers are self-managed this is obviously a sub-optimal solution as we have to maintain them, so a reliable hosting provider would be great.

[0] "real" as opposed to a provider that has a great WP-related pitch but in reality is just regular shared hosting with no actual WordPress-oriented optimization/enhancements.

We've been using a VPS-1 on Pagely for a few years now, and are generally very happy with the service. They take away the management of Ubuntu and security hardening etc, but give you control where you need it such as SSH access - I've written a few bash scripts that use WP-CLI to make it easier to manage multiple sites. We've had one or two small issues, but all fixed quickly, and nothing of the sort that made us start looking elsewhere. You sometimes have to be persistent with first-line support, but things generally get escalated appropriately if necessary.

The one real gripe I have is that they rewrote their control panel as an SPA, and I think it's made it much less usable. It's difficult to do things like open a link in a new window, and state doesn't always remain or update in the right way - for example, you can lengthen and sort a list, go to an item, use the back button and you have to lengthen and sort the list again. However, I don't use that control panel enough to make it a serious time drag, and they're apparently writing an API which should cover most of my use cases.

I have a mostly static website that's not powered by WordPress in any way, yet my logs are full of requests for wp-login.php and such. Attempted attacks against WordPress are just the normal background radiation of the web these days.

That's good info, thanks. I just happen to be looking into WP security right now.

Would you recommend Wordfence in addition to the changes you mentioned?

I'm really happy with NinjaFirewall. Here's a comparison: https://translate.googleusercontent.com/translate_c?depth=1&...

I highly recommend Wordfence. I have it set to immediately block anyone after a single failed login attempt.

To offer a counter-opinion: I found Wordfence highly obtrusive, annoying and full of dark patterns in an attempt to upsell you to premium. They present in their dashboard ALL attacks within their entire network as if those were attacks on your site in particular, which is misleading. If the project permits, the best practice is to convert the site into fully static HTML (WP2Static, SimplyStatic) and keep the backend site/database separate and local only.

So if I know the username of someone who admins your website I could shut them out with a single POST request? Seems a bit risky.

It's a small site. Not a concern.

It's fairly resource-intensive, though. I've seen whole servers brought to their knees because of plugins like Wordfence -- an unintentional DoS, so to speak. Many of the defenses employed by Wordfence would be orders of magnitude more efficient if implemented at the level of the HTTP daemon or firewall. Unfortunately, WordPress plugins must cater to the lowest common denominator, shared hosting.

If what you're dealing with is thousands of attempted brute force attacks on a daily or weekly basis, a WordPress plugin might not be the solution.
Sure, but you don't know that until the attacks actually begin, and anyone can attack any site for any reason these days. Meanwhile, most people who run WordPress sites don't know how to do anything more complicated than installing a plugin. Being a developer who caters to that market has its own charms and challenges.
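
The "do it at the HTTP daemon or firewall" approach from the thread, and the lockout concern raised about blocking on a single failed attempt, as an added example that is not part of the original thread. It counts failed `wp-login.php` POSTs per source address in the web server's access log and keys the block on the address, not the username, so an attacker cannot lock out a known admin with one request. It relies on a detail of how WordPress behaves: a failed login re-renders the form with HTTP 200, a successful one redirects with 302. The log format assumed is Apache/nginx "combined"; the nftables set name `wp_bruteforce` and table `inet filter` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes "combined" access log format and
# an existing nftables set "wp_bruteforce" in table "inet filter".
set -eu

THRESHOLD="${THRESHOLD:-10}"   # failed login POSTs per source before we act

# Print "<failures> <ip>" for every source with at least $2 failed login POSTs
# in log $1, most active first. Combined-format fields: $1 client address,
# $6 "METHOD, $7 path, $9 status.
failed_login_sources() {
  awk -v thr="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fail[$1]++ }
    END { for (ip in fail) if (fail[ip] >= thr) print fail[ip], ip }
  ' "$1" | sort -rn
}

# Turn the offenders into nft set additions. Pipe into "nft -f -" on the host
# after reviewing; the set's own timeout handles expiry.
block_rules() {
  failed_login_sources "$1" "$2" | while read -r _ ip; do
    printf 'add element inet filter wp_bruteforce { %s }\n' "$ip"
  done
}

# Usage:  wp-bruteforce.sh scan  /var/log/nginx/access.log
#         wp-bruteforce.sh rules /var/log/nginx/access.log | nft -f -
case "${1:-}" in
  scan)  failed_login_sources "${2:?access log path}" "$THRESHOLD" ;;
  rules) block_rules "${2:?access log path}" "$THRESHOLD" ;;
esac
```

Because the threshold applies per address rather than per account, a single stray POST naming the admin user does nothing, and a real user who fat-fingers a password twice stays under the limit. Run it from cron against the current log, or hand the same match logic to fail2ban, which keeps the work out of PHP entirely.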