(Even more) WordPress login rate-limiting

Posted April 10th, 2012 in Tales From the Support Team, Tech Corner. Tags: , .

Lots of people (and lots of our customers) use WordPress to run their Web sites. This unfortunately means that lots of “hackers” also try to guess the passwords of those sites.

That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.

This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.

Part of this was unfortunately the customer’s responsibility for choosing a weak password — he chose a common dictionary word beginning with the letter “a” that could be easily guessed. In fact, it only took the hackers a few dozen tries to guess it. However, we were still surprised that they succeeded, since the rate limiting usually blocks this.

A detailed investigation revealed that these hackers were smarter than average. Instead of trying lots of passwords all at once, they tried them fairly slowly, making about one attempt every 20 minutes over several days.

To thwart this, we’ve made our rate limiting more strict — it “remembers” login attempts for a longer period, for example, and we now limit some IP addresses if they try as few as 12 login attempts per day. That still shouldn’t affect most human users, but just to make sure that’s not a problem, we’ve also added a feature that lets humans reset the rate limiting. You’ll see this option on the error page that rate-limited requests get redirected to if it ever happens to you.

As always, don’t hesitate to contact us if you have any problems or questions related to this.

3 Comments

  1. on Tuesday, April 10, 2012 at 7:09 pm (Pacific) Lance Knobel wrote:

    Thanks, Tigertech.

    One simple way to make things harder for hackers on WP sites is to change the default admin username from “admin”. Then hackers need to figure out both the username and the password.

  2. on Friday, April 13, 2012 at 9:55 am (Pacific) Robert Mathews wrote:

    Yep, Lance, you’re absolutely right — and we should probably make clear that because of that, we only rate limit attempts to login using username “admin”, since that’s the username that “hackers” try to guess the password of.

  3. on Wednesday, April 25, 2012 at 12:39 pm (Pacific) Robert Mathews wrote:

    As a followup to this, we’ve since seen evidence that “hackers” are loading URLs like this to discover possible different WordPress administrator usernames:

    http://www.example.com/?author=1
    http://www.example.com/?author=2
    http://www.example.com/?author=3

    And once they have a few likely usernames, they’re using the same “try to guess the password” tricks.

    To combat this, we now use WordPress login rate limiting for all usernames, not just “admin”.

  1. Recent Posts

    1. PHP versions 8.2.17 and 8.3.4
    2. President’s Day 2024 holiday hours
    3. PHP versions 8.1.27 and 8.2.15
    4. Martin Luther King, Jr. Day 2024 holiday hours
    5. New Year’s 2024 Holiday Hours
    6. Christmas 2023 Holiday Hours
    7. Brief scheduled maintenance December 16-17, 2023
    8. Thanksgiving 2023 Holiday Hours
    9. PHP versions 8.1.25 and 8.2.12
    10. PHP versions 8.1.24 and 8.2.11

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds