(Even more) WordPress login rate-limiting

Lots of people (and lots of our customers) use WordPress to run their Web sites. This unfortunately means that lots of “hackers” also try to guess the passwords of those sites.

That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.

This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.

Part of this was unfortunately the customer’s responsibility for choosing a weak password — he chose a common dictionary word beginning with the letter “a” that could be easily guessed. In fact, it only took the hackers a few dozen tries to guess it. However, we were still surprised that they succeeded, since the rate limiting usually blocks this.

A detailed investigation revealed that these hackers were smarter than average. Instead of trying lots of passwords all at once, they tried them fairly slowly, making about one attempt every 20 minutes over several days.

To thwart this, we’ve made our rate limiting more strict — it “remembers” login attempts for a longer period, for example, and we now limit some IP addresses if they try as few as 12 login attempts per day. That still shouldn’t affect most human users, but just to make sure that’s not a problem, we’ve also added a feature that lets humans reset the rate limiting. You’ll see this option on the error page that rate-limited requests get redirected to if it ever happens to you.
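The behaviour described in the two passages above, as an added Python example that is not Tigertech's code: a per-IP sliding-window limiter, run once with a short window (the original policy, which catches bursts) and once with a day-long window and the 12-per-day threshold (the stricter policy, which also catches one attempt every 20 minutes), plus the manual reset for humans. The short-window figures (10 attempts per 10 minutes), the IP addresses and the attempt timings are constructed for illustration; the post only gives the 12-per-day figure.

```python
"""Sliding-window login rate limiter, illustrating the burst vs. slow-guessing problem.

Added example, not the hosting provider's code. Numbers marked "assumed" are constructed.
"""
from collections import defaultdict, deque


class LoginRateLimiter:
    """Counts wp-login.php requests per IP inside a sliding time window.

    Blocked requests are still recorded, so an IP stays blocked until its
    requests stop for roughly one window ("until the requests stop for a while").
    """

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # ip -> timestamps (seconds) of recent attempts

    def _prune(self, ip, now):
        q = self.attempts[ip]
        while q and now - q[0] > self.window:  # forget attempts older than the window
            q.popleft()

    def record(self, ip, now):
        """Record an attempt at time `now`; return True if it is allowed, False if blocked."""
        self._prune(ip, now)
        q = self.attempts[ip]
        q.append(now)
        return len(q) <= self.max_attempts

    def is_blocked(self, ip, now):
        """True if the next attempt from `ip` at time `now` would be rejected."""
        self._prune(ip, now)
        return len(self.attempts[ip]) >= self.max_attempts

    def reset(self, ip):
        """Manual reset, as offered to humans on the rate-limit error page."""
        self.attempts.pop(ip, None)


# Assumed original policy: the post gives no figure for the short window.
OLD_POLICY = dict(max_attempts=10, window_seconds=10 * 60)
# Stricter policy from the post: "as few as 12 login attempts per day".
NEW_POLICY = dict(max_attempts=12, window_seconds=24 * 3600)


def burst_attempts(n=100):
    """Constructed: n attempts one second apart, the classic fast guesser."""
    return [float(i) for i in range(n)]


def slow_attempts(days=3, interval=20 * 60):
    """Constructed: one attempt every 20 minutes for several days (216 attempts over 3 days)."""
    return [float(i * interval) for i in range(days * 86400 // interval)]


def simulate(limiter, timestamps, ip="198.51.100.7"):
    """Feed attempts from one constructed IP; return (allowed, blocked) counts."""
    allowed = blocked = 0
    for t in timestamps:
        if limiter.record(ip, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def run_scenarios():
    """Each (policy, pattern) pair -> (allowed, blocked). The old policy lets every slow attempt through."""
    results = {}
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        for pattern, ts in (("burst", burst_attempts()), ("slow", slow_attempts())):
            results[(name, pattern)] = simulate(LoginRateLimiter(**policy), ts)
    return results


def reset_demo():
    """Show that a blocked IP is unblocked by the manual reset; returns (blocked_before, allowed_after)."""
    lim = LoginRateLimiter(**NEW_POLICY)
    ip = "203.0.113.5"  # constructed
    for i in range(13):
        lim.record(ip, float(i * 1200))
    blocked_before = lim.is_blocked(ip, 13 * 1200.0)
    lim.reset(ip)
    allowed_after = lim.record(ip, 13 * 1200.0 + 1)
    return blocked_before, allowed_after


if __name__ == "__main__":
    for key, (ok, no) in sorted(run_scenarios().items()):
        print(f"{key[0]:>3} policy, {key[1]:>5} attacker: {ok:3d} allowed, {no:3d} blocked")
    print("reset demo (blocked before, allowed after):", reset_demo())
```

With the short window, the slow attacker's attempts are 20 minutes apart, so the window is always empty when the next one arrives and all 216 are allowed; the day-long window keeps the count across attempts and blocks everything after the twelfth. The reset clears only the one IP that asked for it, so it does not weaken the limit for anyone else.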

As always, don’t hesitate to contact us if you have any problems or questions related to this.

3 Comments

  1. Thanks, Tigertech.

    One simple way to make things harder for hackers on WP sites is to change the default admin username from “admin”. Then hackers need to figure out both the username and the password.

  2. Yep, Lance, you’re absolutely right — and we should probably make clear that because of that, we only rate limit attempts to log in using username “admin”, since that’s the username that “hackers” try to guess the password of.

  3. As a follow-up to this, we’ve since seen evidence that “hackers” are loading URLs like this to discover possible different WordPress administrator usernames:

    http://www.example.com/?author=1
    http://www.example.com/?author=2
    http://www.example.com/?author=3

    And once they have a few likely usernames, they’re using the same “try to guess the password” tricks.

    To combat this, we now use WordPress login rate limiting for all usernames, not just “admin”.