WordPress is an open and free Content Management System (CMS) used by more than top 10 million websites as of 2016.
Robots crawl WordPress sites looking for the wp-admin login page. Once internet robots find it, they attack the site in the simplest way possible – by continually hammering at the login page until they get in. The bot cycles through common passwords, obscure passwords and everything in between. It takes longer for the bot to gain access depending on the complexity of the username and password. So, the first step in website security is arming yourself with secure login information. These brute-force attacks eat up server memory and cause problems with performance and one solution to this widespread problem is to hide the important WordPress directory by concealing it and making it un-readable to internet bots.
Hide the WP-ADMIN folder, the WordPress login folder
At Zenman, they included WordPress login page obfuscation to our standard security package. We’re giving our clients another tool to fight against internet bots and giving internet bots a harder time hacking into sites.
They took advantage of cookie setting and the URL rewriting powers of the .htaccess file blocking all access going directly to the wp-admin folder. In a separate folder at the root of the site, named a random string of characters, a few lines of php code tells the server to set a cookie whenever you visit this separate folder in the site. Then a couple rules in the site’s .htaccess folder based around the cookie value set in the separate folder. The rules say, “If the cookie is set, rewrite the URL when you visit that random string of characters folder to visit the wp-admin folder.”
This way, you can access the wp-admin login page through a side, more concealed, door rather than going to the login page directly.
Brute Force Attacks
Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed ‘inelegant’, they can be very successful when people use passwords like ‘123456’ and usernames like ‘admin.’
They are, in short, an attack on the weakest link in any website’s security: You. Due to the nature of these attacks, you may find your server’s memory goes through the roof, causing performance problems. This is because the number of http requests (that is the number of times someone visits your site) is so high that servers run out of memory.
This plugin available at the WordPress marketplace is very useful to help stop Brute Force attacks on your site.
Cross-Site Scripting attacks on WordPress
XSS as its name suggests “Cross-Site Scripting”. Previous versions of WordPress were vulnerable to this type of attack which was very hard to recover. In this type of attack, a malicious script is inserted into user website to extract the private information of users such as Admin user password, important file information etc. With the help of some plugins you can secure your WordPress website. Some of them are
Ninja Firewall: is a web application for your WordPress website that rejects the malicious script automatically.
Bulletproof Security: is a plugin used to protect your WordPress website from CSRF, XSS, and SQL Injections etc.
Word Fence: will secure your website by implementing two-factor authentication and will scan all possible brute force attacks and their signatures. Wordfence will also blog IPs, will alert you of suspicious activity and check your website for updates. Wordfence is a very complete tool that will help you keep your website more secure. They have a service that helps you identify every attack and clean up after each attempt. The service goes for around U$D 99 a year.