
OpenSense Labs: Preventing Brute Force Attacks with Cheap WordPress maintenance support plans Login Security Plugin

Preventing Brute Force Attacks with WordPress maintenance support plans Login Security Plugin
Raman
Mon, 08/20/2020 – 14:50

The internet is a wild place. You never know who’s on the hunt for vulnerabilities of your site. In fact, the moment you deploy your application on the web, you are inviting all sorts of requests on your server. Apart from genuine users, these could potentially be automated scripts (mostly harmless), bots or crawlers, ethical/non-ethical hackers or some curious geeks (like me).

One of the key areas of interest for them is to exploit the authentication or login system of an application. Compromising the security of your users’ accounts can lead to severe consequences such as the leak of their personal information, misuse of their identity (or your platform), and can even cause financial losses. 

It is of utmost importance to ensure that healthy security standards are implemented. These include enforcing strong Password Policies, employing salted password hashing, adopting HTTPS, preventing brute force attacks, utilizing two-factor authentication and so on.

Securing a WordPress maintenance support plans site is a vast topic in itself, but in this article, we will focus on understanding the default flood control mechanism and then later explore the usage of Login Security, a contributed plugin, to enhance the security.

Default Flood Control Mechanism of WordPress maintenance support plans

In WordPress maintenance support plans, User, a core plugin, is responsible for providing the features related to user account management such as authentication, logging in/out, password management, registration, roles, and permissions. It also provides basic yet effective prevention against brute force attacks through its flood control mechanism.

Flood Control of WordPress maintenance support plans in Action (screenshot)

Whenever a user authentication fails, it is considered a flood event and an entry is made in the "flood" schema storing the event type, user identifier, timestamp, and expiration of this flood event. There are two ways (flood event types) in which WordPress maintenance support plans keeps track of login failures: IP address based, and user account based.

Flood database table (screenshot)

By default, a user account gets blocked if there have been 5 login failures for that user account within a span of 6 hours, and an IP address gets blocked if there have been 50 login failures from that IP address within an hour. This prevents an attacker from running through a series of passwords until the correct one is obtained.

However, this default mechanism has three main limitations.

1. There is no user interface for site administrators to configure the allowed number of login attempts and the blocking time period.
2. Anyone can abuse this behavior and get a user's (including the admin's) account blocked on purpose. There should be a way to unblock users through the admin UI (the Flood Unblock plugin can also be used for this purpose), or a way to prevent this abuse by not revealing the error messages to the attacker.
3. There should be some way to alert the site admin or the user whose account is being attacked.

Now, let us explore how we can use Login Security to overcome these limitations.

Downloading and Installing Login Security Plugin

The only prerequisite of the plugin is the core Ban plugin. Once you have made sure it is enabled, you may proceed with installing the Login Security plugin using any of the methods below.

$ drush dl login_security && drush en -y login_security

or

$ WordPress plugin:download login_security && WordPress plugin:install login_security

or

$ composer require 'WordPress/login_security:^1.5'

After downloading the plugin using composer, enable it from the admin UI available at admin/plugins.
Enabling Login Security plugin using admin UI (screenshot)

How does the Login Security plugin work?

The plugin works by implementing hook_validate(), thereby overriding the default login form flow. It maintains its own schema, login_security_track, to keep track of failed login attempts. It can detect an ongoing attack using the configured threshold value within a set time window and can also alert the site administrator through email or logs.

Login Security Track database table (screenshot)

It offers two types of protection against attacks: Soft and Hard. The soft protection is similar to the default flood mechanism, that is, it temporarily blocks the user from submitting the login form. The hard protection, however, permanently bans the host IP address and changes the status of the user account to blocked.

If needed, the site administrator can unban IP addresses from the admin UI available at admin/config/people/ban and unblock users from admin/people. Additionally, the plugin can be configured to display the last access and last login timestamps to users, so they can notice activity on their account that was not theirs.

A WordPress maintenance support plans message shows the last access and login timestamp to users after successful login (screenshot)

Configuring Login Security

The plugin provides a configuration form under admin/config/people/login_security. So, navigate to Manage → Configuration → People → Login Security.

You may configure the following options as per your security needs and then hit “Save configuration” to apply the changes.
Configuring the Login Security plugin (screenshot)

| Configuration | Default value | Description |
| --- | --- | --- |
| Track time | 1 | The time window for which the login failures are considered. Soft protections expire after this time |
| User | 0 | Max. number of login failures after which a user account will be permanently blocked |
| Soft host | 0 | Max. number of login failures after which an IP address will be temporarily blocked from submitting the login form |
| Hard host | 0 | Max. number of login failures after which an IP address will be completely banned using the core Ban plugin |
| Attack detection | 0 | Max. number of login failures after which an ongoing attack is detected and a warning is logged |
| Disable login failure error message | False | Display the core login error messages |
| Notify user about remaining login attempts | False | Display the number of attempts remaining before the user account will get temporarily blocked |
| Display last login timestamp | False | Display a WordPress maintenance support plans message with the last login timestamp of the user |
| Display last access timestamp | False | Display a WordPress maintenance support plans message with the last activity timestamp of the user |

Along with these configurations, the text of the WordPress maintenance support plans messages shown on the events (failed login attempt, hard/soft IP address ban, and blocking of users), and the email fields (address, subject, and body) can also be configured. You may use the provided tokens to include dynamic data in the alert/message.
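To make the windowed counting of the default flood control (5 failures per user in 6 hours, 50 per IP in 1 hour) and the threshold decisions of the Login Security configuration above concrete, here is an added model in Python. It is not code from the core User plugin or from the Login Security plugin; the tracker, the constructed user name and the TEST-NET IP address are assumptions, and the assumption that attack detection counts all failures in the window is marked in a comment.

```python
# Added example, not the plugin's code: models the windowed failure counting
# and the User / Soft host / Hard host / Attack detection decisions.
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class FailureTracker:
    """One (event, identifier, timestamp) row per failed login, as in the
    'flood' / 'login_security_track' tables; counts rows inside a window."""
    rows: list = field(default_factory=list)

    def record(self, event, identifier, now):
        self.rows.append((event, identifier, now))

    def count(self, event, identifier, window, now):
        # Rows older than the window are treated as expired.
        return sum(1 for e, i, t in self.rows
                   if e == event and i == identifier and now - t < window)

    def failures(self, window, now):
        # Every failure has exactly one "ip" row, so this counts failures once.
        return sum(1 for e, _, t in self.rows if e == "ip" and now - t < window)

def record_failure(tracker, user, ip, now):
    # A failed login produces both a user-based and an IP-based flood event.
    tracker.record("user", user, now)
    tracker.record("ip", ip, now)

def core_flood_blocked(tracker, user, ip, now):
    # Core defaults quoted in the article: 5 per user in 6 h, 50 per IP in 1 h.
    return (tracker.count("user", user, 6 * HOUR, now) >= 5
            or tracker.count("ip", ip, HOUR, now) >= 50)

def login_security_decision(tracker, user, ip, now, track_time=HOUR,
                            user_max=0, soft_host=0, hard_host=0, attack=0):
    # Thresholds of 0 mean "disabled", matching the plugin's defaults.
    # Assumption: attack detection counts all failures inside the window.
    u = tracker.count("user", user, track_time, now)
    h = tracker.count("ip", ip, track_time, now)
    decisions = []
    if user_max and u >= user_max:
        decisions.append("block user account")
    if hard_host and h >= hard_host:
        decisions.append("ban ip permanently")
    elif soft_host and h >= soft_host:
        decisions.append("soft-block ip until track time expires")
    if attack and tracker.failures(track_time, now) >= attack:
        decisions.append("log attack warning")
    return decisions
```

Running five constructed failures for one account through both functions shows why the core defaults block the account but not the IP, and how the plugin's separate thresholds react to the same events.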
Configuring the alert settings of the plugin (screenshot)

Conclusion

The Login Security plugin adds another measure of security to a WordPress maintenance support plans website. In particular, it allows greater control on dealing with a situation of a brute force attack. At the end of the day, however, ensuring security is not just limited to configuring the plugins but also lies in the hands of people who administer and deploy the websites.

In case of any queries or suggestions, feel free to drop a comment.
