Defending your WordPress website is an ongoing battle. One that each of us fights with is a unique combination of plugins, settings, and on-server security measures to defeat the constant waves of both wide-scale and targeted hacking attempts. From the legacy config manipulations to user infiltration attempts, there’s no end to what a hacker will try just to say they got into someone’s WordPress site and caused a little mischief. And we hope mischief is all they’re after.
One of a WordPress site’s best defenses is a good offense. Not just building firewalls and virus scanners, but proactively keeping known malicious entities from accessing the site and making accounts. This is where the concept of banning users and blocking IP addresses came from initially. From internet trolls to corporate espionage, it’s important to be able to defend your site.
Table of Contents
Wielding the Ban-Hammer and Granting Appeals
In the height of the internet form and MMO gaming days, banning someone became known as ‘wielding the ban-hammer’, perhaps due to the zealous way in which some admins chose to hand out temporary and permanent bans for common forum shenanigans. But when defending your WP site, a ban-hammer is exactly the kind of force you need to knock those hackers out of the park before they have a chance to look at even a scrap of your data.
There are a number of ways to identify a bad actor and keep them from accessing accounts, features, or the entire domain as a form of proactive protection. Of course, the other half of wielding the ban-hammer is the ability to grant appeals. Just in case an auto-banning action accidentally blocked a legitimate (or legitimately hacked) user account. Be prepared for emails and requests that will need to be thoroughly checked out when you are deciding who to ban and who to allow access.
Today, we’ll focus on what to watch out for.
Any IP Address that Attempts to Brute-Force a Login
Your site detects a failed login. Fine, you send a captcha and ask them to try again. But before the exchange ends, in comes another failed login, and another, and another. All for the same account, but far too fast for even frustrated fingers to type. This is a common brute-force attack and even if your site has defenses against allowing these attacks to achieve login, it’s also a sign you can use to tell you when the accessor themselves is a bad actor.
The IP address from which the brute force login is coming from is that of the hacker or their redirected VPN address. Either way, you don’t want hackers or their masked VPN aliases accessing. So any time a brute-force alert triggers from a particular IP address, wield that ban-hammer and deny them access to the site entirely next time.
Any Access Attempts from Black-Listed IP Addresses
The internet security community has curated a list of known untrustworthy IP addresses that are blacklisted across the world-wide-web. There’s a good chance that your security plugins are already protecting you from black-listed IP addresses and domain names but never assume. Make sure that your website simply does not load for any known hacking IP addresses Because why invite trouble in through the front door?
Any IP Address Whose Browser Tries to Directly Access Your IP Address
One of a classic WordPress hacker’s tricks is to find your IP address through site analysis then try to access your server directly by calling that IP address in their browser. But if you’ve done your URL design correctly, then there is no reason why anyone who’s not inside your internal network would ever call the IP address of your WordPress site. Ban that hacker.
Any IP Address Identified as Using Stolen Login Credentials
There are several ways to identify the use of stolen login credentials. For example, a user suddenly logging in halfway across the world, then failing their second-factor authentication. When your automated ‘stolen login’ monitoring triggers, don’t just lock out further login attempts and alert the account-holder. Make sure the IP address that just tried to use a confirmed-stolen login never has a chance to try a second time.
Any Accounts from Black-List Domain Emails
Just as there are black-listed IP addresses, there are also black-listed domain names which are well known for sending out spam mail from domain email addresses among other nefarious deeds. Not only should you stop bad IP addresses from accessing your site, but you also have no reason to trust an account made with one of these black-listed domains used for the account email address. Simply don’t let the account creation happen and you’ll have stopped at least one hacker from making an account. Then flag their IP address in case they make a g-mail burner immediately afterward.
Any User Granted Unauthorized Authorizations
Another classic WordPress site attack is for a hacker to make themselves an account. Then they use a little back-door access to grant their very own account unauthorized admin powers. Your automated defenses can watch out for admin powers and flag anyone granted them in the last few days. You’ll know if you granted someone site admin. So if a new name pops up, wield that ban-hammer on the account and their accessing IP.
Any Account Caught Trying to SQL-Inject Your Search Queries
Perhaps you have a user who has seemed perfectly normal for a while. But at some point, they think it’s funny to try a quick “Drop Tables wp_archive;”, that is hacker behavior and is ban-worthy. This is, of course, even more suspicious if perpetrated by a brand new account, one that hasn’t bothered to make a profile or post in the forums. It is very likely a hacker making burner accounts to cause trouble. So you have nothing to lose in banning them on the spot. Even though your databases are already properly protected with escaped searches.
Any Account that Uploads Malicious or Offensive Files
The final recourse of the hacker is to load either malware or simply offensive images and files onto your site. They can do this through the tools you’ve left available for users. If users are allowed to share files and content, a hacker may try to leave something nasty in your file database. Or they could leave it somewhere other users will open it to become either infected, offended, or both. Any time a file uploaded is red-flagged or identified as malicious, don’t be shy about wielding the ban-hammer. This will prevent that user from ever abusing your site again.
Modern digital marketing and web design are all about customer-centric accessibility. Of course, you want to open the doors and roll out the red carpet for your legitimate users. These are users who love your site and come back time and time again. But for those that choose to abuse your online hospitality with hacking attempts, stolen logins, and privilege abuses, you need not suffer them a second time. Contact us today to find out more about how you can directly defend your WordPress site by identifying and blocking hackers.