WordPress Exploit

This weekend during ARRL Field Day I was posting to Twitter, Facebook and the club website. Toward the end of the day I was ready to upload some pictures to the gallery so I tried to log in to the site. I was told that because I had logged in too many times and failed that my account was locked. Apparently this is a function of the iThemes WordPress Security module.

This is a bit of an inconvenience so I asked one of the officers to see if he could get in and unlock my account. Surprise, surprise. he was locked out as well. This was going to be more inconvenient that we expected.

After viewing the activity against the site we found what appeared to be some script kiddie who had found our ids, probably from one or more posts that we created and then went about trying to guess our passwords. This only worked until the system locked out any further attempts, frustrating the script kiddie and us.

Our admin then tried to log in and got the same error. Now of course we can fix the issue by getting into the MySQL database and fiddling with the data. Kinda messy. However our admin had another trick up his sleeve. In a moment I watched him switch usernames and log in with no trouble at all. Whaaaa?

Apparently his strategy is to create administrative user names that he never uses to post or create content. It appears that if you only use it to administer the site and not create content there is no way to easily discover the user name from the front end.

So, that is what I am doing. For each of the wordpress sites I administer I am creating a user named, for example, “oV9T450RxgDt” with a password of “H9umpELvcJWl” (trust me, this won’t work on any of my sites). Of course this is only practical if you use a reliable password management program like LastPass or KeePass. I’ll let you know if I get hacked with this in place. I’m sure that security wizards will tell me that there are a ton of other things to do but I’m guessing this can’t hurt. I think the key is to NEVER post using this ID.