WP-Login.php security

Edward Bock
Write better WordPress code
2 min read · Jun 27, 2021

Today I would like to talk about a security aspect of WordPress. As by far the most used CMS on the Internet, it is a very attractive target for hackers. But it’s also easy to protect your website from the most common attack scenario.

There are bots that crawl the internet for poorly secured WordPress instances and try to hack them automatically using brute force, dictionary or similar attacks. For this reason, any WordPress instance on the internet can be a target for these attackers. If one of these bots finds a way to your website, it will try to hack it!

/wp-login.php

As the default structure of a WordPress installation is very well known and most installations do not change the default file structure, it is easy to guess that there could be a login form with known input fields under /wp-login.php. There could also be author pages with usernames or email information to help narrow down the possibilities.

We can protect this login form with a simple trick.

  1. Use the login_form action to check whether there is a custom GET parameter in the URL.
  2. If the custom parameter is missing, stop login form rendering. If the custom parameter is present, add a custom nonce field to the login form.
  3. Use the login_form_login action to verify the custom nonce when a login POST request comes in.

Only users who know the wp-login.php URL including the custom GET parameter can use this login form, and bots are banned.
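The three steps above as a minimal plugin sketch. This is an added example, not the code of the plugin mentioned below; the parameter name, constant names and the sample secret are hypothetical, and it also handles the form being re-rendered after a failed login, which the steps do not mention.

```php
<?php
/**
 * Plugin Name: Login gate (illustrative example, not the author's plugin)
 */

// Assumptions: all names below are hypothetical. The secret is set in
// wp-config.php, e.g. define( 'LOGIN_GATE_KEY', 'constructed-sample-value' );
// Do not name the parameter "key": wp-login.php treats ?key= as a password reset.
const LOGIN_GATE_PARAM = 'gate';
const LOGIN_GATE_NONCE = 'login_gate';
const LOGIN_GATE_FIELD = '_login_gate_nonce';

// True when the request carries the expected GET parameter value.
function login_gate_key_ok(): bool {
	if ( ! defined( 'LOGIN_GATE_KEY' ) || ! isset( $_GET[ LOGIN_GATE_PARAM ] ) ) {
		return false;
	}
	$given = wp_unslash( $_GET[ LOGIN_GATE_PARAM ] );
	// Constant-time comparison; reject array input such as ?gate[]=x.
	return is_string( $given ) && hash_equals( (string) LOGIN_GATE_KEY, $given );
}

// Steps 1 and 2: runs while the login form is being printed.
add_action( 'login_form', function () {
	// A POST that reaches this point already passed the nonce check below
	// (the form is re-rendered after a wrong password, without the GET parameter).
	$is_post = 'POST' === $_SERVER['REQUEST_METHOD'];
	if ( ! $is_post && ! login_gate_key_ok() ) {
		exit; // Page output has started, so end it before the submit button.
	}
	// For logged-out visitors this nonce is not per-user; it only shows that
	// the form was rendered through the gate within the nonce lifetime.
	wp_nonce_field( LOGIN_GATE_NONCE, LOGIN_GATE_FIELD, false );
} );

// Step 3: fires in wp-login.php before the credentials are checked.
add_action( 'login_form_login', function () {
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		return;
	}
	$nonce = $_POST[ LOGIN_GATE_FIELD ] ?? '';
	if ( ! is_string( $nonce ) || ! wp_verify_nonce( wp_unslash( $nonce ), LOGIN_GATE_NONCE ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
} );
```

The GET parameter is a shared secret that ends up in access logs and browser history, so treat it as a filter against automated traffic rather than a credential. Requests to xmlrpc.php authenticate without passing through wp-login.php, so these hooks do not cover that path.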

I have published a very small plugin (~200 lines of code) that adds this security feature and adds some UX to the login process. If you are interested in using it or want to check out the code, these are the resources:

Feel free to criticize or suggest optimizations!
