I own a self-hosted WordPress 3.5 blog. I’m working on its security and I’m trying to prevent non-writers from accessing anything admin-ish they shouldn’t.
Recently I tried Better WordPress Security, I really liked some of the htaccess suggestions they have. Primarily the one hiding /wp-admin/ with a unique key, even though it had a few loop holes, you could figure the key using the logout query. Anyway: Assuming my /wp-admin/ and wp-login.php now bring up a 404 not found, I thought automated bots would stop hitting on me. But they didn’t. I’m still getting site lockout notifications.
My guess is that WordPress have other standard routes for remote logins which attackers are still trying to exploit. I can’t find any documentation about that or anything in the settings. However, earlier this week one of our writers asked me about writing to our WordPress through his smartphone. There’s this Android/iOS app. So I tried it, and I thought it won’t work because the normal route now returns 404. But I actually managed to login successfully in the app. So how does the it work – where does it send the query?
In short I could really use an explanation/article about how WordPress logins work.
Note: I currently don’t have basicauth over /wp-admin/
I figured I’d just look in the Android application’s source code to see how it communicates. You can quickly see XML-RPC in the source.
So another way to access the blog is using WordPress XML-RPC support. It was improved and enabled by default in version 3.5 very recently. I don’t understand why they brought it back without the option to turn it off. It was on until 2.6, then turned off by default, and now it’s back in 3.5
So I found this post. It exaplains how to disable XML-RPC with one line of code which WordPress respects:
In your
wp-cinfig.phpfile, add this line afterrequire_once(ABSPATH . 'wp-settings.php');:This entirely disabled any access I had from the Android application. As of now I’m not getting any site lockout notifications by bad logins, mission accomplished!
Note: Before disabling, I did a test to make sure BWPS does scan bad logins from xmlrpc as well. Locked my self out using my phone on a 3g and got a notification later by email. In case it wasn’t then this whole theory would be questionable. So do yourself a favor and disable xmlrpc now! Unless you actually use it and you’re not under constant attacks from Turkish ip addresses.