Hackers and the security arms race
A hacker finally noticed that if they don’t include the expected HTTP headers (specifically the wordpress_test_cookie=WP+Cookie+check cookie) then attempts to exploit the WordPress /wp-login.php URI are trivial to block. Up until yesterday 99.9% of the attempts to hack my WordPress blog by logging in were caught by my .htaccess rule that forbids POST commands if the expected cookie wasn’t present. I’m still seeing a lot of obviously bogus requests, but since yesterday superficially valid requests make up a significant fraction of the attacks.
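An .htaccess fragment of the kind described above, added here as an illustration and not the author's own rule; it assumes mod_rewrite is enabled and that wp-login.php sits at the site root.

```apache
# Added example (not the author's rule): refuse POSTs to wp-login.php that
# arrive without the wordpress_test_cookie the real login form sets.
RewriteEngine On
# Only act on POST requests ...
RewriteCond %{REQUEST_METHOD} ^POST$
# ... aimed at the login script (assumed to live at the site root) ...
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
# ... that lack the test cookie; the "+" signs are URL-encoded spaces,
# so they must be escaped in the regex.
RewriteCond %{HTTP_COOKIE} !wordpress_test_cookie=WP\+Cookie\+check
# Answer 403 Forbidden and stop processing further rules.
RewriteRule ^ - [F,L]
```

A legitimate browser receives the test cookie when it fetches the login form, so only clients that skip straight to the POST are refused; the rule says nothing about other login paths such as xmlrpc.php, which need their own handling.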
Until I can do something more intelligent I’m going to block all failed login attempts. I used to use a three-strikes rule to allow for real people making typing mistakes. But it looks like the hackers have realized that making repeated attempts to log in also makes it really easy to block the attacks. So they’ve reprogrammed their malware to stop the attack if the first login attempt fails. Fortunately, that too is a signature I can use to automate the blocking of attack sources.
Once I’ve refined my rules to handle the more sophisticated attacks I’ll write another article describing how my defenses work and showing the code.