Thoughts on WordPress Security

It is well known that WordPress installations are a favorite target of hackers. As such, I have taken a number of precautions to protect my site. One of these precautions was installing the Better WordPress Security plugin. Among other things, it blocks known malicious hosts, and I also have it configured to block anyone who has too many failed login attempts. I forgot my login credentials today, so I had to unblacklist myself. Not that this is surprising, but I now have proof that my site is being actively attacked:

mysql> select * from bwps_lockouts;
+----+------+--------+------------+------------+-----------------+------+
| id | type | active | starttime  | exptime    | host            | user |
+----+------+--------+------------+------------+-----------------+------+
|  1 |    2 |      1 | 1356337473 | 1356338373 | 49.156.146.2    |    0 |
|  2 |    2 |      1 | 1364942214 | 1364943114 | 62.141.42.61    |    0 |
|  3 |    1 |      1 | 1365134867 | 1365135767 | 173.230.140.233 |    0 |
|  4 |    2 |      1 | 1365258589 | 1365259489 | 203.174.60.2    |    0 |
|  5 |    1 |      1 | 1365812798 | 1365813698 | 76.113.154.142  |    0 |
|  6 |    2 |      1 | 1366029050 | 1366029950 | 46.28.64.213    |    0 |
+----+------+--------+------------+------------+-----------------+------+
6 rows in set (0.00 sec)
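As an added illustration (my own code, not the post's and not code from the Better WordPress Security plugin), here is a small Python model of the failed-login lockout mechanism described above: a per-host window of recent failures, a timed lockout record shaped like a bwps_lockouts row, automatic expiry, and the manual "unblacklist" step the author had to perform on himself. The 900-second lockout length comes from the table (exptime minus starttime is 900 in every row); the failure threshold and window are assumptions, since the post does not state them. The attacker addresses used in the demo are constructed, and the six rows passed to describe() are the ones from the table.

```python
# Added example, not from the post or the plugin. Threshold and window are
# assumed; LOCKOUT_SECONDS is taken from the bwps_lockouts rows above.
import time
from collections import defaultdict, deque
from datetime import datetime, timezone

MAX_FAILURES = 5       # assumed: failures that trigger a lockout
FAILURE_WINDOW = 300   # assumed: seconds within which those failures must occur
LOCKOUT_SECONDS = 900  # exptime - starttime in every row of the table (15 min)


class LockoutTracker:
    """Counts failed logins per host and issues timed lockouts."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)  # host -> recent failure timestamps
        self.lockouts = {}                  # host -> {"starttime", "exptime"}

    def is_locked(self, host, now=None):
        """True while a lockout is in force; expired lockouts are dropped."""
        now = self.clock() if now is None else now
        rec = self.lockouts.get(host)
        if rec is None:
            return False
        if now >= rec["exptime"]:
            del self.lockouts[host]
            return False
        return True

    def record_failure(self, host, now=None):
        """Register a failed login. Returns True if it triggered a lockout."""
        now = self.clock() if now is None else now
        if self.is_locked(host, now):
            return False                     # already locked, nothing changes
        q = self.failures[host]
        q.append(now)
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()                      # forget failures outside the window
        if len(q) >= MAX_FAILURES:
            self.lockouts[host] = {"starttime": now,
                                   "exptime": now + LOCKOUT_SECONDS}
            q.clear()
            return True
        return False

    def unlock(self, host):
        """Manual 'unblacklist'. Returns True if a lockout was actually removed."""
        self.failures.pop(host, None)
        return self.lockouts.pop(host, None) is not None


def describe(rows):
    """Render (host, starttime, exptime) epoch rows as readable summaries."""
    out = []
    for host, start, exp in rows:
        started = datetime.fromtimestamp(start, timezone.utc)
        out.append(f"{host:<16} locked {started:%Y-%m-%d %H:%M:%S} UTC "
                   f"for {(exp - start) // 60} min")
    return out


if __name__ == "__main__":
    # The six rows from the bwps_lockouts table above.
    for line in describe([("49.156.146.2", 1356337473, 1356338373),
                          ("62.141.42.61", 1364942214, 1364943114),
                          ("173.230.140.233", 1365134867, 1365135767),
                          ("203.174.60.2", 1365258589, 1365259489),
                          ("76.113.154.142", 1365812798, 1365813698),
                          ("46.28.64.213", 1366029050, 1366029950)]):
        print(line)

    # Constructed scenario: a guessing host hits the threshold in a few seconds,
    # then the site owner locks himself out and has to remove his own record.
    t = LockoutTracker()
    attacker, owner = "203.0.113.9", "198.51.100.7"   # constructed addresses
    base = 1366030000
    for i in range(MAX_FAILURES):
        if t.record_failure(attacker, now=base + i):
            print(f"{attacker} locked out until {base + i + LOCKOUT_SECONDS}")
    for i in range(MAX_FAILURES):
        t.record_failure(owner, now=base + i)
    print("owner locked:", t.is_locked(owner, now=base + 10))
    print("owner unlocked:", t.unlock(owner))
```

Two details worth noticing: a lockout is only ever issued for failures that fall inside the window, so slow guessing below the threshold never appears in the table at all, and an expired lockout row can still sit in the database (the table above keeps active = 1 on rows months old) even though the plugin no longer enforces it, which is why checking exptime rather than the active flag is the right test.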

Sometimes I wonder whether or not I’d be better off writing my own website since there’s a very real chance I could be brought down by a WordPress 0-day. With that said, writing secure web applications can be hard, and I’m probably better off from a security perspective using a hardened WordPress installation.