
WordPress Gotchas When Rolling Your Own Site

[Image: Bot attempting WordPress logins. Automated login attempts using both "admin" and the site name as usernames]

Running WordPress on my own server, such as on Amazon Web Services (AWS), is a bit more work than using even the popular commercial web hosts, since the server configuration is entirely up to me. This site had been up for about three weeks when I noticed 900 login attempts on WordPress. I've never run into this on shared hosting sites like GoDaddy or HostGator, presumably because they have applications protecting their servers from script kiddies (bandwidth is money).

The first order of business was to get rid of the default WordPress login URL, which is what the bot was looking for, by giving it a meaningless name. I used a security plugin to do this, but there are plenty of other WordPress plugins and server rewrite options that can do the same thing.

[Image: WordPress lost password link on the login page]

Note that changing the name of the login URL does no good if you do not also remove the lost-password links from the login page and disable the password reset, since both of them contain the new login URL. This is easily done with a little theme function code, e.g. like this.
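As an added example (not the post's own code, and not taken from any particular security plugin), here is the kind of theme function code that does this. It assumes WordPress core hooks only: the `allow_password_reset`, `lostpassword_url` and `lost_password_html_link` filters and the `login_form_{action}` actions; the `lost_password_html_link` filter is assumed to exist on the WordPress version being run, and the `myblog_` prefix is a placeholder name.

```php
<?php
// Added example, not from the original post: disable WordPress password
// resets and hide the "Lost your password?" link so the renamed login URL
// is never printed on the login page or mailed out in a reset link.
// Drop this into the active theme's functions.php or a small mu-plugin.
// Hook names are WordPress core hooks; lost_password_html_link is assumed
// to exist on the version being run. "myblog_" is a placeholder prefix.

// 1. Refuse every password reset, for every user. get_password_reset_key()
//    consults this filter before it ever builds a reset link.
add_filter( 'allow_password_reset', '__return_false' );

// 2. Remove the "Lost your password?" anchor from wp-login.php.
add_filter( 'lost_password_html_link', '__return_empty_string' );

// 3. Anything that still calls wp_lostpassword_url() (themes, login
//    widgets) gets the home page, not the renamed login path.
add_filter( 'lostpassword_url', function () {
    return home_url( '/' );
} );

// 4. Requests that go straight to the lost-password / reset actions
//    (?action=lostpassword etc.) are sent to the home page before
//    wp-login.php renders anything.
function myblog_block_lostpassword() {
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
foreach ( array( 'lostpassword', 'retrievepassword', 'resetpass', 'rp' ) as $action ) {
    add_action( 'login_form_' . $action, 'myblog_block_lostpassword' );
}
```

Steps 1 and 4 are the ones that matter for security; steps 2 and 3 only keep the renamed URL out of the page markup. After adding it, load the login page and confirm the lost-password link is gone, then request the `lostpassword` action directly and confirm you land on the home page rather than the reset form.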

The second order of business was to activate a firewall on my Apache server, to catch these things before they reach WordPress. I actually don't use many of the features available in the security plugin, because most of them are handled at the server edge.

[Image: Slimstat Access Log, showing the actual XFF ("Originating") IP address]

Of course, a blog is for blogging, not running a server! Even though it's kind of interesting. Fortunately, my little piece of the interwebs isn't a big target, so maintenance is pretty minimal. I use the Slimstat plugin to monitor traffic to the site (in a benign mode, with no cookies or JavaScript), and one of its best features (for me) is the Access Log, which displays the X-Forwarded-For IP address. My site sits behind a load balancer, so all of the IPs hitting my site are the load balancer IPs. The actual originating IP address is in the XFF field of the HTTP header, so it's nice to be able to see this from the WordPress admin console without having to log in to the server and dig through the logs. In the image above, a bot is hitting my site hunting for an open (unprotected) folder location.
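The catch with X-Forwarded-For is that any client can send the header itself, so a log that simply prints it can be fed bogus addresses. As an added example (not the post's own code and not how Slimstat does it), the function below only believes the header when the TCP peer is one of the load balancer addresses, and then takes the rightmost entry, which is the one the load balancer itself appended. The proxy list and the sample requests are constructed placeholders.

```php
<?php
// Added example, not from the original post or the Slimstat plugin.
// Recover the originating client IP behind a load balancer without
// trusting a forged X-Forwarded-For header.
//   - The header is only honoured when REMOTE_ADDR (the TCP peer) is one
//     of our own load balancer addresses.
//   - Each proxy appends the address it saw, so the rightmost entry is
//     the one our load balancer added; everything left of it came from
//     whoever connected to the load balancer and is not trustworthy.
// TRUSTED_PROXIES is a constructed placeholder for the real LB addresses.

const TRUSTED_PROXIES = array( '10.0.1.10', '10.0.1.11' );

/**
 * Return the originating client IP for a request.
 *
 * $remote_addr  the TCP peer, i.e. $_SERVER['REMOTE_ADDR']
 * $xff          raw X-Forwarded-For header value, or null if absent
 * $trusted      addresses allowed to set X-Forwarded-For
 */
function originating_ip( $remote_addr, $xff, array $trusted = TRUSTED_PROXIES ) {
    // Not from the load balancer: the header is untrusted, use the peer.
    if ( ! in_array( $remote_addr, $trusted, true ) ) {
        return $remote_addr;
    }
    if ( $xff === null || trim( $xff ) === '' ) {
        return $remote_addr;
    }
    // Split "client, proxy1, proxy2" and keep the last non-empty hop.
    $hops      = array_map( 'trim', explode( ',', $xff ) );
    $hops      = array_values( array_filter( $hops, 'strlen' ) );
    $candidate = end( $hops );
    // Refuse to log garbage such as "1.2.3.4, not-an-ip" as an address.
    if ( filter_var( $candidate, FILTER_VALIDATE_IP ) === false ) {
        return $remote_addr;
    }
    return $candidate;
}

// Constructed sample requests, shaped like $_SERVER entries.
$samples = array(
    // Normal case: the LB appended the real client address.
    array( 'REMOTE_ADDR' => '10.0.1.10',    'HTTP_X_FORWARDED_FOR' => '203.0.113.7' ),
    // Client sent a forged header; the LB appended what it actually saw.
    array( 'REMOTE_ADDR' => '10.0.1.10',    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 203.0.113.7' ),
    // Direct hit that bypassed the LB, carrying a forged header.
    array( 'REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1' ),
    // Malformed header value.
    array( 'REMOTE_ADDR' => '10.0.1.10',    'HTTP_X_FORWARDED_FOR' => 'not-an-ip' ),
);

foreach ( $samples as $s ) {
    printf( "peer=%-14s xff=%-22s -> %s\n",
        $s['REMOTE_ADDR'],
        $s['HTTP_X_FORWARDED_FOR'],
        originating_ip( $s['REMOTE_ADDR'], $s['HTTP_X_FORWARDED_FOR'] )
    );
}
```

The second and third samples are the ones worth checking: the forged `1.1.1.1` never wins, because the load balancer's own appended entry is preferred when the request came through the balancer, and the header is ignored entirely when it did not. If you have more than one trusted proxy layer in front of the server, walk the list from the right and skip every trusted address before settling on a candidate.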

Pro tip: Write more, sysadmin less.

-- Scrib