There's a nasty WordPress hack doing the rounds at the moment. Essentially, it looks for WordPress blogs and then tries to log in to them using common username / password combinations. If you're still using "admin" and "secret" - now is the time to change them!
I've started using Better WP Security on my blogs. It automatically takes care of securing WordPress against the most common forms of attack. One thing it does particularly well is lock out people who repeatedly try an incorrect password to log in.
Additionally, I've also added CloudFlare to my sites. CloudFlare acts as a CDN - when people visit my site, they're actually hitting the CloudFlare service - CloudFlare caches my content, saving me bandwidth.
You can see where this is going, can't you?
That the IP address of CloudFlare! Due to my inability to perform homographic disambiguation I had repeatedly tried to enter the wrong login details in my management app (i.e. I thought the password had a capital I in it rather than a lower-case l).
All of a sudden, CloudFlaretly was locked out. No worries, I thought, I'll just go in to the database and remove the block.
Only, of course, I couldn't. My entire site was behind CloudFlare. CloudFlare couldn't access my site. Therefore, I couldn't access my site!
So, how to get out of this conundrum?
I could have changed the DNS records of my site to point back to my host - rather than CloudFlare - but that would have taken several minutes to propagate.
Luckily, my delightful web provider VidaHost has a Cpanel console which isn't behind my domain names.
From there, I was able to go into phpMyAdmin and access the Better WP Security lockout database - called "wp_bwps_lockouts". I found the offending IP address and removed it from the block.
That restored access, but how could I prevent it happening again?
CloudFlare offers Page Rules which allow you to disable CloudFlare for a partclar page, or set of pages.
Setting an exclude rule for
will stop CloudFlare from proxying and cacheing requests to your WordPress admin panel.
It's also possible to "pause" CloudFlare temporarily but that would have lead to a rather large load on my website.
What have we learned today?
- The unexpected interplay of two independent products can have an "interesting" effect on your service.
- Always have a backup plan for accessing your server.
- If someone is using a tool to automatically blacklist IP addresses, it's possible to provoke a Denial of Service attack by proxying requests through a critical piece of their infrastructure.
- Avoid ambiguous characters in passwords - or at least ensure you use a font which clearly shows the difference between Il1, O0, 5S, etc.
- Don't panic!