My website is too small, nobody will want to hack it.
Sounds familiar? It is the usual story people tell themselves because they cannot be bothered to set up and monitor the security of their site. That is a big mistake: WordPress is one of the most popular CMSs today, and it is also one of the most frequently hacked and infected with malware.
While you might be proud of yourself for blacklisting a couple of IPs that tried to log in with the wrong credentials, there is an attack pattern that tends to fly under the radar of the average WordPress user.
We will be talking about the 404 error hack.
What is a 404 Error?
Starting with the basics. Let’s presume that your domain.com has the following pages:
Any other URL, such as domain.com/store, returns a 404 error because the requested page does not exist.
You see it from time to time when sites delete old content (on purpose or by mistake) and forget to redirect the old URLs (for instance with a 301 redirect).
Getting back to our imaginary site: since these are the only three pages available, normal visitors have no reason to get a 404. They do not know whether any other page exists. The only way a visitor gets a 404 is by requesting a non-existent page on purpose. Why would they do that?
How do you identify a 404 Error access?
I was not even aware that my site was getting hit with 404s until I installed an activity log. There was no profound knowledge behind this step; I just wanted to sleep a bit better knowing that I had done something for my site's security (even if just installing a log is not that much…).
So imagine my surprise when in the logs I started seeing various IPs from the UAE, China, India and other countries all of a sudden trying to access files that do not exist (and never existed).
Apart from this irrational behavior, there was also another common denominator: all of them used proxies, and they tried to access the non-existent links one after another in a short time frame.
Why is 404 dangerous?
While 404 errors in themselves are not dangerous, the real problem is the question behind them: why is somebody trying to access a link that never existed?
Being hit with 404s repeatedly is the mark of an automated bot probing your site for vulnerabilities. Here is what the bot is trying to do:
- Find the path to the admin panel (by requesting likely paths and noting which ones do not return a 404)
- Brute-force the password (guess it by repeatedly trying popular login and password combinations).
At this point we are at step one of a potential attack. Such bots are configured broadly: they crawl the web looking for the right page to brute-force later:
- …and other variations
For example, a bot will hit your site five times trying to access parts of it that never existed. If it succeeds (for instance, it identifies that /wp-admin is a live link) it adds your site to its database and starts trying login and password combinations that would give the attacker access. Note that on a stock WordPress install /wp-login.php and /wp-admin/ always exist (the latter redirects to the login page when you are not logged in), which is why bots try those first; the 404s you see come from the other CMS and backup paths on their list.
What to do?
First of all, you need to know that you are being "hit for 404" by bots looking for your login page. Once you have identified the IP address generating the 404s, you can ban it.
A rule of thumb: if one IP address requests several non-existent URLs within a short window (5 to 15 minutes), that IP should be locked out or banned automatically.
The crawling will not stop, but this is the first line of defense against malicious activity on your website.
The vast majority of attackers use proxies, so it is not enough to identify and block IPs once; you have to keep doing it. And you cannot do it manually, or you would be doing nothing else.
The easiest way to get rid of these crawlers is to install a security plugin. For example, the free version of iThemes Security does just that: it monitors 404s and, depending on your settings, blocks the IPs crawling your site.
Security plugins (like the one mentioned above) also help with the second part of the defense: protecting you from password brute force. The approach is the same: anybody who repeatedly tries to log in with the wrong password is locked out for some time, and if they try again, banned permanently.
To avoid locking yourself out, whitelist your own IP address in the plugin. If your connection has a dynamic IP, keep the whitelist entry narrow and up to date, because whoever gets that address next inherits the exemption.
We hope that at this point you realize that the login "admin" with the password "admin123" is the first combination an attacker's bot will try. Use a long, random password, or give a password generator a shot.
If you found your password on this list, congratulations: there is an extremely high probability that it is on the bots' wordlist too, so change it right after you finish reading.
Here is an example of how long a brute-force bot would take to crack a basic password:
And here is how long it takes to crack a good password:
Hopefully, after seeing the examples above, you will use the password generator right after you finish reading this post.
Fake 404 vs Real 404
If you are worried that being hit by bots on your 404s is somehow damaging to your SEO: it is not. Search engine crawlers follow links, so they do not request pages that never existed in the first place. The "healthy bots" are fine.
As with everything, there is a "but". Let's say you install the security plugin and configure it so that an IP that requests a non-existent link more than once is locked out for 15 minutes.
Now imagine you had the page yoursite.com/apples/grannysmith with a bit of referral traffic coming to it, and you decide to delete it.
If a real visitor follows that link, they see a 404. Maybe they reload the page (thinking something went wrong with the browser) and bam, they are locked out for 15 minutes.
This will rarely happen on small sites that are just starting. But imagine you have 500 visitors a day and 600 URLs on your site: the probability of such an occurrence increases rapidly.
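The three behaviours discussed above (the rule of thumb of several 404s from one IP inside a 5 to 15 minute window, the lockout for repeated login attempts, and the false positive of a real visitor reloading one deleted page) can be handled by one small sliding-window detector over the web server access log. The code below is an added example written for this post; it is not the code of iThemes Security or any other plugin. It assumes the Apache/nginx "combined" log format, thresholds of five distinct missing paths or five login POSTs per ten minutes, an allow list holding the site owner's address, a list of known deleted URLs, and constructed sample log lines using documentation IP ranges. It counts distinct 404 paths per IP, so six reloads of one stale URL are one path, not six hits, and it skips paths you have marked as legitimately deleted.

```python
"""Sliding-window scan detector for a WordPress access log (added example).
Bans an IP after too many distinct 404 paths or too many POSTs to wp-login.php
inside one window. Log format, thresholds, IPs and paths are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache/nginx combined format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return ip, ts, method, path (query string dropped) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


class ScanDetector:
    def __init__(self, window=timedelta(minutes=10), max_404_paths=5, max_login_posts=5,
                 allow=("203.0.113.7/32",), legacy_paths=("/apples/grannysmith",)):
        self.window = window
        self.max_404_paths = max_404_paths        # distinct missing paths before a ban
        self.max_login_posts = max_login_posts    # POSTs to wp-login.php before a ban
        self.allow = [ip_network(n, strict=False) for n in allow]  # your own IPs (assumed)
        self.legacy = set(legacy_paths)           # deleted URLs real visitors still follow
        self.not_found = defaultdict(deque)       # ip -> deque of (ts, path)
        self.logins = defaultdict(deque)          # ip -> deque of (ts, path)
        self.banned = {}                          # ip -> reason

    def _allowed(self, ip):
        return any(ip_address(ip) in net for net in self.allow)

    def _push(self, dq, ts, path):
        """Record an event, then drop everything older than the window."""
        dq.append((ts, path))
        while dq and ts - dq[0][0] > self.window:
            dq.popleft()

    def observe(self, rec):
        """Feed one parsed record; return (ip, reason) when a ban is triggered."""
        ip = rec["ip"]
        if ip in self.banned or self._allowed(ip):
            return None
        if rec["status"] == 404 and rec["path"] not in self.legacy:
            dq = self.not_found[ip]
            self._push(dq, rec["ts"], rec["path"])
            if len({p for _, p in dq}) >= self.max_404_paths:   # distinct paths only
                self.banned[ip] = "404 scan"
        elif rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            dq = self.logins[ip]
            self._push(dq, rec["ts"], rec["path"])
            if len(dq) >= self.max_login_posts:
                self.banned[ip] = "login brute force"
        return (ip, self.banned[ip]) if ip in self.banned else None


def detect(lines, **kwargs):
    """Run the detector over log lines; return {ip: reason} for every IP to ban."""
    det = ScanDetector(**kwargs)
    for line in lines:
        rec = parse_line(line)
        if rec:
            det.observe(rec)
    return dict(det.banned)


def log_line(ip, hms, method, path, status):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    # scanner probing five paths that never existed, all within two minutes
    *(log_line("198.51.100.23", t, "GET", p, 404) for t, p in [
        ("13:55:01", "/backup.zip"), ("13:55:09", "/admin/"), ("13:55:20", "/phpmyadmin/"),
        ("13:56:02", "/wp-config.php.bak"), ("13:56:40", "/.env")]),
    # human who followed a stale link and reloads the same deleted page six times
    *(log_line("192.0.2.77", f"14:00:{s:02d}", "GET", "/old-post", 404) for s in range(0, 60, 10)),
    # password guessing: six POSTs to the login form inside one minute
    *(log_line("198.51.100.99", f"14:05:{s:02d}", "POST", "/wp-login.php", 200) for s in range(0, 60, 10)),
    # the site owner's allow-listed IP mistyping their own password
    *(log_line("203.0.113.7", f"14:10:{s:02d}", "POST", "/wp-login.php", 200) for s in range(0, 60, 10)),
]

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

Running it bans only the scanner and the password guesser; the visitor reloading /old-post and the allow-listed owner are left alone. In practice the output would be fed to the firewall or a tool such as fail2ban rather than printed, and because most bots rotate proxies the ban list has to be refreshed continuously, as the post says.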
In any case, a good place to start is a website analyzer (there are tools that crawl a big chunk of your URLs for free) to check for critical errors, which usually include the real 404s.
Once you have identified which links give a 404, a simple solution is another WordPress plugin: Redirection or Yoast SEO will help you create the 301 redirects that solve this problem.
It goes without saying: make frequent backups. No matter how good your security is, your site may get hacked. Schedule backups according to how often your site gets new content, and keep at least one copy off the web server, since a backup stored next to a compromised site can be deleted or encrypted along with it. Some of the best web hosting services (for example these ones) offer daily backups as part of the package, so check with your provider.
It is much easier to spend five minutes a day backing up your site than to stare at a two-month-old backup file. Or, even worse, to have no backup at all.
Even if you have just started your site, you should already be thinking about security. We may even add that new websites are targeted more frequently for these kinds of attacks than established ones, because the big sites already have security measures in place and are much harder to get through.
Set up your security, make your passwords hard to break, back up frequently. After that you can concentrate on what matters most: developing your website.
About the Author
Vlad Falin is a founder and blogger at Costofincome.com, a blog about digital tools and the creation of business online.