We’re Sharing a WordPress Plugin: Double Knot Security

Unlike most website hosting providers, Kicks Digital Marketing maintains our client's Wordpress installation as well.  As part of that we also maintain the Wordpress plugins installed. In addition to a handful of very useful public plugins, Kicks Digital creates custom plugins that each serve a very specific purpose. We understand the needs of our customers and their Wordpress websites and thus don't need tons of fluff that tends to come with plugins that are trying to accommodate every situation.

An easy way for hackers to infiltrate a Wordpress site is to try very common user names and passwords. An automated bot will attempt to log in to your Wordpress site using usernames like "admin" or the nice names of your users. These kinds of breaches are called brute force attacks. Essentially the script will bang its head against the door until it gets in. As you may imagine the bot can make thousands of attempts a day. Even if the hacker never gets in, the attempts alone can be extremely taxing on your server.

Being a solely Wordpress development company we are not immune to these types of attacks. From that spawned the Double Knot Security plugin. The plugin does two things. It monitors the usernames that are trying to login and it monitors if a script is attempting to uncover usernames.

Detecting Bots

While monitoring usernames it looks for common usernames that we know would never exist on one of our sites like "admin." If the plugin ever sees an attempt from a username like that the IP of the bot is immediately banned for a set amount of time. We would consider that a blacklisting approach to stopping false logins.  Wherein there is a list of usernames that if ever used would prompt a ban. A stricter method would be the opposite approach. It takes the list of actual usernames and compares the login attempt to the list of users; if the username isn't on the list it gets banned. This would be called a white-list approach.

Stopping Author Enumeration

Most hackers will have a short list of common usernames they attempt to login with. A more sophisticated script will try to harvest usernames directly from the site. You should never display any of your Wordpress usernames anywhere in the theme or headers. If the usernames are not directly displayed on a page or post the hacker can try to get Wordpress to tell them what they need to know using what's referred to as "author enumeration." If your Wordpress settings allow for "pretty permalinks" ( URLs without numbers in them ) the numbered equivalent of that pretty URL will get forwarded. Going to the URL http://example.com/?author=1 may result in something like http://example.com/author/admin/ where the second part of that URL is the Wordpress "nicename" for the user with id 1. The Wordpress nicename for a user more often than not will also be the username for that user.

If a script is able to go to ?author=1 then ?author=2, etc it can gather a list of all usernames that exist on a given Wordpress site. So instead of using generic usernames, the hacker can use actual usernames and only need to guess a password at that point.  The Double Knot Security plugin stops all attempts to discover usernames in that manner.

Stopping the discovery phase with author enumeration and checking attempted usernames against a white or black list will stop 99% of attempts to fraudulently login to your site.  Double Knot is not the only plugin that does those things, but what is advantageous for us is that it only does those two things.  As we mentioned before, there can be a lot of bloat with plugins that try and do everything.  Double Knot works for us because it does those two things really well and saves tons of computing power for a server and keeps are customer's Wordpress installations intact.

In an attempt to give back to the Wordpress community that has given so much to us, we released Double Knot Security, for free, to the community.  You can download it here: Double Knot Security or search for it on your Wordpress plugins directory.