WordPress Security: Get SMS alerts when your WordPress site is under attack

A few days back, my wife’s self-hosted WordPress blog was under a brute-force attack. Someone was relentlessly trying to get through the admin authentication page for almost 6 hours straight. I will give credit to a number of safeguards we have applied that kept the battle going so long. Based on the logs, it started somewhere around midnight while we were asleep and continued until early morning, when an SMS notification on my mobile alerted me to put an end to it. When I told my wife about it, she wondered how on earth I came to know that her blog was under attack.

Talking about safeguards, the least you can do to secure your blog is to have a strong and unique password. I research passwords a lot and share my findings on this blog. Go through this checklist to see if your password falls into the “weak” category. If you have a weak password, the battle will be lost long before it reaches the brute-force stage. I also wrote about various tools and techniques to generate and manage passwords and take the pain out of remembering complex passwords.

There are a bunch of other things you can do to secure your blog/site. However, as the title suggests, we will focus on how to get SMS alerts when your WordPress site/blog is under attack. It takes around 15-20 minutes to set this up but it is well worth the effort.

To cook this recipe (no, I’m not talking about an IFTTT recipe here), you need two main ingredients.

  • Google 🙂
  • Limit Login Attempts plug-in for WordPress

We need to use a number of Google services to cook it up. This includes Gmail (labels and filters), Google Calendar (notifications) and a Google Drive Spreadsheet with Google Apps Script to tie it all together. But first of all, you should install the Limit Login Attempts plug-in on your self-hosted WordPress blog. This alone is good enough to give you a good night’s sleep. It is a simple but powerful plug-in. You should read a short overview by wpbeginner (if you are in a hurry) or a detailed summary (recommended) by How To WordPress 2.0 about this plug-in.

If you have read any of the above posts, by now you must have understood that Limit Login Attempts blocks an IP address after a defined number of unsuccessful login attempts. It also provides an option to send an email notification after a certain number of lockouts. Check this option to enable email notification to the site administrator after 1 lockout, so that you start getting notifications as soon as the attack begins.

As I mentioned Google in this recipe, I would recommend that your blog’s admin email account be managed by Gmail. So next, we need to configure your Gmail quickly.

    • Create a new label in Gmail and call it “sendsms”.
Create new label – Gmail
Create new filter – Gmail
Apply label using filter – Gmail
  • Now your Gmail is set. Every new email coming from [email protected], i.e. potential email notifications coming from Limit Login Attempts, will now have the sendsms label applied automatically.
  • Next, we need to set up your Google Calendar so that it sends you an SMS for new events.
  • Open Google Calendar and go to Settings (Gear icon on top right corner).
  • Click on the Mobile Setup tab and complete the setup by selecting your country, entering your mobile number and entering the verification code you receive.
  • You may create a new calendar or use an existing one. Go to Reminders and notifications for your calendar and check the SMS option for the new events. This will ensure that you get an SMS notification for every new event.

So essentially, what we are trying to bake here is this: for every lockout email notification from Limit Login Attempts, we create an event in Calendar, and you receive an SMS for that event. How do we make this happen? This is where a useful Google Apps Script from Tech Awakening comes in handy. It lets you get SMS alerts for new and important emails on Gmail with Google Docs. This is what you need to do.

    • Make a copy of this spreadsheet. Just click on the link and select “Yes, make a copy” when prompted.
    • Select Tools and open Script Editor. This will open the Google Apps Script attached to this spreadsheet.
    • Select Resources and go to Current project’s triggers.
    • We need to add a new trigger so click Add a new trigger link.
    • Select Time-driven, Minutes timer and every minute and save it.
Add a new trigger – Google Drive
    • You will get a pop-up asking for authorization. Click Continue to grant the necessary access.
    • Now click close and save the trigger again.

That’s it, it is all done. From now on, this spreadsheet in your own Google Drive will monitor your Gmail account every minute. As soon as an email arrives that matches the filter we created earlier, our new label sendsms will be applied. For every new email with this label, a new event will be created in your calendar and you will receive an SMS notification for it.
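The polling step described above, sketched as an added example (this is not the Tech Awakening script and not code from this post). It goes one step further than the text by folding all labelled mails from one run into a single event and applying a cooldown, so a multi-hour attack does not produce one SMS per lockout. Only the `sendsms` label comes from the article; the function names, the injected service parameters and the 15-minute cooldown are assumptions.

```javascript
// Added example: Apps Script-style glue. Services are passed in so the same
// function runs in Apps Script and, with fake objects, under Node.
const LABEL = 'sendsms';             // label name from the article
const COOLDOWN_MS = 15 * 60 * 1000;  // assumption: at most one alert per 15 min

function processLockoutMail(gmail, calendar, state, now) {
  const label = gmail.getUserLabelByName(LABEL);
  if (!label) return { alerted: false, reason: 'label missing' };

  const threads = label.getThreads();
  if (threads.length === 0) return { alerted: false, reason: 'no mail' };

  const subjects = threads.map(t => t.getFirstMessageSubject());
  // Remove the label so the next one-minute run does not see these mails again.
  threads.forEach(t => t.removeLabel(label));

  // Cooldown: the attack is already known, so skip further SMS for a while.
  const last = Number(state.getProperty('lastAlert') || 0);
  if (now.getTime() - last < COOLDOWN_MS) {
    return { alerted: false, reason: 'cooldown', suppressed: threads.length };
  }

  const title = threads.length === 1
    ? subjects[0]
    : `${threads.length} lockout mails: ${subjects[0]}`;
  // Assumption: start the event two minutes out so the calendar's SMS
  // notification for new events has time to fire.
  const start = new Date(now.getTime() + 2 * 60 * 1000);
  const end = new Date(start.getTime() + 60 * 1000);
  calendar.createEvent(title.slice(0, 120), start, end);
  state.setProperty('lastAlert', String(now.getTime()));
  return { alerted: true, title: title, count: threads.length };
}

// Entry point for the time-driven trigger inside Apps Script, where
// GmailApp, CalendarApp and PropertiesService are built-in services.
function checkMail() {
  return processLockoutMail(
    GmailApp,
    CalendarApp.getDefaultCalendar(),
    PropertiesService.getScriptProperties(),
    new Date()
  );
}
```

In Apps Script, point the every-minute trigger at `checkMail`; mails that arrive during the cooldown lose the label without raising a second alert.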

Search your Gmail, Contacts and other Google services easily from Chrome

If you are a Chrome user and regularly use awesome Google services like Gmail, Calendar, Contacts, Drive, Bookmarks, Google Plus, Photos, YouTube, Maps, Play, News, Finance etc., then this tip is for you.

A few days back I wrote an article on how to search Google Drive files easily from Chrome (and Firefox). As pointed out by one of my readers, this technique can be easily extended to almost any search service that takes its query via the URL. Another reader pointed out an easy way to add search engines to Chrome, which is as below.

    • Go to the site for which you want to add a search engine
    • Locate the search box for that site and right click on it
    • Chrome shows a context menu called Add as search engine…
Google Chrome – Add as search engine
    • Select and it will show a pop-up with all the details filled in as below
    • Just click OK and your search engine is ready for use
Google Chrome – Edit Search Engine

For some reason though, this does not work with the Google Drive search box. The Google Drive search box does not allow right click, and that is why we have to add the search engine for Google Drive separately.

Although the above technique should work perfectly for some sites, sadly for Gmail or Google Contacts it does not work. The default URL populated is outdated and does not fetch results anymore. Below, I have listed correct URLs for the most useful Google services. I have added more to this useful collection from Brian Johnson.

Happy Searching!

Search Engine URLs for Google Services
Name              Keyword   URL
Gmail             mail      https://mail.google.com/mail/u/0/#search/%s
Google Calendar   cal       https://www.google.com/calendar/render?q=%s
Google Contacts   contacts  https://www.google.com/contacts/#contacts/search/%s
Google Drive      drive     https://drive.google.com/?#search/%s
Google Bookmarks  links     https://www.google.com/bookmarks/find?q=%s
Google Plus       plus      https://plus.google.com/u/0/s/%s
Google+ Photos    photo     https://plus.google.com/photos/search/%s
Youtube           video     http://www.youtube.com/results?search_query=%s
Google Maps       maps      https://maps.google.com/maps?q=%s
Google Play       play      https://play.google.com/store/search?q=%s
Google News       news      https://www.google.com/search?hl=en&gl=in&tbm=nws&authuser=0&q=%s
Google Finance    finance   https://www.google.com/finance?q=%s