Security company Wordfence is reporting that the large distributed brute force attack on WordPress sites is starting to subside. On the morning of February 10th, employees noticed a large increase in the volume of attacks. Their real-time activity map was showing so much activity that they had to throttle the amount of data displayed. I asked BruteProtect if they were seeing the same volume of attacks through their monitoring system:
Yes, we’ve been watching it going crazy. We’ve been seeing levels about 8 times higher than average. Interestingly, while this is definitely a large attack, it’s not the biggest we’ve seen. We were seeing nearly twice as much activity for a 4-day period in mid-January.
Wordfence released an update earlier today saying the attacks have subsided but there are still occasional surges. Think of it like aftershocks after a powerful earthquake.
How These Services Work To Protect WordPress Sites
BruteProtect and Wordfence use the power of many to protect users against distributed attacks. The idea is similar to how Akismet operates. Both companies track failed logins across a large number of WordPress sites, then analyze the data to find patterns and identify attack bots. The more people using their plugin, the more data they have to work with. This results in more protection for site owners and fewer false positives.
Cost Of Protection
The service offered by BruteProtect is free with no limits attached. Wordfence is also free but they offer additional protection such as country blocking, scheduled scans, and remote scans for $39 per year. While the primary goal of BruteProtect is to protect the login page against distributed attacks, Wordfence is more like a full security suite similar to VaultPress.
Limit Login Attempts is a popular plugin that limits the number of login attempts an IP address can make. It is a great alternative, but I prefer Wordfence and BruteProtect for the simple reason that many sites pooling their data through a service is a more effective strategy than battling brute force attacks alone.
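To make the difference between the two strategies concrete, here is an added example (not code from Wordfence, BruteProtect or Limit Login Attempts) that runs both a per-site lockout and a cross-site view over a constructed feed of failed-login reports. The feed format, the thresholds and the site names are assumptions for illustration only. It shows why an IP that fails once on each of many sites never trips a per-site limit, while the pooled view flags it immediately.

```python
from collections import defaultdict

# Constructed sample feed (not real telemetry): one line per failed login
# reported by a participating site, formatted "<site> <client_ip> <unix_time>".
SAMPLE_FEED = """\
blog-a.example 203.0.113.5 1000
blog-a.example 203.0.113.5 1010
blog-a.example 203.0.113.5 1020
blog-a.example 203.0.113.5 1030
blog-a.example 203.0.113.5 1040
blog-a.example 198.51.100.7 1100
blog-b.example 198.51.100.7 1105
blog-c.example 198.51.100.7 1110
blog-d.example 198.51.100.7 1115
blog-a.example 192.0.2.9 2000
"""

# Assumed policy thresholds, chosen for the illustration.
PER_SITE_LIMIT = 5        # per-site lockout after this many failures in a window
WINDOW_SECONDS = 3600     # sliding window for both views
MIN_DISTINCT_SITES = 3    # pooled view: flag an IP failing on this many sites


def parse_feed(text):
    """Turn the feed text into a list of (site, ip, unix_time) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        site, ip, ts = line.split()
        events.append((site, ip, int(ts)))
    return events


def _reaches_count(timestamps, needed, window):
    """True if `needed` timestamps fall inside any `window`-second span."""
    timestamps = sorted(timestamps)
    start = 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        if end - start + 1 >= needed:
            return True
    return False


def per_site_lockouts(events, limit=PER_SITE_LIMIT, window=WINDOW_SECONDS):
    """Per-site policy (the Limit Login Attempts model): each site only sees
    its own failures, so the result is a set of (site, ip) pairs to lock out."""
    failures = defaultdict(list)
    for site, ip, ts in events:
        failures[(site, ip)].append(ts)
    return {key for key, times in failures.items()
            if _reaches_count(times, limit, window)}


def pooled_flags(events, min_sites=MIN_DISTINCT_SITES, window=WINDOW_SECONDS):
    """Pooled policy (the Wordfence/BruteProtect model as the article describes
    it): failures from all sites are combined per IP, and an IP that fails on
    `min_sites` distinct sites within one window is flagged network-wide.
    Returns {ip: sorted list of sites where it failed}."""
    by_ip = defaultdict(list)
    for site, ip, ts in events:
        by_ip[ip].append((ts, site))
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = {site for _, site in recs[start:end + 1]}
            if len(distinct) >= min_sites:
                flagged[ip] = sorted({site for _, site in recs})
                break
    return flagged


if __name__ == "__main__":
    events = parse_feed(SAMPLE_FEED)
    print("per-site lockouts:", per_site_lockouts(events))
    print("pooled flags:     ", pooled_flags(events))
```

In the sample feed, 203.0.113.5 hammers a single site and is caught by the per-site limit, while 198.51.100.7 spreads one failure across four sites and is only caught by the pooled view; the single typo from 192.0.2.9 is flagged by neither, which is the false-positive behaviour the article credits to having more data.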
Use A Strong Password
It’s hard to protect a website from a distributed attack, but the easiest thing site owners can do to protect themselves is to use a strong password. WordPress 3.7 shipped with a password strength meter that does an excellent job of informing you whether your password is strong or not. Using a strong password lowers the chances that a distributed attack succeeds in gaining access.
The Problem Is Only Going To Get Worse
Unfortunately, these types of attacks are becoming more common. Early in 2013, a huge botnet was used to perform brute force attacks on WordPress websites to crack the administrative credentials of users.
Services like Wordfence and BruteProtect are playing a pivotal role in helping users combat this annoying type of attack. These plugins/services are going to be as commonplace on WordPress sites as Akismet. Are you using either of them on your site? If not, what precautions do you have in place to help protect against brute force attacks?
My standard installation has Wordfence + Better WP Security to harden my installation + Sucuri free to monitor the integrity of WordPress and the plugins + Login Security Solutions which in my opinion is more sophisticated than “limit login attempts”. Wordfence in fact comes already with a function to limit the number of login attempts but LSS offers more options.