A Closer Look At Brute Force Attacks Against WP Sites

Perhaps one of the easiest attacks to perform on a WordPress based website is a brute force attack. Sucuri took the time to create a few different honeypots and monitored WP-Login.php to track the various IP addresses as well as the passwords used to break into the site. Their list of passwords attempted is no surprise to me as I’ve seen the same results over the course of a year via the Limit Logins plugin. It all comes back to the use of a strong password. A strong password would look something like this, RCu7R*0#zm. Unfortunately, many forms don’t accept certain characters in passwords so at the very least, add numbers to your password if you can only use numbers and letters.

The reason why this is one of the easiest attacks to perform is because by default, WordPress allows an unlimited amount of tries when logging into the backend. I understand that it’s the users responsibility to use a strong password but at the same time, I feel as though the software could help out by only allowing 3 login tries per IP address, very similar to how the Limit Login attempts plugin works. After 3 failed attempts, the IP address would be locked out for a certain amount of time. The only thing I can figure is this particular enhancement would cause some site owners more grief than peace of mind. Unlimited login attempts has been apart of WordPress since I started using it in 2007 and I don’t see it changing anytime soon, especially since the Limit Login attempts plugin exists and solves the problem so well.


8 responses to “A Closer Look At Brute Force Attacks Against WP Sites”

  1. I think the concept of a “strong” password is a bit overrated. Yes, a long, hard to remember alphanumeric string is pretty secure. You won’t be able to hack my site just by guessing my password. But this kind of password is also hard to remember, so many users are tempted to either use the same “strong” password for everything, or outsource remembering their password to a 3rd party system.

    If you use the same password for everything, one website being hacked can open you up to problems. If you outsource to a 3rd party, once again one site being hacked opens you up to problems.

    I know it’s a comic … but the advice on http://xkcd.com/936/ is the best I’ve seen yet for creating truly secure (but still user-friendly) passwords.

  2. Unfortunately, this is one of those areas where there’s not a “one size fits all” solution. Blocking an IP that submits too many bad login attempts is a pretty common solution, but it has pitfalls. Many networks are behind NATted firewalls, so all connections appear to come from the same address. So in blocking an attacker, you may also be blocking innocent by-standers who are on the same network.

    This might be acceptable for some web sites, but in other cases it might not be.

  3. I have had client lock themselves out all the time. So if you are the only person who has access to wp-admin and you lock yourself out, then you are screwed. I have done this myself because I couldn’t remember which password I used. I deleted the plugin … took some more guesses and got it. Then re-installed the plugin back.

    I have blocked my wp-admin and wp-login.php by IP address, so no outsider can see that. on top of that, there is limit login attempt.

  4. There is a plugin: Google Authenticator that integrates Google’s multifactor authentication into WordPress. After installing the plugin and setting it up on your phone (iPhone and Android) you will have a third field on the WP login page that requires you to enter 6 digit number that is on from the phone app.

    Add another layer of security.

  5. These scripts almost always attack the account called ‘admin’, so simply changing the name of that account solves that problem. Personally, I just use a random word from the dictionary. I also try not to use my admin account to make posts, but if I do I set my user nickname to something else to help with the obfuscation, and then use the ‘Edit Author Slug’ plugin to further hide the login name. Lastly, the Limit Login plugin helps people trying to get lucky.

  6. Not to name nations, but a considerable amount of hacks & attacks are generated from specific countries where such illegal or unethical practices are common. If your website does not invite or require traffic from some of the largest offenders, like China and Vietnam, then you can save yourself a lot of grief and geo-block all access to your site via your .htaccess file. Very simple to do and a quick Google search will bring up numerous tutorials out there with the info you need to do it.

    As to password strength, one method of generating an apparently random string of letters and numbers… yet have it still easy to remember, is to follow the example we often see on customized vehicle license plates. Substitute numbers for words (4 = for, 8 = ate, L8 = late, LAFT4 = laughter etc) and create a password string you can easily remember. For example, a Shakespearean actor might use the password “2B4NOT2B”.

  7. While it definitely raises some good point on password security, hasn’t the essential vulnerability always been SQL injection with most CMS platforms? Even the best password isn’t going to do much when they inject a new user with their own credentials, unfortunately..


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: