What’s up with all the chatter about WordPress brute force attacks? If you haven’t heard or noticed, those bots are at it again, and they’re gunning for your WordPress site. So lock the doors, throw away the key, and hide under your desk. Or rather, just read the rest of this article.
What is a brute force attack?
Our good friends over at Wikipedia define it nicely as:
In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data
So maybe that’s all gibberish to you. For our purposes, it means bots and scripts that try to break into your WordPress site by running through combination after combination of usernames and passwords. Imagine a script that doesn’t get tired, doesn’t stop, and gets smarter over time while hammering away at your site’s login screen. That’s a brute force attack!
Why should you care?
You need to care about these brute force attacks because your site most likely runs on WordPress (or Joomla; yes, Joomla sites are a target as well). Given the recent burst in such attacks reported by reputable sources such as TNW, our good friends at CloudFlare, and PC Magazine, it’s ‘safe’ to say there’s good reason for concern. Besides, like me, you prefer to have your site seen by visitors, not bots.
How to protect WordPress from brute force attacks?
There are several steps you can take to prevent or halt brute force attacks on your WordPress site. Here are a few from my own arsenal:
1) Get rid of the admin
If your username is ‘admin’, then you’ve already given up half your credentials to such bots, since ‘admin’ is the first username they try. Create a new administrator account under a new name, log in as that account, and then delete the ‘admin’ user permanently.
2) Set up a strong password
While you’re at it, change your password to something that’s at least somewhat difficult to guess. Remember, these are bots and they can play the guessing game all night long. So go crazy and use numbers, upper and lower case letters, and special characters to create a long, strong password.
3) Install a plugin to limit the number of login attempts
I recommend the WordPress plugin – Limit Login Attempts – which does exactly what it says: after a set number of failed logins from the same address, it locks that address out for a while, so a bot can no longer try passwords all night long.
4) Use CloudFlare
I highly recommend CloudFlare as it simply kicks butt. If you don’t know what CloudFlare is and why you should use it, or how to set up the DNS for Google Apps on CloudFlare, I’ve got you covered.
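Steps 1 through 3 above all revolve around one idea: a bot reveals itself by posting many failed logins to wp-login.php in a short time. The following script is an added example, not code from this post or from the Limit Login Attempts plugin; it shows the same logic applied to a web server access log, so you can check whether your site is being hit (and how hard) before or after installing the plugin. It assumes the common combined log format, that the log is in chronological order, and uses the heuristic that a failed WordPress login is a POST to wp-login.php answered with HTTP 200 (the login form re-rendered with an error), while a successful one is answered with a 302 redirect to the dashboard. The log lines, IP addresses and threshold values are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/nginx "combined" log format (not real
# traffic; the addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:02:14:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:02:14:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:02:14:14 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Apr/2013:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Apr/2013:08:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Apr/2013:08:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Apr/2013:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.29"
192.0.2.9 - - [15/Apr/2013:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.29"
192.0.2.9 - - [15/Apr/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.29"
192.0.2.9 - - [15/Apr/2013:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.29"
192.0.2.9 - - [15/Apr/2013:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.29"
192.0.2.9 - - [15/Apr/2013:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.29"
this line is deliberately malformed and must be skipped
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def is_failed_login(ev):
    """Heuristic: WordPress answers a failed login POST with 200 (form shown again),
    a successful one with a 302 redirect, so POST + 200 on wp-login.php is a failure."""
    return ev["method"] == "POST" and ev["path"].endswith("/wp-login.php") and ev["status"] == 200


def find_brute_forcers(lines, max_failures=5, window_minutes=10):
    """Return {ip: (time_flagged, failures_in_window)} for every source IP that
    exceeds max_failures failed logins inside a sliding window of window_minutes.
    Lines are assumed to be in chronological order, as a log file normally is."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) > max_failures and ev["ip"] not in flagged:
            flagged[ev["ip"]] = (ev["ts"], len(q))
    return flagged


if __name__ == "__main__":
    # Run against the constructed sample; point this at a real access log to use it.
    for ip, (when, count) in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within 10 minutes, first exceeded at {when}")
```

On the sample, only 203.0.113.7 is flagged: it fails six times in twelve seconds. 198.51.100.20 fails twice and then succeeds (the 302), which is what a legitimate user who mistyped a password looks like, and 192.0.2.9 fails six times but spread over two and a half hours, so it never exceeds five failures in any ten-minute window. Widening the window (for example, to three hours) catches that slow attacker too, which is the trade-off every lockout threshold makes. Keep in mind that any counter keyed by source address, this script and the plugin alike, sees nothing when the attempts are spread across many addresses; that is where CloudFlare, which sits in front of the site, adds a layer the plugin cannot.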
Were you affected?
Hopefully, you weren’t affected by such attacks, but if so, sound off in the comments and let me know how you handled it. If you have any other recommendations, feel free to share.
Just wanted to say “thank you” for the info you provided here on dealing with brute force attacks and, in another post, dealing with Google’s “this site may be compromised” notice. I know very little about internet code etc., but your information gave me orientation and helped me solve my site’s problem (hidden spam links had been injected). If you’re into Symphonic Metal at all, I’ll send you a CD from my band as a show of gratitude. Lemme know. ;-)
Thanks Michael. Glad to be of assistance. And yes, I am into Symphonic Metal but you don’t need to send me anything. Appreciate the thought.
Charlie, charlie!!! Your Site Rocks!! This is really looking very nice, and the resources are invaluable, and I love resources. :)
I am STILL being plagued by not just bots but hackers too. I can’t remember us ever being this persistent, course we didn’t exactly have eggdrops back then either.
Hidden within each attack I have received have also been the IPs from Russia, China, Afghanistan (probably the Russian). So, I would also urge folks to do away with FTP anon, and to remember to have a puzzle or somesuch on the login; it will save you cleaning up your members database (over 4K in one day). Make sure your “friendlyname” is different than your login name, and ensure that is not used elsewhere. Backup, backup, backup: 5 minutes of backup saves you a whole lotta hurt. (Of course I learned it the hard way, doesn’t everyone?)
Shameless plug for my old University & the Black Hat Convention:
=================================================================
For those who are interested: if security is what drives you, and it should if you’re thinking of IT as a career choice, then be sure and make it to Blackhat WestCoast 2013, first time this has ever been held in the U.S. and it’s only a 60 minute drive from me. I so scored on this one. I believe EFF may have a coupon for $100.00 off a class if you are a member with them; if you’re not, you should be, so join. I might even have some friends from my alma mater, University of Alaska-Fairbanks, coming down for this since they specialize in security and a few other areas. http://cs.UAF.edu/ <- certified forensics lab in my old office no less… well, at least it's put to good use. Yearly tuition under 20K for residents; blackhat west coast: priceless & pricey, group discounts, and be sure to look at the descriptions, many of these courses are pretty advanced. https://blackhat.com/wc-13/