3Essentials intrusion detection mechanisms have had their “spider sense” tingling recently as a result of a significant increase in brute force attacks against WordPress sites in the past week. Enough so that we thought it prudent to sound a wake-up call for hosting customers using WordPress.
What is a brute force attack? It’s where hackers use other computers (typically botnets, malicious systems scattered around the globe) to try to log into your WordPress site with “admin” level credentials, posting a different user/password combination each time until they guess it. And yes, this works. Despite weekly news stories about hacking and security compromises at banks and big tech companies, users are still securing their email and website admin logins with passwords like “123456” and “password1”.
These attacks succeed because of poor password choices (like 123456) and a lack of protection mechanisms against such attacks built into the login mechanism itself. WordPress provides the login mechanism as part of WordPress itself, but by default does not provide protection against brute force attempts. Never fear, there are a number of WordPress plugins available that can provide this type of protection. Below you’ll find a link to an article posted by the folks over at WordPress Jedi that discusses these options. You can also hit your favorite search engine with the search phrase “wordpress login attempts” and find a host of discussions on the topic as well as related recommendations.
Keep your version of WordPress up to date
In addition to brute force attacks, another common technique is to probe WordPress sites for indicators of the WordPress version, match that version to a list of known vulnerabilities of WordPress versions, and then execute an exploit specifically designed to exploit that hole in that version. All of this can be easily automated, and bots around the globe are running all day every day probing WordPress sites in this fashion. This isn’t unique to WordPress, but applies to any widely used CMS (content management system), like DNN, Joomla, etc. Widely used content management systems are rich feeding grounds for hackers, because they only have to craft an exploit once for a given version of a CMS, then they can execute that exploit against any site they find running that same CMS version. The best defense is simple… stay abreast of version updates for your CMS of choice, and apply any that include security-related fixes as quickly as possible. It’s just like keeping security patches up to date on your PC or Mac. Make sure the version of WordPress you’re running is up to date.
5 Ways To Limit Login Attempts in WordPress