Sucuri, the web security specialists, published “Brute force attacks against WordPress sites,” an in-depth look not just at the importance of a strong password but at the brute force nature and anatomy of login and registration access attacks.
There is a technique known as brute-force attack. Like the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc.). Yes, the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method, the attackers are gaining access to your wp-admin; this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.
Because of the consistency and prevalence of these attacks, we decided to test it for ourselves. We created a couple of different honeypots with the intent of identifying the types of passwords being used, and to better understand the anatomy of these attacks. It didn’t take long. Within a few days, we had captured so much data that we had to share it with you.
The article features a list of the most common passwords seen across secure logins in general and in these brute force WordPress login attacks in particular. By now you should all know that the most common password used worldwide is “password,” proof that we somehow never learn. I’ve written extensively on how to create a strong password, and it appears it’s time for another lesson, especially on how to deal with the famous “admin” login issue with WordPress.
It’s also time to remind you to update WordPress whenever there is an announcement of a mandatory security release. Don’t wait. There are evildoers just waiting for security vulnerabilities on older, out-of-date versions of WordPress, PHP, MySQL, etc. Update immediately and don’t risk your site.
Creating a Strong Password
In my training programs and college courses I teach people how to create an easy-to-remember and simple password with punch. It involves some creative thought and familiarity with Leetspeak.
The guidelines for a strong password are to use numbers, mixed capitalization, and symbols, and never to use the same password for everything. People usually panic, assuming that their life is complicated enough without trying to remember 800 passwords, so we make it easy.
Pick a simple, easy-to-remember, or unique word. Make it the same for every password so you will always remember it. Add it to the name of the site, service, or app to make a compound word. If your word was elephant, you would make your Gmail account gmailelephant or elephantgmail, your WordPress site called “My Site” could be mysiteelephant, and your YouTube account elephantyoutube. Sounds simple, but we don’t stop there. It’s important to make your password fairly bulletproof, so we translate it into Leet.
For example, if you are accessing your WordPress site, your password might be WordPressjack and convert into Leet as:
W02dPr355j@(k
If you were accessing your Gmail account, an example following this formula for Gmailjack would be:
6m@i1j@(k
Wikipedia’s Leet article features all the variations on the letters of the alphabet that can be found in Leet, showcasing the versatility and flexibility of using Leet to replace alphabet characters in a password.
For example, the following are Leet options for the letter M:
- 44
- /\/\
- |\/|
- em
- |v|
- IYI
- IVI
- [V]
- ^
- nn
- //\\//\\
- (V)
- (\/)
- /|\
- /|/|
- .\\
- /^\
- /V\
- |^|
- AA
So “Gmail” could be spelled 644@i1, 6?/\/\@i1, 6IVIail, Gnn@11, or other Leet variations, opening up a wide range of possibilities. Your Gmail password in Leetspeak could be completely different from the one someone else uses following this format.
In my example above, I used “Jack” as my unique word at the end of the password. You can use any name, place, or any made-up word. A friend likes the word “syzygy” and uses that as the unique first or last word in all their passwords. In Leet, one spelling variation might be $j2`/6j. Combined with WordPress for “WordPresssyzygy,” it could be W02dPr355$j2`/6j, a seriously strong password.
Creating passwords this way keeps them unique and yet easy to remember, and different for everything you are using. With the flexibility of Leet, there are infinite ways to mix and match letters so you could vary the unique word spelling and change it annually. It meets the requirements for a mix of alphanumeric characters and mixed caps and makes it challenging to break through.
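The Sucuri quote above makes the point that attackers already know the ‘@’-for-‘a’ and ‘$’-for-‘s’ substitutions, so a password checker that only counts character classes will happily accept “P@ssw0rd1”. The following is an added example, not code from the original post or from WordPress: it undoes the common single-character Leet substitutions (expanding ambiguous ones such as “1” for “i” or “l”) and compares every resulting plain-alphabet candidate against a blocklist of common passwords. The blocklist, the substitution table and the sample passwords are constructed for illustration; a real deployment would use a published common-password list.

```python
"""Added example: reject passwords that are common words in Leet disguise.

Not part of the original article. The substitution table and the
blocklist below are constructed for illustration only.
"""
import itertools
import re

# Reverse map: Leet character -> plain letters it commonly stands for.
# Some symbols are ambiguous ("1" may be "i" or "l"), so each maps to a
# tuple of candidates and all combinations are tried.
DELEET = {
    "@": ("a",), "4": ("a",), "8": ("b",), "(": ("c",), "3": ("e",),
    "6": ("g",), "9": ("g",), "1": ("i", "l"), "!": ("i",), "|": ("i", "l"),
    "0": ("o",), "5": ("s",), "$": ("s",), "7": ("t",), "+": ("t",),
    "2": ("z", "r"),
}

# Constructed stand-in for a real list of the most common passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "admin", "welcome",
    "wordpress", "iloveyou", "monkey",
}

# Upper bound on how many expansions we are willing to enumerate for one
# password; anything more ambiguous than this is simply not expanded.
MAX_CANDIDATES = 512


def deleet_candidates(password):
    """Return the set of plain-alphabet strings the password may disguise."""
    base = password.lower()
    # Crackers also append a digit or "!" as a mangling rule, so we check
    # the full string and the string with trailing non-letters removed.
    stripped = re.sub(r"[^a-z]+$", "", base)
    forms = {base, stripped} if stripped else {base}

    candidates = set()
    for form in forms:
        options = [DELEET.get(ch, (ch,)) for ch in form]
        combinations = 1
        for opts in options:
            combinations *= len(opts)
        if combinations > MAX_CANDIDATES:
            continue  # too ambiguous to expand exhaustively; skip this form
        for combo in itertools.product(*options):
            candidates.add("".join(combo))
    return candidates


def check_password(password, min_length=12):
    """Return '' if the password passes, otherwise a short reason it fails."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    hits = deleet_candidates(password) & COMMON_PASSWORDS
    if hits:
        return "disguised common password: " + sorted(hits)[0]
    return ""


if __name__ == "__main__":
    # Constructed sample passwords: two weak ones in Leet disguise and the
    # two compound examples from the article.
    for sample in ("P@ssw0rd1", "W0rdPr3ss!", "W02dPr355j@(k", "6m@i1j@(k"):
        verdict = check_password(sample, min_length=8) or "ok"
        print(f"{sample:16} {verdict}")
```

The check deliberately normalizes before comparing, which is exactly what a cracker’s rule set does in reverse; a compound such as W02dPr355j@(k passes because the underlying word “wordpressjack” is not a common password, while W0rdPr3ss! fails because “wordpress” is.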
Changing the WordPress Admin Username
While WordPress and WordPress.com offer a unique password generator and offer a password strength indicator when you create your own, it doesn’t create the username, save for the default “admin” username upon installation or activation.
The first step in protecting your WordPress site’s security is changing the “admin” username. The second step to truly protecting your username and password is to create a second account for day-to-day use, leaving the administrator user level for those special occasions when you need to go under the hood.
To change the default “admin” username, you need to add a second Administrator account. However, WordPress permits each email address to belong to only one user account per site, so you have to fool it. I have instructions below on how to do that if you don’t have a second email address.
The instructions for changing the default username from “admin” to anything else are:
- Go to Users > Invite New.
- Add a new user (yourself) with the second email address and set the user authority level to Administrator.
- Log out of your site.
- Go to your email and accept the invitation, then log in to confirm.
- Go to Users.
- Select the original Administrator account with the username “admin.”
- Click Delete.
- In the Delete panel, select Attribute all posts and links to… and select the new username.
From that point forward, log in with the new account as Administrator.
If you use a second email account and wish to use the original email address, after completing the above, go to your User Profile and change the email address back. If you do not have a second email account, most email services permit the plus method of creating custom email addresses. For example, in Google Gmail, you can add a + to your email address to create a unique email such as myemail+wordpress@gmail.com. All email delivered to that address goes to your myemail@gmail.com address, ignoring the part after the plus. Check with your email host for their method.
Creating a Safe User Account
I travel extensively and can’t always trust the Internet connection I’m on for security. Nor can most people as they take their blogging experience from the home or office desktop computer to laptops, mobile phones, and tablets. It is more important than ever to create a separate, lower-privilege user account for accessing your site in public, which limits the damage if that account is compromised.
The Administrator user level has complete power and control over all aspects of your site, from adding content to injecting code into Themes and Plugins. The Editor and Author user levels restrict access to the customization and code-level features of your site, limiting access to publishing content and comment management, where most of us spend the majority of our time. When I don’t need administrator clearance, I log in with my Editor or Author user accounts. If those usernames and passwords are stolen or broken into, they can only go so far in causing damage.
To create an Author or Editor user account, you will need a second email address (see above for details).
- Go to Users > Invite New.
- Add a new user with the second email address and set the user authority level to Author or Editor.
- Log out of your site.
- Go to your email and accept the invitation, then log in to confirm.
When you need to make design or code changes, use your Administrator login. The rest of the time, use your Author or Editor login and you’ve added another level of security to your site.
If you would like to use a WordPress Plugin to change the username and protect the Administrator account, give these a try.
- WPVN – Username Changer WordPress Plugin
- Better WP Security WordPress Plugin
- Lockdown WP Admin WordPress Plugin
- MJP Security Plugin WordPress Plugin
- Allow Multiple Accounts
- Add Multiple Users for WordPress WordPress Plugin
Hat Tip: WP Tavern
18 Comments
Or, you can just use lastpass.com and your troubles are over…
There are a lot of password creation and saving tools, but step away from your familiar computer setting and what were they? How do I get them?
I agree, LastPass is awesome.
Lorelle: If you pay their $1 a month fee, you get access to their mobile versions, allowing you to get your passwords on your phone-of-choice. Worth it, IMO.
I’ll keep that in mind. In all the years of using my system, only once have I had a problem, and that is with one account that limits the password to 10 characters. Totally stupid, IMHO, and forces me to break the norm with my more than 10 character passwords.
Reblogged this on Believe Anyway and commented:
In case anyone did not receive this, Lorelle at wordpress put this post up today. It is about fighting spammers, passwords that are resistant to attack, etc.
Thanks for posting this article! As a WordPress nerd, I love this article… but my security nerd forces me to make a couple of comments…
The best way to make a secure password is to use a phrase like a song lyric. Insert a special character and then you’re done. If your special character isn’t ! you’re even better off.
Using a schema on every site defeats the purpose of switching up your passwords. The purpose of switching up your password is so when someone has one password, they can’t guess others. If your Facebook is FacebookJack, and your Twitter password is TwitterJack… well, your Twitter account will get jacked.
Your “leet” speak examples are serious! I highly doubt anyone is ever going to guess one of your passwords. It’s important to realize that password crackers are well aware of leet speak. So, if you follow the leet speak advice, make SURE your leet speak is very ‘leet’. “P@ssword1” just doesn’t cut it. But, Lorelle’s examples sure do!
The safe user advice is BRILLIANT. I use it EVERY day when I log into my computer, why I don’t do this with WordPress is beyond me!
Changing your admin account name to “greg” does you no good if you then post articles as greg… because WordPress shares the usernames for all authors! A quick example to illustrate:
Lorelle’s username is, “lorelle” https://lorelle.wordpress.com/author/lorelle/ (I hope you don’t mind me posting? If you do, please edit this part…). To confirm her username, go to her admin panel at /wp-admin and type in the user name with any password. You’ll promptly get a notification from WordPress that you have her user account: “ERROR: The password you entered for the email or username lorelle is incorrect.”
Congratulations, you’ve just won the first half of the password cracking battle. You can thank ma.tt for making that so easy… Now, of course, you still have to guess her password… Good luck with that one! Ma.tt’s not helping you there.
I keep meaning to build user account scanning into my WordPress security scanner: scanwp.com, but I’m still working on getting it to detect malware as good as the Sucuri scanner does.
Greg, usernames are not considered confidential information. Security is all in your password. Having to guess two things doesn’t actually make it twice as hard.
Otto is right. The author name is often the nickname or display name, not the username. I have many accounts with a variety of usernames and none of them are my author name. Good point though. Many don’t change it, publishing content under sillygirl42. 😀
As for song lyrics, that would be the same as a unique word in the above example. Something you can easily remember. I still recommend changing the letters to mixed caps and symbols, and Leet makes that fairly easy.
Recently a victim of a wordpress attack. Beyond strong passwords and limiting accounts, I realized I’d never completed my .htaccess file. Feeling much safer now.
The .htaccess file is one way to add some protection, but not the only one. Make sure you pay close attention to little gaps that many of us leave knowingly (and forget) or unknowingly.
Unfortunately, Otto is incorrect. Login names ARE confidential information. The first step to brute forcing a password is having a user name, or better, a complete list of possible user names. WordPress gives out both of these. There is no reason it should.
If you don’t have a user name, the number of possible combinations of username/password becomes a lot more complex. Without a list of names, guessing the right password, even if that password is “password,” is hard. Oftentimes, people use their first name as a login, so it’s not really very difficult. But it shouldn’t be something an automated password cracker can get by loading your homepage. WordPress should also check to make sure “first name” and “user name” aren’t the same.
When I get more time, I’ll round up a collection of links about how to program secure login screens.
The short list:
1. Give the same error message for all errors on the login screen.
2. Do not allow users to set weak passwords like ‘password’.
3. Don’t allow user names to be harvested.
WordPress developers argue that these things are the user’s responsibility. It’s the stupid users who let their WordPress get hacked. But, when we can prevent the user from making stupid mistakes, is it really the user being stupid, or is it that our program needs improvement?
I think this one is key:
“2. Do not allow users to set weak passwords like ‘password’.”
Because you can inform people that they need strong passwords but some people actually think that “password!” is strong — because they don’t understand how serious
Do you know of any ways/plugins to force a certain quality of password on WP? It shouldn’t be that difficult, since WP already has the built in password-strength meter.
There are WordPress Plugins that use password-strength meters for sites with extensive registered users or members. However, if you have less than 20 people registered with your site, an email reminder to ensure they make their passwords strong is better than adding another Plugin.
We tend to put a lot of energy into serving the lowest common denominator and we need to start trusting people to look after themselves, too. Education is the key, not gatekeepers.
I agree with freddyflow. I use LastPass and generate a password which is a very strong password.
Thanks, Dennis. Yes, I can’t imagine life without Lastpass!
Another great timesaver is activewords.com. These are my dynamic duo…
-Freddy Flow
Aside from having a strong password and using a login that is not the admin account I also like having the Login Lockdown plugin installed.
It will slow down and stop many brute force attacks. The best feature is you can tell it to automatically lock out unknown usernames, so if the attacker tries to login with a username that does not exist they get locked out right away.
It has been great. I am sure there are other plugins that do similar things but that is my favourite.
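The three-item list a few comments up (same error for every failure, no weak passwords, no username harvesting) and the Login Lockdown behaviour described just above are two halves of one login design. The following is an added example written for this page, not code from WordPress, the Login Lockdown plugin or any commenter: a small login service that returns one generic error whether the username is unknown, the password is wrong or the account is locked, hashes a dummy credential for unknown usernames so the response time does not reveal which usernames exist, counts failures per client address and per username with a timed lockout, and optionally locks the client out immediately on an attempt against a nonexistent username. The usernames, passwords and addresses are constructed sample values; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
"""Added example: uniform login errors plus failure counting and lockout.

Not part of the original post or of WordPress. All sample users,
passwords and client addresses are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

GENERIC_ERROR = "Invalid username or password."  # the only message ever shown
MAX_FAILURES = 5          # failures within the window before lockout
LOCKOUT_SECONDS = 15 * 60  # how long a locked key stays locked


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Salt is random if omitted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class LoginService:
    def __init__(self, clock=time.monotonic, lock_unknown=False):
        self._users = {}                      # username -> (salt, digest)
        self._failures = defaultdict(list)    # lock key -> failure timestamps
        self._clock = clock                   # injectable for testing
        self._lock_unknown = lock_unknown
        # Dummy credential: unknown usernames still cost one PBKDF2 run, so
        # "no such user" and "bad password" take the same time to answer.
        self._dummy = hash_password("not-a-real-password")

    def add_user(self, username, password):
        self._users[username.lower()] = hash_password(password)

    def _prune(self, key, now):
        """Drop failures outside the window; return how many remain."""
        recent = [t for t in self._failures[key] if now - t < LOCKOUT_SECONDS]
        self._failures[key] = recent
        return len(recent)

    def login(self, username, password, client_ip):
        """Return (ok, message). Every failure path yields GENERIC_ERROR."""
        now = self._clock()
        user_key = "user:" + username.lower()
        ip_key = "ip:" + client_ip

        if any(self._prune(k, now) >= MAX_FAILURES for k in (ip_key, user_key)):
            return False, GENERIC_ERROR  # locked; same message, no hint

        known = username.lower() in self._users
        salt, digest = self._users.get(username.lower(), self._dummy)
        _, attempt = hash_password(password, salt)
        ok = known and hmac.compare_digest(attempt, digest)

        if not ok:
            self._failures[ip_key].append(now)
            self._failures[user_key].append(now)
            if not known and self._lock_unknown:
                # Login Lockdown-style: a guess at a nonexistent username
                # locks the client out immediately.
                self._failures[ip_key].extend([now] * MAX_FAILURES)
            return False, GENERIC_ERROR

        self._failures.pop(ip_key, None)   # success clears the counters
        self._failures.pop(user_key, None)
        return True, ""


if __name__ == "__main__":
    svc = LoginService(lock_unknown=True)
    svc.add_user("editor", "W02dPr355j@(k")          # constructed sample
    print(svc.login("editor", "W02dPr355j@(k", "203.0.113.5"))
    print(svc.login("editor", "wrong", "203.0.113.5"))
    print(svc.login("ghost", "wrong", "203.0.113.5"))   # locks 203.0.113.5
    print(svc.login("editor", "W02dPr355j@(k", "203.0.113.5"))
```

Counting against both the client address and the username matters: counting only per address lets a distributed bot net spread its guesses across many addresses, while counting only per username lets an attacker lock legitimate users out at will, so the two are used together and a successful login clears both.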
Reblogged this on News You May Have Missed and commented:
Update WordPress Now: Reuters Hacked
Pity that there isn’t an easier way…
6 Trackbacks/Pingbacks
[…] VanFossen shared Defying Brute Force Attacks on WordPress Logins. Defying Brute Force Attacks on WordPress […]
[…] Defying Brute Force Attacks on WordPress Logins […]
[…] to run through a whole series of passwords or MD5 hash combinations to gain access to your website. Lorelle.wordpress.com has a great write-up on the issue along with resources to assist you in the battle of protecting […]
[…] wrote about brute-force attacks on WordPress logins last year recommending to all to get serious about making your usernames and passwords stronger. A year later […]
[…] Lorelle VanFossen explains how to create a strong password that is not terribly long and is easy to …. Her technique is a little unconventional, but stick with her through the article and you will end up with multiple passwords based on the same word […]
[…] Login: To enhance the security of your site, it is recommended that you create a second login as a safe user account to use when you are traveling or at an insecure Internet access point. Use your admin login only […]