My mother emailed me and asked if WordPress was under attack. With all the news of last week’s attack of the Boston Marathon, the attacks on WordPress and other PHP-based web publishing sites was low on the priority list for myself and others, but this is something to take seriously. As we get back to some form of normalcy in this trigger-happy, frighting world we live in physically and virtually, it’s time to address this issue of brute-force attacks on WordPress sites.
Here is what you need to know right off the top.
- WordPress is safe.
- The brute-force login attacks are not aimed specifically at WordPress. Reports are that Joomla, Drupal, and other publishing platforms are also being attacked.
- The attack is directed specifically at logins, making use of vulnerable usernames and passwords.
- To ensure your site’s security, make sure all usernames and passwords are alphanumeric and complex enough not to be guessed easily.
- Do not share your username and password with anyone, even those you trust. Use your best judgement. Be cautious to the point of paranoia when accessing your site on shared or public networks and computers.
- Check that all WordPress sites, Plugins, and Themes are up-to-date with the latest stable release of WordPress. No excuses.
- If you or a client cannot log into a site or report an error when trying to log in, contact the web host immediately. Some web hosts have locked down direct access to the WordPress login file to protect customers until more information and a resolution can be found to strengthen login protection on their servers.
- If you are on WordPress.com, your site is secure, however your password may not be. WordPress.com forced new users to choose a unique username several years ago, and their sign-in encourages strong passwords, but it is up to you to make sure your password is strong enough.
How to Protect Your WordPress Site
All web-based sites with logins are vulnerable, not just WordPress. Here are the tips you need to know to help you secure your WordPress site.
An article on the WordPress Codex, the online manual for WordPress Users, called “Brute Force Attacks” spells out what you can do from the simple to complex to protect your site from such attacks in the future. Here is a summary:
- Don’t use “admin” as your username.
- Create a strong password that is longer than 8 characters and includes an alphanumeric combination with symbols (Don’t use “admin” as your username.
- Create a strong password that is longer than 8 characters (12 is better) and includes an alphanumeric combination with symbols (!@#$%^&*).
- Use a Two-Step Authentication feature on WordPress. If you are on WordPress.com, turn on this verification feature by going to the Administration Panels > Security and using the new wizard that will step you through the process. Self-hosted sites may use the Google Authenticator WordPress Plugin. This requires a smartphone or phone with SMS text messaging. (Note: The goal is to add this feature to the JetPack WordPress Plugin in the future.)
- Consider a WordPress Plugin that further protects your site from login abuse.
- Protect your server based upon recommendations by your web host (as not to duplicate or contradict their efforts) with scripts and additional password layers (not for the non-coder).
- Check the file permissions of all the files and directories on your server to ensure the file permissions are set properly and no file is exposed inappropriately.
- Consider a WordPress Plugin that further protects your site from login abuse.
- Protect your server based upon recommendations by your web host (as not to duplicate or contradict their efforts) with scripts and additional password layers (not for the non-coder).
- Check the file permissions of all the files and directories on your server to ensure the file permissions are set properly and no file is exposed inappropriately.
- This is not a “new” attack as in this type of attack has been tried before. The difference is that this is now and the attack is more concentrated and wide-spread.
In addition to that article, I recommend “Hardening WordPress” on the Codex to help you understand more about the security issues in and around WordPress, especially for web designers and developers.
An article by noted WordPress expert and author, Morten Rand-Hendricksen, stated that while the default login for self-hosted installations of WordPress continue to set the default user name as “admin,” moves are afoot to change this permanently to let users set a unique username to encourage greater security.
If you installed WordPress a while ago, go right now and change your username. Tell your friends, neighbors, co-workers, and online buddies to do the same. Let not a risky username or password put your site at risk.
Without a doubt, the biggest security risk to your site is you. Doesn’t matter if your site is on WordPress, Drupal, Joomla, Blogspot, or another publishing platform. In “WordPress – Understanding its True Vulnerability,” Tony Perez of Sucuri Security Blog described it beautifully:
The WordPress core development team and review process has matured tremendously over the years, such that they deserve accolades for their ability to push timely patches when security issues are identified. Although inefficiencies still exist in a number of areas, the greater issue we want to focus on is the end-user responsibilities.
Why so many infected WordPress sites then?
Today what we find is that no longer is the application the true cause, the paradigm has shifted, and now the end-user is often the vulnerability.
We are in the age of websites for all, for a low yearly fee of $34.99, and easy hosting plans starting at $5.99 a month. It is no longer necessary to hire development firms to offer overqualified resources to apply updates and make content changes. Pffff, I can do that myself. What is an update anyway?
Unfortunately, as sarcastic as that may sound, it’s the sad truth. Everyday we fight malware, Monday – Sunday, midnight to midnight, and the trend is getting stronger. End-users are sloppy, everyone is anxiously jumping at the opportunity to use an application like WordPress for their blogging and website needs, with little regard to the dangers of the interwebs. When a hack occurs, as is human nature, the first thing is to look at everything but the yourself, in this case WordPress.
…What most website owners do not understand is that what makes WordPress so useful and cost-effective is also its biggest weakness. WordPress is a highly extensible application that allows your average Joe to easily make changes, add features and manage content. This ease of use, while great, puts a tremendous amount of responsibility on the end-user, so much so that they are often the root of their own problem.
Thought of the day: The WordPress team is doing their part to ensure your security on the web, can you say the same thing?
It’s the truth. WordPress developers do everything they can to make WordPress easy to use. It’s up to you to take a moment to do the two most important things you can do to make WordPress secure: Create a defensible username and password.
I wrote about brute-force attacks on WordPress logins last year recommending to all to get serious about making your usernames and passwords stronger. A year later I’m singing the same song. Let’s hope that this time people listen.
The following are more articles with tips and techniques for improving the security of your WordPress site. Note that some of these are highly technical articles and some steps should not be taken without cooperation of your web host – who might appreciate your paranoia as it protects them as well as you.
- Selecting a Strong Password — Support — WordPress.com
- Passwords — Support — WordPress.com
- Greater Security with Two Step Authentication — Blog — WordPress.com
- How to Protect Your Blog with a Solid Password – Lorelle VanFossen on Blog Herald
- Resetting Your Password « WordPress Codex
- Change your WordPress admin Username – DigiTalk Online
- How to Change your WordPress Username – WPBeginner
- Change Your Username — Support — WordPress.com
- WordPress › Support » Brute Force Attack WP Release Admin (Info on updating an older site in light of this attack)
- Stopping Brute-force Logins Against WordPress – Frameloss
- WordPress under attack: How to protect yourself | lynda.com blog | lynda.blog
- WordPress Brute Force Attacks: Protect Yourself Now – CodeGuard Blog
- Global WordPress Brute Force Flood | HostGator Web Hosting Blog | Gator Crossing
- Defending WordPress Logins from Brute Force Attacks – SpiderLabs Anterior
- Protecting Against WordPress Brute-Force Attacks | Sucuri Blog
- Ongoing WordPress Security Attacks, The Details and Solutions | iThemes
- WordPress ModSecurity Rules | Liquid Web Knowledge Base
- WordPress Login – Brute Force Attack « HostGator.com Support Portal
- Technokarak Explain – Brute Force Attack against WordPress Blogs – Technokarak.com
- Some Advice On Securing Your WordPress Site | Lifehacker Australia
- How to Protect Your WordPress Sites from Brute Force Attacks (1 Simple Step)
- About ModSecurity Collections and Limitting Requests – Web Security Blog at jwall.org
The Story Behind This Year’s Brute-Force Attacks
I first learned about the recent attacks on April 10, 2013, when my friend, Michael Hampton of Bad Behavior fame (the WordPress Plugin and other PHP-based publishing platforms add-on determined to prevent comment spam and evil) noted brute-force login attacks were increasing against WordPress sites:
Over the past day or so I’ve seen close to 1,000 brute force login attempts at my own WordPress sites originating from botnets. Other sites are being hit even harder.
…These attacks appear to be originating from two distinct botnets, each with its own distinguishing characteristics…In both cases, the attacks attempt random passwords and passwords with patterns such as qwertyuiop or 123123. If you have a password that might have such a pattern in it, you should change it immediately.
I hate to say this but I do so proudly. When it comes to evil doers on websites, especially WordPress, Michael Hampton is your go-to guy. I used the first test version of the Bad Behavior WordPress Plugin on my site many years ago, and continue to support and encourage it with my clients. Combined with Akismet, it creates a force to be reckoned with for protecting your site. According to Micheal’s tests, Bad Behavior is working to protect sites from this bot, stopping it at the gate before it can get through. He’s also working to contribute information on the source so the people behind this can be caught and hopefully prosecuted.
On April 12, Matt Mullenweg reassured everyone that updated WordPress sites were fine and protected from such attacks – protected as far as WordPress can go as usernames and passwords are the responsibility of the user. If the user has used a poor username choice such as “admin” and a password such as “password,” 123456789, or asdfghjkl (or another row of keys), their sites are vulnerable.
Right after Matt’s announcement, WordPress Support Forums moderator Mika Epstein posted a sticky post to the forums reporting on the brute-force attacks and login issues.
By April 11, the news was spreading, especially after reports of the attacks were announced on several web hosting sites and security services. Sucuri created “The WordPress Brute Force Attack Timeline” as they covered the story live, updating it as fast as they received updates and information.
In their early reports, Sucuri, a leading web security blog and service, reported on how to protect your WordPress site against these brute-force attacks. Their report is the most extensive and factual on this attack, and they have a long history of monitoring security issues with WordPress and other evil on the web.
Their initial report stated that the “the number of scans detected almost tripled from the old averages, increasing from around 30,000 scans per day to around 100,000 per day in April.” In their timeline, the corrected this, saying the numbers are larger than originally thought. By April 11, the number of scans increased 30x the average to one million, which they explain in charts called the WordPress Brute-Force 15 Day Distribution.
So yes, what started as a blip turned into a large-scale attack in a short 24 hour period. To undermine the scale of the attack would be a mistake, but to over speculate on intention is just as a grave a mistake. Fortunately, we do have more data on the IP ranges, usernames and passwords being used. For the most part it’s remained pretty consistent, that’s good to know as it makes some of the preventive techniques being discussed in various forums fairly effective.
The timeline of the brute-force attacks reveals the username distribution, the names used by the bot to force its way into site logins. The most popular usernames are admin, sysadmin, manager, adm, user, admin1, querty, rot, aaa, support, administrator, and test. The username “admin” was by far the most commonly tried, often successfully.
They also cited the passwords used, common passwords such as “password” and “123456” and variations thereof. Surprisingly (or not), the most common password was “admin,” revealing how little people often think before choosing a password.
Sucuri’s article also cited an October 2012 issue when WordPress.com disclosed that about 50,000 sites were compromised during a similar attack, mentioned by Matt in his recent blog, which caused WordPress.com to step up their login security methods.
Indeed, InformationWeek’s Security column reported on a group targeting US bank sites in December 2012 with a similar brute-force attack against all PHP/Web apps and platforms including Joomla and WordPress. The intent of these attacks on already attacked, vulnerable, and unmaintained sites were to gain a “foothold” on the server to install “attack toolkits” in order to deploy further attacks, reaching out in multiple directions, using what data and access they could find.
The group that began targeting U.S. bank websites in September launched their large-scale, distributed denial-of-service (DDoS) attacks via a number of PHP-based websites that they’d previously exploited.
That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads.
…The scale of those DDoS attacks disrupted the websites of leading Wall Street firms, including Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. That was despite the attackers previewing which sites would be attacked, as well as the date and time their attacks would commence.
HostGator, one of the most popular web hosting companies, described the attack as:
…an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.
Liquid Web and other web hosts pointed to a powerful script by Frameloss to block such attacks with a Modsecurity script created in 2011 to thwart similar attacks, proving that this type of attack isn’t new. Many web hosting services are just now paying more attention to such attacks.
As of April 15, 2013, the US-CERT (United States Computer Emergency Readiness Team) announced the targeting of WordPress by the “mass brute-force botnet attack, warning all hosting providers to take action to protect their customers’ sites. Like many US government agencies, the report is incomplete and intimidating by its lack of important information, however it does provide links to government resources for best practices and risks all web designers, developers, and administrators should know.
Discussion about the brute-force bot attacks were flowing freely around the web on social media and technology sites until the Boston Marathon attacks last week. Reddit had several discussions on the brute-force attack involving WordPress and Joomla. You can catch up with the discussions on “Major brute force attack against WordPress underway,” “Happening now – Brute force attack on WordPress and Joomla powered sites,” and “Mass WordPress Brute Force Attacks? – Myth or Reality,” among others. Note that some of these discussions are “blacked out” as part of the stand against the Cyper Intelligence Sharing and Protection Act bill in the US House of Representatives.
More information and news on the brute-force password attacks include:
- Mass WordPress Brute Force Attacks? – Myth or Reality | Sucuri Blog
- When Good Plugins Go Bad – SEO Spam on Joomla Websites | Sucuri Blog
- WordPress Plugin Social Media Widget Hiding Spam – Remove it now | Sucuri Blog
- WordPress, Joomla Sites Under Brute-Force Password Attack
- Check your security settings: Brute force attacks against WordPress and Joomla sites have tripled – The Next Web
- Hackers Using Brute-Force Attacks to Harvest WordPress Sites | Threatpost
- Mass WordPress Attacks Spread, Brute-Forcing Admin Passwords
- WordPress accounts are under botnet attack – Technology on NBCNews.com
- WordPress Sites Targeted by Mass Brute-force Botnet Attack : netsec
- WordPress attack highlights 30 million targets | ZDNet
- WordPress hit by massive botnet: Worse to come, experts warn | ZDNet
- Brute Force Attacks Build WordPress Botnet — Krebs on Security
- Brute Force Attack Targets WordPress Sites With Default Admin Username | Lifehacker Australia
- WordPress Under Attack: How To Avoid The Coming Botnet – Forbes
- Hackers Point Large Botnet At WordPress Sites To Steal Admin Passwords
- WordPress Says Reports Of Brute Force Attacks Are Exaggerated
- Global Brute Force Attack on All WordPress Blogs
- Massive Brute-force attack Targets WordPress sites worldwide | Hacker News | Security | Technology
- Brute force attack on WordPress and Joomla powered sites – Melbourne Server Hosting
Why? Why Attack Site Logins?
The first thing people blame in situations like this is WordPress. Just as banks and financial institutions, government sites, and others have been attacked in the past, WordPress is not exclusive to this brute-force attack. Any site with a weak access and login is vulnerable.
Why focus on WordPress?
While the actual numbers are hard to determine, Matt Mullenweg told the Wall Street Journal last year that 1 in 6 websites globally are on WordPress, and estimates are that in the United States, 1 in 4 are on WordPress, and many of these sites have not been updated, putting them at risk from more than just this attacking bot.
With so many individuals, businesses, and governments on WordPress, “WordPress is becoming more like Microsoft – a target,” a WordPress friend said, asking not to be identified. This doesn’t mean WordPress isn’t vulnerable. It means that WordPress isn’t always the only thing in the blame game, a game I find fascinating as people struggle to come to terms with things outside their control.
Liquid Web, a managed web hosting service, announced the brute-force login attacks to their customers on April 11 explaining why WordPress was a target, even though other publishing platforms were also being attacked:
WordPress is a popular publishing platform which is known for its robust features, numerous templates, and large support community. Unfortunately, due to such popularity, WordPress is also constantly subject to attempts at exploiting vulnerabilities.
Joomla and others are being attacked. With WordPress so popular and many web hosts now basing their business on hosting WordPress sites, it’s just easier, and good marketing, to call this a “WordPress brute-force attack.”
Web hosts around the globe are “rolling out patches” and taking steps to protect their servers and their customer sites, becoming the “good guys” in this scenario. Attacks like this have been around for a couple of years and solutions to prevent them have also been around and easy to implement.
Don’t be fooled. This is an attack on every PHP-based website.
With all of the focus on WordPress, I fear web hosts and the media is not getting the word out to Joomla, Drupal, and other publishing platform users that their sites may be vulnerable as well.
If your site is on Joomla or another publishing platform, ensure your web host has taken steps to protect it unless you can do so yourself. Change your username and password while you are at it, and tell a friend.
As Matt Mullenweg described so eloquently:
Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell “solutions” to the problem).
To be fair, the third-party programs, apps, applications, systems, and platforms that support WordPress are also vulnerable, often not making front page news. Earlier this month, an attack against tens of thousands of websites hosted on Apache server-based machines were attacked with reports of 20,000 websites infested by the “Darkleech” malware exploitation. PHP, JavaScript, and other supporting code are often targets of attacks. WordPress developers and friends work overtime to ensure that WordPress is as protected as possible from these back door access points, but they can only do so much when WordPress is bypassed and the attack is directly at the server or something that has nothing directly to do with WordPress.
Which begs the question: Do you trust your web host to protect your site?
The responsibilities of web hosting services has changed, and will change even more in the future as the onus is now on them to maintain, update, and protect their customers’ sites from such attacks. In the old days, web hosts left such updates and protect to the customer as the customer was usually the web designer and developer, supposedly someone with experience to know how to protect and secure a website. Now that the customer is a next door neighbor, someone not qualified to know the difference between .htaccess file and JavaScript. The responsibility for protecting your site and their servers must be the duty of a good web host. We hope.
Tony Perez and the Sucuri team dug deeper into the why with a good look at the reasons and consequences of these brute-force attacks, moving past the idea that this was exclusively targeted at WordPress sites. In the bank and financial institution attacks a few months ago, the hackers wanted to disrupt services, make a mess and find a way to slip in and possibly access account information. While common, everyday websites usually don’t carry personal and private information someone could use for gain, if the hack leads to access to servers, networks, and home and company computer systems, the door is open to more than just login information data collection.
Perez monitored many online discussions trying to identify the purpose of such attacks and finding few clues. “Because they can” is often heard, as well as thoughts that this is just a practice run for global and government take-downs and disruptions, global conspiracy and cyber-terrorism plans in the works. Perez tries to make sense of it all:
There are many things that can be done once access is gained, the creation and distribution of a large botnet is but one of them. In our experience these are the two things we know happens, in many cases, once an environment is compromised…
Once the attacker does gain access they have to figure out what to do. Do they wait? Do they inject a shell? Do they create new accounts? What kind of malicious payload do they add to the site? Do they want to sell access to the site? These are but a few thoughts running through their heads. Each one though will dictate a different approach and infection unfortunately.
…What this also tells us is that the creation of a large botnet for a similar DDoS attack, while plausible, is one of many various scenarios. The reality being that no-one really knows the objective, except for the attacker[s]. Is there an end-game? Isn’t there always? Will it be nefarious? Yeah, of course, but there are just too many possible scenarios at this point.
The one thing that is probably more realistic than anything else is the shear value that this data will have in the underground. Imagine a new updated wordlist, not only with the latest usernames and passwords, but the website link itself.
Can I get a cha’ching? But again, only speculation…
Whoever said information is money was right. While the information seems useless when examined in the micro, consider what all this information means in the big picture scale of things. While these attackers may just be people with too much time on their hands, doing evil because they’ve nothing better to do, the odds are that this is just the start of something bigger. Only time will tell.
In the meantime, start by making your site more secure by updating it and ensuring your password and username are more than the word “admin.”
Related Articles
- I Hate My Web Host
- WordPress Security Prevention, Reactions, and Scares
- Old WordPress Versions Under Attack
- Malware Found in WordPress Theme – Protect Yourself Now
- Is Your WordPress Blog at Risk from the Epsilon Email Theft?
- Security and Protection: Understand the Social in a Crime Network and How to Protect Yourself
- Defying Brute Force Attacks on WordPress Logins
- WordPress Stats and Numbers: Breaking Their Own Records
- What You Most Need to Know About WordPress
- Update WordPress Now: Reuters Hacked
- WordPress Anniversary: WordPress and Evil
- How to Keep WordPress Secure
- Placing Blame Where Blame Deserves to Be Placed | The Blog Herald
11 Comments
I was a bit taken aback when one of my web hosts contacted me to let me know WordPress was under attack. I follow many sites to help remain aware of new attacks, but apparently many end users don’t do this and are sometimes caught by surprise. The key, as you note, is to be proactive about your site security. Waiting for an attack and then responding to it is not a viable strategy for end users as the time between attack and realization that you are under attack can be hours, days, sometimes weeks. We need to be able to respond if someone breaches the walls, but having good walls and locks on the doors in the first place is just as vital.
I, too, have been dazed by the lack of simple protection, such as making a solid username and password combination. You are right that it is hard to keep track of all the security issues, deciding who and when to trust and picking our battles depending upon our lives – then screaming when things go wrong.
This is why I believe it is critically important that WordPress (and others) take a more active role in pushing out information to their users, be it through the WordPress Admin notifications, email alerts, or a single site that provides the useful information users need. So far, it is still hit and miss through official sources, mixing things up between dot com and org. We need to make it easier for users, hosts, and our publishing platforms to let us know when to really worry, and when to just play smart. Tough job.
I find the comment ‘don’t use “admin” as your user name’ both amusing and frustrating. I use the latest version of WordPress where, as you probably know, the admin name, as a user name, cannot be changed. Perhaps a change will be possible with 3.6, perhaps it will merely remain as an unusable recommendation.
One thing I miss from your list of recommendations is ‘change your password regularly’, a simple and effective method which can also assist against ‘accidental’ breakages.
Viktoria Michaelis.
You can not rename an account, but you can achieve the same result by creating a new account with the administrator role or adding the role to an existing account, and then deleting the default admin account.
To Change the Admin Name
Good point. The articles I referenced include instructions but here are the basics.
To change the admin name for older installations of WordPress, you can do so through the database or with a WordPress Plugin such as Admin username changer and Admin renamer extended if you are on the self-hosted or managed version of WordPress.
For WordPress.com and those wishing to do this an easier way, create a new user. You need a different email account as part of the registration, which can easily be done by adding a plus and word to most email accounts like yahoo and google such as myemail+wordpress@gmail.com. WordPress recognizes it as a distinct email address while Gmail ignores the plus and word. Set the username to whatever you want, set the user to be the administrator, and set up the account. Attribute all posts to this user, then delete the original Admin. You can then change the email back to the original. It is explained well in Change your WordPress admin Username by Digitalk Online.
As for reminders to change your password regularly, if the password is strong enough, and you are conservative and careful about exposing it, you may not have to change your password very often. If you are on public computers and shared networks, exposing your password to the evil masses, then put a date in your calendar to remind yourself on a regular basis. This is a personal decision and preference, not a necessity.
Thanks.
Many thanks, both. I had also read the linked post on changing the admin designation, but find it to be a very tedious means of handling a possible problem, especially for new users. The option of changing the name right at the time of installation would be far better and, of course, ensure more security.
Viktoria Michaelis.
I completely agree. This has always been a whine of mine. In a way it serves as protection since it cannot be changed by you or anyone through the Administration Panels. Being able to shift and change it at will is also a form of security, too. If it is changed to make it “easier” I hope the dev team will make the changing process have multiple verification steps to ensure protection of the admin username.
Thanks!
Where to begin… Obviously, WP is free, so we can’t whine and cry too hard – yet we (and I!) do, as there is so much to be desired for. And, also very obviously, we can hardly fathom what is needed to crunch out a new version that is better, sleeker and more secure – all the while not breaking (too many) plugins and themes when users update their install. In that sense they are truly becoming Windows (with its endless backward compatibility – and holes…).
The admin account being one of the main security-issues, it should be fairly simple to install WP with a different admin-name (anything but ‘admin’) – as defined in WP-config? If that is not possible, just install with ‘admin’, but strip it from all admin-functionality once the dashboard displays – only being able to create a new admin-user before posting or installing any theme or plugins – that takes over once the ‘admin’-account has been removed (and after logging in again).
I also wonder why it is impossible to hide the admin-account name. My admin-name is clearly visible in urls like these: http://www.example.com/author/admin-account/. It totally doesn’t make sense: in the user-settings I enter a different ‘nickname’, plus another name to ‘publicly display’, yet the url reveals the login/user-name! So basically, removing the ‘admin’-account hardly helps (other than thwarting automated scripts, hoping for ‘admin’ still being active). Just write a script to strip an author-url and use that for brute-forcing. Why? Because most ‘authors’ are also the admin/owner – they have only one account to log in for both posting and maintenance. A better way would be to create 2 accounts: one as admin, another for posting only. But it would require logging in and out repeatedly – very tedious and frustrating – not really feasible.
Anyway, one of my sites was hammered weeks before the final attack (then that weekend it all made sense): the wordfence.com -alerts kept coming in. It did block them, but it made me upgrade to the paid version – so I can now block countries (based on IP) – but obviously, that won’t work for all sites (our site gets 90% of its visits from 10 countries), though how many legit visits does one get from Ukraine? And, say the US being un-blocked, you still have hackers based there. So it is not 100%, but it works very well.
In the meantime, I taught my client to rename wp-login.php via FTP to something like ‘111-wp-login.php’ – that way the login-page gives an error, thwarting the attempts. Slightly inconvenient, but within 30 seconds one gets much better protection.
And, I just installed Stealth Login Page WordPress Plugin – works great as well!
Great article, good resources – so much more to read!
I agree with you, as stated in the article, that the username issue is a security risk. I’ve claimed this for many years with WordPress and hopefully this will be finally changed. As with most things that influence human direction, unfortunately it usually drive by crisis rather than common sense.
Blocking by country has long been thought to be a way of protecting your site from comment spam and attacks. It has never been proven to consistently work as there are ways around these with proxies, as you have found out I’m sure.
Interesting idea on changing the wp-login.php file name. All good suggestions.
As we learn to respond to each of these issues, so will the attackers, so it is a battle of staying more than one step ahead of them. Thanks.
True – never ending cycle. But just as in the real world, they go for the easy targets: my bigger lock makes them try my neighbors. In that sense we should be grateful for the ones that do not update, change admin or (re)use weak passwords – it keeps the hackers busy and away from the harder targets.
I’m with you!
5 Trackbacks/Pingbacks
[…] “The Brute-Force Password Attack on WordPress Sites” on Lorelle on WordPress I explain the recent brute-force password attacks are on WordPress […]
[…] Read more… […]
[…] maar gebruik ik mijn eigen naam, Arie Nouwen. Aanleiding is de recente stroom aan berichten – onder andere deze van Lorelle – over aanvallen door hackers op websites die op WordPress draaien. Eén van de preventieve […]
[…] The Brute-Force Password Attack on WordPress Sites […]
[…] Source […]