WordPress Brute-Forced!


In the last couple of days, I received many invalid login alerts from one of my clients’ WordPress sites.  Someone was trying, desperately, to log into my client’s WordPress dashboard using invalid usernames and/or passwords.  The “desperation” (i.e. large number of login attempts within a very short period of time) and the fact that all the attempts were using the same incorrect username made these activities suspicious to me; they told me that there was some kind of robot (botnet) action going on.  Fortunately these attempts were all blocked by Wordfence.  That, and the username being used doesn’t even exist in my client’s WordPress database.

Then came tonight, when I tried to log into another client’s WordPress dashboard, and found myself being blocked!  The website itself ran fine, and I had no problem accessing it.  So I checked all the necessary files, and they all looked good as well.  What was going on????

WordPress Under Attack

As it turns out, the web host has blocked all access to wp-login.php because WordPress is under a serious wave of brute force attacks.  That is, criminals are using the collective power of malware-infected servers to try to break into WordPress sites.  Brute force attacks consume a lot of server resources, so to keep its servers from running out of memory, timing out and crashing, the web host blocks the brute force attempts by shutting out all access to wp-login.php.
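Here is one way to spot this pattern in your own access log. It is an added example, not part of the original post or of any plugin mentioned here. It assumes the Apache/nginx "combined" log format; the thresholds, the sample_line helper and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Combined" access log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_posts(lines):
    """Yield (timestamp, ip) for every POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a plain page load (GET)
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def find_bursts(lines, per_ip=5, site_wide=8, window=timedelta(seconds=60)):
    """Return (noisy_ips, distributed). noisy_ips: IPs with >= per_ip login
    POSTs inside one window. distributed: True if >= site_wide login POSTs
    from any mix of IPs fit in one window. Thresholds are assumptions."""
    recent_by_ip = defaultdict(deque)
    recent_all = deque()
    noisy, distributed = set(), False
    for ts, ip in sorted(login_posts(lines)):
        for q in (recent_by_ip[ip], recent_all):
            q.append(ts)
            while ts - q[0] > window:  # drop attempts older than the window
                q.popleft()
        if len(recent_by_ip[ip]) >= per_ip:
            noisy.add(ip)
        if len(recent_all) >= site_wide:
            distributed = True
    return noisy, distributed

# Constructed sample data (documentation IP ranges, made-up timestamps).
def sample_line(ip, second, method="POST", status=200):
    return (f'{ip} - - [01/Jan/2024:21:14:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "-"')

SAMPLE_LOG = (
    [sample_line("203.0.113.7", s) for s in range(0, 12, 2)]   # 6 POSTs in 10 s
    + [sample_line("198.51.100.20", 30, "GET"), sample_line("198.51.100.20", 40, status=302)]
)

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

The site-wide counter matters for the botnet case: each infected server may send only a handful of attempts, so a per-IP limit alone stays quiet while the login page is still being hammered.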

Why Target WordPress?

Because it is an easy target.  One of WordPress’ main selling points is its easy setup, the Famous 5-minute Installation.  The onscreen instructions walk you through the whole process and set you up with a default “admin” user with full administrative rights to your site so you can get your site going right away.

Unfortunately this easy setup also makes for easy hacking.  Everyone knows any WordPress site, at least at some point, has a user with full administrative rights called “admin”.  And in most WordPress sites, this “admin” user still exists.  Having the “admin” user in your WordPress database certainly makes a hacker’s job easier – he already knows half of the information he needs to break into your site.  Now he only has to guess the password of this “admin” user.

How to Protect Your WordPress Site from Brute Force Attacks

First things first: Get rid of the “admin” user!  After you get your new WordPress site installed, before you start messing with themes, plugins and all that stuff, create a new user with a unique, hard-to-guess username with full admin rights.  This will be your new login.  Now log out of “admin”, log in again using your new username, and delete “admin” from your WordPress site.

And don’t use any crappy password like “password” or “1234” or any of these for your new username (or ever!)…  Seriously, if you still don’t know how to create strong passwords (or are too lazy to) in this day and age, maybe you shouldn’t be using a computer, let alone being online and managing any website.  Bad memory is no excuse to not use strong passwords; use any of these password managers to help you keep your credentials safe.

If you want to be extra secure, here’s a little trick to help hide your username from snooping fingers and prying eyes.

For even more security, you can hide your WordPress Dashboard URL using this plugin.

If you’re feeling extra paranoid, you can add the following code snippet into your site’s .htaccess file to block anyone but you from accessing your WordPress Dashboard.

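# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat,
# or use "Require ip XXX.XXX.XXX.XXX" inside the block instead.
<Files ~ "^wp-login\.php$">
Order deny,allow
Deny from all
Allow from XXX.XXX.XXX.XXX
</Files>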

Replace XXX.XXX.XXX.XXX with your IP address, which you can find out by simply Googling “what’s my IP”.

I’m Using Joomla… Am I Safe?

Joomla is open source like WordPress, so the entire code structure of the content management platform can be downloaded, picked apart to look for any vulnerability and then exploited, by anyone. And just like WordPress, there are certain “standards” or defaults in Joomla that can be exploited too. WordPress is now the target because it’s very popular, arguably more so than Joomla, which gives the criminals a bigger pool of victims to pick from. But it will only be a matter of time before the criminals move on to Joomla or other popular open source platforms. It is not a matter of if, it is a matter of when.

See Also:

Huge attack on WordPress sites could spawn never-before-seen super botnet

Industry-wide WordPress Brute Force Attack

Global WordPress Brute Force Flood

update on wordpress brute-force attack