Being the largest CMS on the World Wide Web has its drawbacks. With 19% of the internet running on WordPress, WordPress is a popular target for hackers. In the past months there has been a huge number of brute force attacks on WordPress sites, all of them aimed at gaining access to the dashboard.
Once logged into the dashboard, a hacker can do virtually anything they want, such as installing a hidden backdoor on the web server that can later be used to access the server. Security experts presume the current brute force attacks are not meant to harm individual WordPress sites but rather to build a new, powerful botnet of web servers that can later be used to launch DDoS attacks on large targets like banks and government websites.
How do the hackers operate?
In order to get access to a WordPress site, they use bots (computer programs running on a botnet of previously infected PCs) to hammer the login with commonly used weak passwords like 1234456, aaaaa, etc. They work through a list of these passwords using a few commonly used user names. At the beginning of the attack waves, back in March 2013, “admin” was the only user name that was targeted. Since then, I have noted a couple of other names the bots are probing. Here’s the list so far:
- admin
- administrator
- adm
- adminadmin
- {domain}
- editor
- login
- domain name*
* The domain name of the targeted website, without the extension: if the domain name is example.com, the probed user name is example. I have seen this being attempted on all the WordPress sites I manage, which are some 50 sites.
Choose a strong user name…
The first thing you must do to protect the login of your WordPress site is to avoid using these user names for any user, especially those with administrator capabilities. Since the hackers have extended the list of probed user names from only ‘admin’ in March to at least the above-mentioned 7 variants in August, we can expect the list to be gradually extended with other obvious names.
In order to keep ahead of the hackers, choose a user name for the administrator account that is unlikely to end up on this hackers’ list. You can choose a strong user name just as you would choose a strong password: combine uppercase, lowercase, numbers and special characters like !@#%&*+= etc. So a user name like B3nj@mIn! would be very strong.
…and of course a strong password
The same goes for the password. Make it at least 8 characters long and combine uppercase, lowercase, numbers and special characters. I know, lots of people are lazy and want a password that is easy to remember, preferably the same password on all the websites where they log in, which could be over 100. There’s only one thing I can say about such a practice: don’t! Buy an address book with alphabetic tabs and store all your sites, user names and passwords there by hand. The chance that your booklet is stolen from your house is a fraction of the chance that your passwords are stolen digitally.
With a strong user name and a strong password, your WordPress website is practically invulnerable to this type of attack.
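As an added example (not code from the original post), the following Python audit applies the advice of the sections above: it builds the probed user-name list, including the name derived from the site’s domain, and checks each account against the rule of avoiding those names and using a password of at least 8 characters that mixes uppercase, lowercase, digits and special characters. Dropping a leading “www.” from the host name, the function names, and the sample accounts are assumptions of this example.

```python
"""Audit WordPress account credentials against the advice above.

Added example, not code from the original post. The probed user names are the
ones listed in the post; the domain-derived name follows the post's rule
(domain name without the extension). The strength rules are the post's as
well: avoid the probed names, and use at least 8 characters mixing uppercase,
lowercase, digits and special characters.
"""
import re

# User names the post reports the bots probing. The literal "{domain}" entry
# is kept verbatim, as it appears in the post's list.
PROBED_USERNAMES = {
    "admin", "administrator", "adm", "adminadmin", "{domain}", "editor", "login",
}

# Character classes a strong user name or password should mix.
CHAR_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

MIN_PASSWORD_LENGTH = 8


def domain_username(hostname: str) -> str:
    """User name the bots derive from the site's host name: the domain name
    without its extension, so 'example.com' -> 'example'. Dropping a leading
    'www.' is an assumption of this example, not a rule stated in the post."""
    labels = hostname.strip().lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[0] if labels else ""


def probed_usernames_for(hostname: str) -> set:
    """The full set of user names to avoid on a given site."""
    return PROBED_USERNAMES | {domain_username(hostname)}


def missing_classes(secret: str) -> list:
    """Names of the character classes that 'secret' does not contain."""
    return [name for name, rx in CHAR_CLASSES.items() if not rx.search(secret)]


def audit_account(hostname: str, username: str, password: str) -> list:
    """Return a list of findings; an empty list means the account follows the advice."""
    findings = []
    if username.lower() in probed_usernames_for(hostname):
        findings.append(f"user name '{username}' is on the probed list")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    for name in missing_classes(password):
        findings.append(f"password has no {name} character")
    return findings


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    samples = [
        ("example.com", "example", "1234456"),
        ("www.example.com", "admin", "Str0ng!Pass"),
        ("example.com", "s1te-0wn3r", "Tr0ub4dor&3"),
    ]
    for host, user, pw in samples:
        print(host, user, audit_account(host, user, pw) or ["ok"])
```

Run it against the exported user list of a site (host name plus each account’s user name; passwords can only be checked at the moment they are set) and fix every account that produces findings, starting with those that have administrator capabilities.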
Wordfence Security
The next thing I advise is to install the plugin Wordfence Security, which is available from the WordPress plugin repository. This plugin runs a daily scan in which your WordPress files are compared to the original files. You can easily configure the plugin to limit login attempts and to automatically lock out IP addresses that try to log in with an invalid user name. This slows the attacks down a bit. However, the typical attacks I have seen in the past months will hammer a WordPress login for about an hour with a frequency of 1 to 3 attempts per second, then stop for days, probably until the website is scheduled for a new turn.
Wordfence Security has some very handy features. You can monitor the live traffic on your website in real time, including the malicious login attempts as they happen. Moreover, you can configure Wordfence to send notifications by email if a user has been locked out for exceeding the number of login attempts with invalid user names. And you can tell Wordfence to send you a notification by email when one of your plugins or WordPress itself needs an update. This makes it easier to manage your WordPress website and keep it up to date.
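The lockout behaviour described above can also be checked after the fact from the web server’s access log. The following Python script is an added example and not Wordfence’s code: it reads combined-format log lines, keeps the POST requests to /wp-login.php (each one is a login attempt) and flags source IPs whose attempt rate matches the pattern described above, a sustained 1 to 3 attempts per second. The window and threshold values, the function names and the log lines are assumptions constructed for this example.

```python
"""Spot brute-force bursts against wp-login.php in a web server access log.

Added example, not Wordfence's code. It reads combined-format access log
lines, keeps the POST requests to /wp-login.php (each one is a login attempt)
and flags source IPs whose attempt rate matches the pattern described in the
post: a sustained 1-3 attempts per second. The window and threshold below are
assumptions of this example, not Wordfence settings, and the log lines are
constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format: ip ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_attempts(lines):
    """Yield (ip, timestamp) for every POST to /wp-login.php; other lines are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FORMAT)


def find_bursts(lines, max_attempts=10, window_seconds=10):
    """Return {ip: time of the first attempt over the limit}.

    An IP is flagged as soon as more than max_attempts login POSTs fall inside
    any window_seconds span, which is the point at which a lockout would fire."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in parse_login_attempts(lines):
        window = recent[ip]
        window.append(ts)
        # Drop attempts that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _log_line(ip, ts, method, path, status):
    """Build one constructed combined-format line."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" {status} 1234'


def constructed_log():
    """Constructed sample: one bot hammering the login at 2 attempts per second,
    one legitimate user who mistypes a password once, plus unrelated traffic.
    The 302 stands for the redirect WordPress sends after a successful login."""
    base = datetime(2013, 8, 14, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(16):  # 16 attempts in 8 seconds from the bot
        lines.append(_log_line("203.0.113.7", base + timedelta(seconds=i // 2), "POST", "/wp-login.php", 200))
    lines.append(_log_line("198.51.100.2", base + timedelta(seconds=29), "GET", "/wp-login.php", 200))
    lines.append(_log_line("198.51.100.2", base + timedelta(seconds=30), "POST", "/wp-login.php", 200))
    lines.append(_log_line("198.51.100.2", base + timedelta(seconds=95), "POST", "/wp-login.php", 302))
    lines.append(_log_line("198.51.100.2", base + timedelta(seconds=100), "GET", "/wp-admin/", 200))
    return lines


if __name__ == "__main__":
    for ip, when in find_bursts(constructed_log()).items():
        print(f"{ip} exceeded the login-attempt limit at {when.isoformat()}")
```

Feed it a real log with `find_bursts(open("access.log"))` to see which addresses a rate limit like the one described above would have locked out, and when. A 302 response to a POST on /wp-login.php from a flagged address, rather than the 200 of a failed attempt, is the line to look for when checking whether a burst actually succeeded.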
A Dutch article on this subject is available on http://wpwebbouw.nl/wordpress-webbouw/massieve-aanval-op-wordpress-sites-en-wat-je-ertegen-kunt-doen/