Back in October, WordPress websites were attacked across the world. The attack was designed to gain access to the admin section of the popular CMS and take control of the website, either for defacement, where the site is made to display a different message, or for more nefarious purposes, where attackers inject malicious code that causes malware problems for end users.
Brute force attacks make hundreds of password attempts to gain access to a website. This is made easier than it should be by people not using secure passwords, choosing something like password, 123456 or hunter2.
Examining the logs showed many IP addresses trying to gain access to the backend of websites within a matter of seconds. Only a small number of these were listed by blacklist providers, which unfortunately suggests the involvement of a botnet that had not already been identified. This botnet could be large or small; it is hard to tell.
These attacks were logged in a central database by WordPress security developers, allowing a master list to be created detailing all of the attacks, wherever they came from. This allowed firewalls to detect and block the IP addresses quickly, in a manoeuvre known as swarm intelligence.
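The kind of burst described above can be spotted from an ordinary web server access log before any central list exists. The following is an added example, not code from the original post or from any WordPress security project: it parses constructed Apache combined-format log lines, counts POST requests to wp-login.php per source IP inside a sliding ten-second window, flags any IP that reaches five attempts, and then separates the flagged IPs into those present in a blacklist and those not, mirroring the observation that only a few of the attacking addresses were already known. The sample log lines, the threshold, the window length and the blacklist set are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format. A POST to wp-login.php that returns 200 is normally the
# login form re-rendered with an error (a failed attempt); a 302 is the redirect after success.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). 203.0.113.5 and 198.51.100.7 hammer the login
# page within seconds; 203.0.113.9 posts slowly; 192.0.2.20 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [14/Oct/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.20 - - [14/Oct/2013:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2013:10:00:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.20 - - [14/Oct/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2013:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.20 - - [14/Oct/2013:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

# Constructed blacklist standing in for a feed from a blacklist provider.
KNOWN_BAD = {"198.51.100.7"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_bursts(lines, threshold=5, window_seconds=10):
    """Return {ip: peak_attempts} for every IP that POSTs to /wp-login.php at least
    `threshold` times within any `window_seconds` span. Lines are assumed to be in
    chronological order per IP, as access logs normally are."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def split_by_blacklist(flagged, known_bad):
    """Separate flagged IPs into those a blacklist already knows and those it does not."""
    known = {ip for ip in flagged if ip in known_bad}
    return known, set(flagged) - known


if __name__ == "__main__":
    bursts = find_bursts(SAMPLE_LOG.splitlines())
    known, unknown = split_by_blacklist(bursts, KNOWN_BAD)
    print("burst sources:", bursts)
    print("already blacklisted:", known)
    print("not yet blacklisted:", unknown)
```

The unknown set is the interesting output for a defender: those are the addresses a local firewall rule or a shared list would need to pick up, which is exactly the gap the central database described in the text was meant to close. On a real log, status codes let you distinguish repeated failures (200) from a successful login after a burst (302), which deserves a much closer look.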
To protect your website against brute force attacks, you should consider the following:
- Use a strong password and change it regularly, for example every 90 days. Don’t use the same password for everything.
- Limit access to wp-login.php to just those who need it.
- Install security plugins.
- Limit the number of password attempts allowed, using a plugin.
- Use a stronger installation than just the standard one. The WordPress Hardening Codex offers advice.
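Two of the items above, rejecting weak passwords and limiting password attempts, can be shown in code. The following is an added example, not code from the post, from WordPress or from any particular plugin: a denylist check for common passwords and a lockout counter that tracks failed logins per source IP and per username over a sliding window, locking the key out once it reaches the limit. The denylist contents, the limits (5 failures in 15 minutes, 30-minute lockout) and the `FakeClock` used to drive the demo are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed short denylist of commonly guessed passwords. A real deployment would use a
# much larger list built from published breach corpora.
COMMON_PASSWORDS = {"password", "123456", "hunter2", "qwerty", "letmein", "admin"}


def password_is_acceptable(password, min_length=12):
    """Reject passwords that are too short or appear on the denylist (case-insensitive)."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


class LoginLimiter:
    """Count failed logins per source IP and per username inside a sliding window and lock
    the key out once the count reaches max_failures. The clock is injected so the behaviour
    can be exercised without sleeping."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=1800, clock=time.time):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout expires

    @staticmethod
    def _keys(ip, username):
        return (f"ip:{ip}", f"user:{username.lower()}")

    def is_locked(self, ip, username):
        """True if either the source IP or the username is currently locked out."""
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for k in self._keys(ip, username):
            q = self.failures[k]
            q.append(now)
            while q and now - q[0] > self.window_seconds:   # expire old failures
                q.popleft()
            if len(q) >= self.max_failures:
                self.locked_until[k] = now + self.lockout_seconds
                q.clear()

    def record_success(self, ip, username):
        # Only the username counter is reset: a success from a shared NAT address should not
        # forgive the other attempts coming from that address.
        self.failures.pop(f"user:{username.lower()}", None)


class FakeClock:
    """Controllable clock for the demo (assumption, not part of any real deployment)."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Drive the limiter through a lockout and return the observed states in order."""
    clock = FakeClock()
    limiter = LoginLimiter(max_failures=5, window_seconds=900, lockout_seconds=1800, clock=clock)
    for _ in range(4):
        limiter.record_failure("203.0.113.5", "admin")
        clock.advance(1)
    before = limiter.is_locked("203.0.113.5", "admin")           # four failures: still open
    limiter.record_failure("203.0.113.5", "admin")
    after = limiter.is_locked("203.0.113.5", "admin")            # fifth failure: locked
    same_user_other_ip = limiter.is_locked("192.0.2.20", "admin")   # username key is locked
    same_ip_other_user = limiter.is_locked("203.0.113.5", "editor") # IP key is locked
    clock.advance(1801)
    expired = limiter.is_locked("203.0.113.5", "admin")          # lockout has lapsed
    return before, after, same_user_other_ip, same_ip_other_user, expired


if __name__ == "__main__":
    print("hunter2 acceptable:", password_is_acceptable("hunter2"))
    print("lockout sequence:", demo())
```

One caveat worth weighing before copying this policy: locking by username means anyone who knows an account name can lock its owner out by sending wrong passwords, so many deployments lock only by IP, use escalating delays instead of hard lockouts for the username key, or exempt a trusted address range.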