34SP.com Blog

A lesson in brute force attacks

WordPress is the most popular content management system on the web because of its user-friendly interface and accessible community. Sadly, this also makes WordPress a popular target for hack attempts. And whilst the WordPress core itself is very secure and well coded, all the excellent coding in the world will not protect you if you are using an insecure password.

We at 34SP.com have been using the popular WordPress plugin from Sucuri to gather some data on brute force attacks. The aim here is to educate and advise our users on the methods brute force attacks use to try and crack your admin passwords, to let you know how you can keep your site safe, and to explain what we at 34SP.com do to make sure your site is as secure as possible.

Brute force attacks are essentially the process of trying to guess a user’s password many times in a row. For example, you could go to any website, find its login page and guess at a username and password until you can log in. Typically hackers will use bots and automated scripts to guess usernames and passwords hundreds of times in minutes.

Imagine it as if you had your own club (website), and everyone was trying to get into your club. You tell them ‘You have to know the secret password to get in!’ They will then sit outside, shouting out passwords for hours and hours until they manage to get the correct one. This is essentially how brute force attacks work.


Our study on brute force attacks

To gather this data, we used the popular WordPress plugin Sucuri on a test website. Among the many security features this plugin offers, one is that you can set the plugin to keep a log of the usernames and passwords hackers have tried to use to get into your site.

Only enable this whilst you are testing out this feature.

In this example, the website had a username of ‘TestAccount’ and a very secure password generated using our password generator tool.

We then waited and watched the log fill up. From this we were able to see that the most popular usernames hackers tried to use were as follows:

  1. Admin (This used to be the default WordPress username)
  2. Administrator
  3. 111111
  4. TestAccount (The correct username)
  5. Account

I wouldn’t worry too much about the correct username coming up: it is easy to obtain a username from posts and website content, but we will cover how you can keep your username more secure further down in this post. So the smart bots have cracked our username, but at least we have a secure password! The bots could not crack our password; here are the five most popular passwords they used:

  1. password
  2. Password123
  3. letmein
  4. Dragon
  5. 123456

Interestingly, there was post content involving dragons on the blog we tested this on. It may have been a coincidence, but possibly the bots were crawling web content to make some ‘educated guesses’. Luckily our secure password had nothing to do with the actual page content! But based on this small selection of data from our tests, you can quickly see how bots will hack a WordPress site very quickly with the username ‘Admin’ and the password ‘123456’.

At 34SP.com we sadly do see some customers have their insecure passwords compromised, and often they ask ‘Why them?’ So just to reiterate: it’s nothing personal. The bot will have found a random website, looked for the login URL, which is standard on most WordPress setups, then used an online list to try and break its way into your site.
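As an added example (not code from this post or from the Sucuri plugin), the Python below does with a handful of constructed log lines what the study above did by hand: it tallies the most-tried usernames and passwords, and it flags any source address that racks up five or more failed logins inside a five-minute window, which is the rate-based check a hosting provider would run. The log format, addresses and timestamps are assumptions for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a failed-login log (format is an assumption).
SAMPLE_LOG = """\
2024-05-01 10:00:01 FAILED ip=203.0.113.7 user=Admin pass=password
2024-05-01 10:00:02 FAILED ip=203.0.113.7 user=Admin pass=123456
2024-05-01 10:00:03 FAILED ip=203.0.113.7 user=Administrator pass=letmein
2024-05-01 10:00:04 FAILED ip=203.0.113.7 user=TestAccount pass=Dragon
2024-05-01 10:00:05 FAILED ip=203.0.113.7 user=TestAccount pass=Password123
2024-05-01 10:01:00 FAILED ip=198.51.100.9 user=TestAccount pass=letmein
2024-05-01 10:30:00 FAILED ip=198.51.100.9 user=TestAccount pass=dragon2
2024-05-01 10:31:00 SUCCESS ip=192.0.2.5 user=TestAccount
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>FAILED|SUCCESS) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+)(?: pass=(?P<pw>\S+))?$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events

def top_guesses(events, field, n=5):
    """Most frequently tried values of 'user' or 'pw' among failed logins."""
    counter = Counter(e[field] for e in events if e["result"] == "FAILED" and e[field])
    return counter.most_common(n)

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logins inside any sliding `window`."""
    flagged = set()
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "FAILED":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            flagged.add(e["ip"])
    return flagged
```

With the sample above, the first address is flagged (five failures in four seconds) while the second, with two failures half an hour apart, is not.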


How you can protect yourself from brute force attacks


How do 34SP.com tackle these attacks?

To summarise, brute force attacks are common against any website on the internet. But they are easy to tackle as long as you are conscious about security. Chances are, even without any additional server security, as long as your password is very secure and you’re using two-factor authentication, you’ll never be a victim of a brute force attack. We at 34SP.com take care of the server security for you on our WordPress hosting; just make sure you back us up with a nice, secure password!

34SP.com offers managed WordPress hosting for up to three websites from only £14.95 per month. If you are interested in learning more, please visit this link for a full specification, or feel free to call our sales team, who can tell you more about it over the phone.