A lesson in brute force attacks

WordPress is the most popular content management system on the web because of it’s user-friendly interface and accessible community. Sadly this also makes WordPress a popular target for hack attempts. And whilst the WordPress core itself is very secure and well coded, all the excellent coding in the world will not protect you if you are using an insecure password.

We at 34SP.com have been using the popular WordPress plugin from Sucuri to assess some data on brute force attacks, the aim here is to educate and advise our users on the methods brute force attacks use to try and crack your admin passwords, and also to let you know how you can keep your site safe and what we at 34SP.com do to make sure your site is as secure as possible.

Brute force attacks are basically the process of trying to guess a user’s password many times in a row. For example, you could go to any website, find their login page and guess at a username and password until you can login. Typically hackers will use bots and automated scripts to guess usernames and passwords hundreds of times in minutes.

Imagine it as if you had your own club (website). And everyone was trying to get in to your club. You tell them ‘You have to know the secret password to get in!’ Then they will then sit outside, shouting out passwords for hours and hours until they manage to get the correct one. This is essentially how brute force attacks work.

 

Our study on brute force attacks

To show you how we can do this, we used the popular WordPress plugin Sucuri to obtain some data from a test website. Among the many security features this plugin offers, one of them is that you can set the plugin to keep a log of the usernames and passwords hackers have tried to use to get into your site.

Only enable this whilst you are testing out this feature.

In this example, the website had a username of ‘TestAccount’, and a very secure password using our password generator tool.

We then waited and watched the log fill up. From this we were able to see that the most popular usernames hackers tried to use were as follows:

1. Admin (This used to be the default WordPress username)
2. Administrator
3. 111111
4. TestAccount (The correct username)
5. Account

I wouldn’t worry too much about the correct username coming up – it is easy to obtain a username from posts and website content, but we will cover how you can keep your username more secure further down in this post. So the smart bots have cracked our username, but at least we have a secure password! The bots could not crack our password, here are the five most popular passwords they used:

1. password
2. Password123
3. letmein
4. Dragon
5. 123456

Interestingly, there was post content involving dragons on the blog we tested this on. It may have been a co-incidence, but possibly the bots were crawling web content to make some ‘educated guesses’. Luckily our secure password was nothing to do with the actual page content! But based on this small selection of data from our tests you can quickly see how bots will hack a WordPress site very quickly with the username ‘Admin’ and the password ‘123456’.

At 34SP.com we sadly do see some customers have their insecure passwords compromised, and often they ask ‘Why them?’ So just to re-iterate – it’s nothing personal. The bot will have found a random website, looked for the login URL which is standard on most WordPress setups, then used an online list to try and break its way in to your site.

 

How you can protect yourself from brute force attacks

• Enabling two factor authentication. This basically generates a one time code whenever you login, usually to an app or phone text message, but also sometimes via email which you will also need to input when you login. ‘Google Authenticator’ is an example of a plugin which will do this for you.
• Creating a long and secure password made up of multiple words, and if you if trouble remembering longer passwords use a password manager to keep track of the different passwords you may be using.
• Use plugins – WordPress has plenty of security plugins for brute force attacks. Notably ‘Limit Login Attempts’ will block an IP address after five incorrect login attempts. This limits the amount of tries the attacker will get at your password.
  • Alternatively if you have root access you can set up a security module such as Fail2Ban or mod_security to take care of the security for you.
• Not using a common name such as ‘admin’ on WordPress – create something unique. It can be anything from your own name to something completely random. WordPress also allows you to set a username and a ‘display’ name – so your username does not need to be publicly visible on the front end of your website.

 

How do 34SP.com tackle these attacks?

• We will not leave you on your own to deal with these attackers. Our managed WordPress Hosting platform comes out of the box with Fail2Ban – a security module which looks for IP addresses attacking your site. This will actively monitor unusual activity and block IP addresses accordingly. Fail2Ban is protecting you against more than just brute force attackers too – it is configured to tackle a range of common popular WordPress attack methods.
• For added security, you may never need to know your own password on our managed WordPress Hosting – you can simply login via your 34SP.com control panel.
• Backups – Your WordPress hosting also comes with daily backups. As we said earlier; all the security in the world will not protect your site if it has a really insecure password. So in the unlikely event you do find your site is compromised, we offer backups to get you back up and running as quickly as we can. If you take your own backups (which we also recommend) our support team is happy to use your backups to perform a restore as well.

To summarise, brute force attacks are common with any website on the internet. But they are easy to tackle as long as you are conscious about security. Chances are, even without any additional server security, as long as your password is very secure, and you’re used two factor authentication – you’ll never be a victim to a brute force attack. We at 34SP.com take care of the server security for you on our WordPress hosting, just make sure you back us up with a nice, secure password!

34SP.com offers managed WordPress hosting for up to three websites from only £14.95 per month – if you are interested in learning more please visit this link for a full specification, or feel free to call our sales team who can tell you more about it over the phone.