How To Protect Your WordPress From Brute-force Attacks
Last week a large distributed brute-force attack was launched against WordPress blogs. One of the first to notice the attack was Cloudflare. Not only did they detect the attack, they automatically protected your WordPress site if you had an account with them.
In this blog post we want to give you some details of the attack, what to do if you were compromised, and things you can do going forward to protect your site from future attacks.
The attack is simple. Because WordPress by default does not limit the number of login attempts a person can make, the attackers built a bot that identified WordPress sites and tried to brute-force the login form with common username/password combinations.
A total of 2927 common username/password combinations were tried. All of them are simple usernames and passwords. Here's a sample of the combinations used in the attack:
- Admin:passwd
- Admin:parol
- Admin:pass
- admin:admins
- admin:administrator
- admin:administrators
- admin:Admin
- jessica:JMR9760
- jessica:JMR9760
- jessica:JMR976
- admin:qwerty
Although the list is short (fewer than 3000 entries), it looks like it was highly effective. HostGator reported that up to 90,000 IPs were participating in the attack.
The reality is that passwords are simply not enough these days.
How to protect yourself
There are 3 simple things you can do to protect your WordPress site.
- Rate-limit the number of login attempts using this WordPress plugin.
- Avoid using common login names such as admin, Admin, root, Administrator.
- Don’t use common words for passwords. Make sure you choose a strong password.
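To show what the rate-limiting step actually involves, here is an added example of a small must-use plugin that locks a source IP out after repeated failed logins. It is not the plugin the post links to and not Authy's code; the policy values (5 failures per 15 minutes), the `lrl_` function names and the transient-key prefix are all assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Login Rate Limiter (added example)
 * Description: Locks a source IP out of wp-login.php after repeated failed logins.
 *
 * Save as wp-content/mu-plugins/login-rate-limiter.php. Must-use plugins load
 * automatically and cannot be deactivated from the dashboard, so a hijacked
 * admin account cannot simply switch the limiter off.
 */

// Assumed policy (not from the post): 5 failures within 15 minutes locks the
// address out for the remainder of that 15-minute window.
define('LRL_MAX_ATTEMPTS', 5);
define('LRL_WINDOW_SECONDS', 900);

// Source address of the request. REMOTE_ADDR is the only address the client
// cannot forge. If the site sits behind Cloudflare or another reverse proxy,
// restore the real client IP at the web-server layer rather than trusting
// X-Forwarded-For here, or an attacker can rotate fake addresses past the limit.
function lrl_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transients are WordPress's built-in expiring key/value store (options table
// or object cache), so no extra table is needed. Hash the IP to keep the key short.
function lrl_key($ip) {
    return 'lrl_fail_' . md5($ip);
}

// Every failed attempt (unknown user or wrong password) bumps the per-IP counter.
// wp_authenticate() fires wp_login_failed for wp-login.php and xmlrpc.php alike,
// so XML-RPC password guessing is counted too.
function lrl_record_failure($username) {
    $key      = lrl_key(lrl_client_ip());
    $attempts = (int) get_transient($key);
    // Re-setting the transient also restarts the expiry window.
    set_transient($key, $attempts + 1, LRL_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'lrl_record_failure');

// Once over the limit, refuse the login regardless of the credentials supplied.
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a correct guess made while locked out is still rejected; that rejection
// fires wp_login_failed again and extends the lockout.
function lrl_block_if_locked($user, $username, $password) {
    $attempts = (int) get_transient(lrl_key(lrl_client_ip()));
    if ($attempts >= LRL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}
add_filter('authenticate', 'lrl_block_if_locked', 30, 3);

// A genuine successful login clears the counter for that address.
function lrl_clear_on_success($user_login, $user) {
    delete_transient(lrl_key(lrl_client_ip()));
}
add_action('wp_login', 'lrl_clear_on_success', 10, 2);
```

Note the limit is per source address. That slows a single bot down sharply, but against the 90,000-address botnet described above it does much less: each address can make a handful of guesses and stay under the threshold. Counting failures per username instead closes that gap but lets an attacker lock real users out at will, which is the trade-off every login-limiting plugin has to make, and it is why the second set of steps below (Cloudflare in front of the site, two-factor authentication) matters more than the first.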
These are simple steps you can take to make your WordPress site a little safer. However, if you have a larger WordPress site with multiple users, it's hard to make sure everyone is following these practices. If you are serious about security you shouldn't be relying on usernames and passwords only.
- Sign-up for a free Cloudflare account. They will not only protect you from these types of attacks but from many others.
- Enable Two-Factor Authentication on your WordPress blog. Have a look at Authy for WordPress. Don’t be intimidated if you are not tech savvy, we designed the Authy for WordPress plugin to be used by anyone. Just follow the installation video and you’ll be fine.
What if you are already compromised?
There are a few steps you should take:
- Log in as an administrator and remove all users from your WordPress site that you don't recognize.
- Change all of your passwords (for all users).
- Reinstall your WordPress site from scratch. An attacker who gets an administrator login can install plugins or edit theme files, so only a clean copy of WordPress, its themes and its plugins guarantees no backdoor is left behind.
- Change your database password. Look at wp-config.php: make sure you change the database password and any other secrets (such as the authentication keys and salts) inside that file.
As attackers and attacks evolve, keeping your WordPress site secure becomes harder and harder. We know that remembering complicated passwords is hard and that enforcing them on others is even harder. But there's no reason these days that you should be relying on a username and password only. If you enable Two-Factor Authentication and keep your WordPress site up to date, you're already 99% ahead of the attackers.