Brute Force Attacks: Preparing for Battle on WordPress

If you have a WordPress website, you’ve probably heard the news. A botnet (a network of compromised internet-connected computers that an attacker controls remotely and uses to send traffic on his behalf) is battering WordPress sites with brute force attacks. According to WordPress, the issue is being exaggerated by security vendors who want to promote their services. Nevertheless, various hosting providers and security companies have raised the alarm about the attacks over the last few days. It’s believed that a botnet of over 90,000 bots is being used to guess administrator passwords for WordPress websites. WordPress is a prime target largely because of its popularity: compromised sites are often used to serve up malicious content, and visiting an infected site puts your own machine at risk of being roped into the botnet.

What are Brute Force Attacks?

A brute force attack is a password attack that guesses rather than exploits a flaw: the attacker submits one candidate after another until one is accepted. In its simplest form (often called a dictionary attack) the attacker cycles through a list of common passwords. A true brute force attack tries every possible combination of characters until it finds the correct password, or the key that decrypts a piece of ciphertext. Because of the number of possible combinations of letters, numbers and symbols, an exhaustive brute force attack can take months (or even years) to complete. The WordPress botnet is an online attack: every guess is a login request to your site, so the attacker’s speed is limited by how fast your server answers, not by his own hardware.

Defending Against Brute Force Attacks

  • Use stronger encryption: Because an exhaustive search grows with the key size, a longer key (128-bit or 256-bit rather than 64-bit) makes a brute force attack on encrypted data take correspondingly longer. Note that this helps only against offline attacks on encrypted data or a stolen password database; it does nothing against the attack described above, which guesses passwords through the live login form.
  • Create a complex password: Use a long password that combines letters, numbers and symbols and does not appear in any word list. Length matters more than any single symbol, because every extra character multiplies the number of combinations the attacker has to try.
  • Lock out accounts: The most common way to stop brute force attacks is to lock an account (or the source IP address) after a set number of failed password attempts. Lockouts can last a predetermined duration, or the account can remain locked until an administrator resets it. Be aware of the trade-off: a lockout tied to the account lets an attacker lock the real administrator out on purpose, and a lockout tied to the IP address is easy for a botnet of 90,000 machines to spread around. Temporary per-IP lockouts with a short window are usually the safer default.
  • Inject pauses when checking a password: Adding a pause to the login handler (even a second or two, growing with each consecutive failure) greatly increases the time a brute force attack needs to complete. It will not bother most legitimate users, who rarely get their password wrong more than once or twice.
  • Use a CAPTCHA: A CAPTCHA is a challenge designed to tell a human from a program. Putting one on the login form stops simple bots, at the cost of some inconvenience for real users.
  • Change or split the login URL: Moving wp-login.php to a non-default address, or assigning different login URLs to different groups of users, means automated tools that hit the standard URL never reach the login form. This is obscurity rather than protection: anyone who discovers the new URL can attack it, so combine it with the measures above.
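The lockout and pause advice above, modelled as a standalone login throttle. This is an added example, not code from the original article or from any of the plugins it lists: the thresholds (five failures, a 15-minute lockout, a pause that doubles with each failure up to 30 seconds) are illustrative choices, the IP addresses and credential store are constructed, and the clock is injectable so the policy can be exercised offline. In WordPress the same bookkeeping would hang off the wp_login_failed action and the authenticate filter; that wiring is not shown here.

```python
"""Login throttle with progressive pauses and temporary lockouts.

Added example: not code from the original article or from any of the plugins it
lists. It models the lockout and pause advice as a standalone class with an
injectable clock so the policy can be exercised offline. The thresholds below
are illustrative choices, not WordPress defaults.
"""
import time
from collections import defaultdict

MAX_FAILURES = 5        # failures from one IP before that IP is locked out (assumed policy)
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed policy)
WINDOW_SECONDS = 3600   # failures older than this no longer count
MAX_DELAY = 30.0        # cap on the progressive pause, in seconds


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(list)   # ("ip", addr) / ("user", name) -> failure timestamps
        self.locked_until = {}              # addr -> time the lockout ends

    def _recent(self, key, now):
        """Drop failures outside the window and return the ones that still count."""
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return self.failures[key]

    def _delay(self, key, now):
        """Progressive pause: 0s after no failures, then 1s, 2s, 4s, 8s ... capped at MAX_DELAY."""
        n = len(self._recent(key, now))
        return 0.0 if n == 0 else min(2.0 ** (n - 1), MAX_DELAY)

    def check(self, ip, username):
        """Called before the password is verified. Returns (allowed, seconds_to_pause)."""
        now = self.clock()
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return False, until - now
        # The pause is the larger of the per-IP and per-account schedules: a botnet that
        # spreads guesses for one account across many addresses still pays the per-account pause.
        return True, max(self._delay(("ip", ip), now), self._delay(("user", username), now))

    def record_failure(self, ip, username):
        now = self.clock()
        self.failures[("ip", ip)].append(now)
        self.failures[("user", username)].append(now)
        # Lock out by source address only. Locking the *account* would let an attacker
        # lock the real administrator out on purpose.
        if len(self._recent(("ip", ip), now)) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS

    def record_success(self, ip, username):
        self.failures.pop(("ip", ip), None)
        self.failures.pop(("user", username), None)
        self.locked_until.pop(ip, None)


def attempt_login(throttle, ip, username, password, verify, sleep=time.sleep):
    """One login request. `verify` is the site's own password check."""
    allowed, delay = throttle.check(ip, username)
    if not allowed:
        return "locked"
    if delay:
        sleep(delay)   # pause before the check, so every wrong guess costs the attacker time
    if verify(username, password):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username)
    return "failed"


def simulate():
    """Drive the throttle with a fake clock: six guesses from one bot, then the real user."""
    clock = [1000.0]
    pauses = []                                         # seconds the handler would have slept
    users = {"admin": "correct horse battery staple"}   # constructed credential store
    verify = lambda user, pw: users.get(user) == pw
    throttle = LoginThrottle(clock=lambda: clock[0])

    bot_results = []
    for guess in ["admin", "password", "123456", "letmein", "qwerty", "admin123"]:
        bot_results.append(attempt_login(throttle, "198.51.100.7", "admin", guess,
                                         verify, sleep=pauses.append))
        clock[0] += 1.0
    # The legitimate administrator logs in from another address: delayed by the
    # per-account schedule (16s after five failures) but never locked out.
    owner_result = attempt_login(throttle, "203.0.113.5", "admin",
                                 "correct horse battery staple", verify, sleep=pauses.append)
    return bot_results, pauses, owner_result


if __name__ == "__main__":
    print(simulate())
```

Running the simulation shows the bot's first five guesses fail with pauses of 1, 2, 4 and 8 seconds, the sixth is refused outright by the per-IP lockout, and the real administrator logging in from a different address waits 16 seconds but is never locked out. Splitting the two controls this way (lockout per address, pause per account) is the compromise between the two failure modes described in the list above.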

Signs of a Brute Force Attack

Although brute force attacks are tough to stop completely, they are easy to detect because every guess leaves a line in your web server’s access log. Be careful about what a failed attempt looks like, though: a WordPress login failure is not an HTTP 401 (that status belongs to HTTP basic authentication). A failed POST to wp-login.php returns a 200 with the login form redrawn, while a successful one returns a 302 redirect into the admin area. So monitor your log files for long runs of POST /wp-login.php requests answered with 200 from the same address, and in particular for a 302 at the end of such a run, which means the attacker found a valid password.

Here are some signs that indicate a brute force attack:

  • Countless failed logins from the same IP address.
  • Logins with multiple usernames from the same IP address.
  • Logins for a single account coming from many different IP addresses.
  • Unusually high request volume and bandwidth consumption from a single user or address.
  • Failed login attempts with alphabetically sequential usernames or passwords.
  • Logins with a referring URL from someone’s webmail or IRC client (a login link that was passed around rather than reached through your own site).
  • Referring URLs that carry a username and password embedded in the URL, in the format shown here: http://user:password@www.example.com/login.htm
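The detection logic above, run over a few access log lines. This is an added example, not code from the original article or from any of the plugins it lists. It assumes the common Apache/nginx combined log format, a site hosted at www.example.com and a threshold of five failures per address; the log lines at the bottom are constructed for the demonstration, using documentation addresses. Signals that need the attempted username (several usernames from one address, one account tried from many addresses) cannot be read from an access log, because the username travels in the POST body; those need an application-level login log such as a plugin writes.

```python
"""Scan a web server access log for the brute force signs listed above.

Added example: not code from the original article or from any of the plugins it
lists. It assumes the common "combined" log format and a site hosted at
www.example.com; the log lines at the bottom are constructed for the demonstration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # assumption: the site's own hostname
FAILURE_THRESHOLD = 5           # assumption: failures per address that count as "countless"

# Apache/nginx combined log format: ip ident user [time] "req" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            yield e


def analyze(lines, site_host=SITE_HOST, failure_threshold=FAILURE_THRESHOLD):
    failed = Counter()          # POST /wp-login.php answered 200 = login form redrawn = failure
    success_after = []          # 302 (redirect into wp-admin) from an address with many prior failures
    credential_referers = []    # referer of the form http://user:password@host/...
    offhost_referers = []       # referer from some other site, e.g. a link clicked in webmail
    for e in parse(lines):
        if e["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if e["referer"] != "-":
            ref = urlparse(e["referer"])
            if ref.username is not None:
                credential_referers.append((e["ip"], ref.username))
            if ref.hostname and ref.hostname != site_host:
                offhost_referers.append((e["ip"], ref.hostname))
        if e["method"] != "POST":
            continue
        if e["status"] == 200:
            failed[e["ip"]] += 1
        elif e["status"] == 302 and failed[e["ip"]] >= failure_threshold:
            success_after.append(e["ip"])
    return {
        "failures_by_ip": dict(failed),
        "noisy_ips": sorted(ip for ip, n in failed.items() if n >= failure_threshold),
        "success_after_failures": success_after,
        "credential_referers": credential_referers,
        "offhost_referers": offhost_referers,
    }


def _line(ip, second, method, status, referer):
    return (f'{ip} - - [12/Apr/2013:10:00:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3871 "{referer}" "Mozilla/5.0"')


SELF = "http://www.example.com/wp-login.php"
# Constructed sample log (documentation addresses from RFC 5737).
SAMPLE_LOG = (
    [_line("198.51.100.7", s, "POST", 200, SELF) for s in range(6)]   # six failures from one bot
    + [_line("198.51.100.7", 6, "POST", 302, SELF)]                     # ...then it gets in
    + [_line("203.0.113.5", 7, "POST", 302, SELF)]                      # a normal login, no failures first
    + [_line("192.0.2.44", 8, "GET", 200, "http://admin:hunter2@www.example.com/wp-login.php")]
    + [_line("192.0.2.45", 9, "POST", 200, "http://mail.example.net/webmail/msg?id=7")]
)

if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

On the sample, 198.51.100.7 is reported both as a noisy address (six failures) and as a success after failures (its 302 follows the run of 200s), the ordinary login from 203.0.113.5 is not flagged, 192.0.2.44 is caught by the credentials embedded in its referer, and 192.0.2.45 by a referer from a webmail host. The 200/302 heuristic applies only to wp-login.php; it is a starting point for a scheduled log check, not a replacement for the lockout plugins listed below.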

Here is a list of WordPress plugins that protect against brute force attacks:

Limit Login Attempts
Simple Login Log
BulletProof Security
Better WP Security
Lockdown WP Admin

Talk to your web development agency today and make sure your site is battle ready.