This has been an incredible week for brute force attacks on the Internet. Email flooded my inbox, and websites slowed to molasses. I had just finished putting security plugins in place on all of my WordPress sites after being attacked only a couple of months ago.
I had been patting myself on the back for securing all known vulnerabilities on my websites and was finally trying to get some real work done when I noticed I was getting hit hard with notifications of login attempts to all of my websites. Of course, the first thought I had was that my plugins were faulty and needed some attention. I went to the forums supporting the plugins I use and found others complaining of the same thing… We’re getting blasted with email alerting us of login attempts and 404 error pages.
Truthfully, I see login attempts all the time on all my sites, but it’s normally only a handful of attempts, and they eventually go away after I block their IP addresses. However, this was insane! I couldn’t keep up with blocking, and quite honestly, I felt like a fish out of water even trying. I couldn’t figure out why I was so special to gain the attention of these attackers. As I sifted through all my web logs, I began to notice something strange. There was only one file attacked… wp-login.php. My plugins worked nicely at blocking the brute force attacks, but the log files were huge!
Finally, I woke Friday morning and went to check on some of the heavier hit sites. I began to see every one of my websites go down. It took my tech team all day to get us all back online. I’m very thankful for their hard work!
Hosting providers and security networks across the Internet found that a large botnet of more than 90,000 servers had been unleashed against WordPress websites. The attackers cycled through different user names and passwords to try to gain access through WordPress admin access points.
Sucuri, a security firm that blocks various types of Internet attacks, reported statistics on just how bad this particular week has been. They announced that in April 2013, brute force attacks had increased from nearly 40,000 attacks per day to nearly 100,000 attempted attacks per day, just in this last week.
In their report, they found that some of the top user names attempted were:
The top passwords tried were:
Here are some things you can do to protect your website from a brute force attack.
- Do not use “admin” as your user name.
One thing that I have learned since working so hard to secure my websites is to NOT use any form of “admin” for a user name. That is the top user name tried in a brute force attack. If you currently have “admin” as your user name, you’ll notice that WordPress will not let you change it inside your dashboard. However, you can change it using phpMyAdmin to access your database.
Warning: messing around with your WP database could cause loss of data and other problems.
I will assume that you know how to get to your phpMyAdmin panel. From there, choose the WP database. WordPress sets up the database as something like “_wrdp1.” Unless you have purposefully changed it to another name, that’s what it is named. Click on that database name, which will be listed on the left.
Once you choose your database, a list of tables will show up. Find the table named “wp_users.” Then click “Browse.”
Next, click on the entry that lists user_login as “admin,” and change it to something else. See example.
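The same rename, written as a query you can run from the SQL tab in phpMyAdmin. This is an added example, not from the original post; it assumes the default wp_ table prefix, and newadminname is a placeholder for the user name you pick.

```sql
-- Added example (not from the original post). Assumes the default wp_ table prefix;
-- 'newadminname' is a placeholder for the new user name you choose.

-- 1. Confirm which row holds the "admin" login before changing anything.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'admin';

-- 2. Rename the login. user_nicename is changed too, because WordPress uses it in
--    author archive URLs (/author/<nicename>/), which would otherwise still reveal "admin".
UPDATE wp_users
SET user_login = 'newadminname',
    user_nicename = 'newadminname'
WHERE user_login = 'admin';

-- 3. Verify: this should now return no rows.
SELECT ID, user_login
FROM wp_users
WHERE user_login = 'admin';
```

If the name shown on your posts is also “admin”, change display_name in the same table as well, since it is visible to anyone reading the site.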
- Choose a very strong password.
It is important to change your passwords. I cannot stress enough: change your password often and make it strong! Remember to use numbers, letters (including capital letters), and symbols in your password. Make it a MINIMUM of 8 characters. The more characters you use, the harder it is to guess. If you have a difficult time creating a tricky password, use a good password generator to create a unique and random password. Personally, I like to use phrases of more than one word for my password. This makes it more difficult to crack.
- Installing a plugin like Better WP Security or Wordfence can help close up other vulnerabilities to your WordPress site. It will create a stealth login, lock down .htaccess and wp-config.php files, and limit login attempts.
Remember, YOU the user, are the biggest vulnerability to your WordPress website!
If you have problems securing your WordPress site, or maybe you just don’t understand all this technical mumbo jumbo, I can help! If you need advice or would like to hire me to help out, feel free to contact me.