Brute force attacks on WordPress
One of the easiest ways to break into a website is through its content management system, such as WordPress. Attackers try to log in to a site's WordPress installation using commonly used passwords. This type of attack is called a brute force attack.
The rise of large-scale brute force attacks
Most websites have adopted countermeasures that limit the number of login attempts. In response, attackers have developed a different kind of brute force attack: instead of launching millions of login attempts against a single website, they now make a limited number of login attempts against millions of different websites.
These large-scale brute force attacks exploit the fact that users often make several login attempts when they forget or mistype their passwords. Such attempts are hard to distinguish from hacking attempts, so administrators leave the door open, so to speak: if they block access after a few failed login attempts, they risk locking out legitimate users.
If a wide-ranging brute force attack on a WordPress account succeeds, the attacker can often modify a theme to insert backdoor code, as shown here:
Wide-ranging attacks are a growing problem
The Imunify360 product team examined over 2000 WordPress domains worldwide that were attacked on April 22, 2020 (no website was attacked or hacked by us) and drew the following conclusions and predictions:
What we found was this:
The 10,000 most commonly used passwords were used in half of the login attempts.
On average, an attacker must try 64 domains, each with 14 login attempts, to determine an account with a weak password.
Weak passwords were used in about 10% of the successful login attempts. This means that websites with weak user passwords either can be hacked or have already been hacked.
Basically, our analysis has shown that weak user passwords in WordPress are like a multi-lane highway where hackers can gain control over websites.
Imunify360 protects against wide-ranging attacks
The latest version of Imunify360, version 4.7, is designed to block wide-ranging brute force attacks. It does this by checking the password used in each login attempt against a list of known weak passwords. If the password is on that list, the user is redirected to a page prompting them to change their password:
If the user clicks the "Reset password" button, they are redirected to the WordPress password reset page. WordPress functionality is not affected, as no user needs to be logged in to reset a password.
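To illustrate the check described above, here is an added example of a minimal WordPress must-use plugin that rejects logins whose password appears on a known-weak list and points the user to the built-in password reset page. It is not Imunify360's code and not part of the original post; the function names, the short sample list, and the optional `weak-passwords.txt` path are assumptions, and it shows the notice on the login form instead of a separate page.

```php
<?php
/**
 * Plugin Name: Weak Password Login Guard (added example, not Imunify360's code)
 * Description: Blocks logins that use a known-weak password and links to the
 *              WordPress password reset page. Copy into wp-content/mu-plugins/.
 */

// Constructed sample list. A real deployment would load the full list of the
// 10,000 most common passwords from a file kept outside the web root.
function wpg_weak_password_list() {
    static $list = null;
    if ($list === null) {
        $list = array('123456', 'password', 'qwerty', 'admin', 'welcome', 'letmein');
        $file = WP_CONTENT_DIR . '/weak-passwords.txt'; // assumed path, optional
        if (is_readable($file)) {
            $extra = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            $list  = array_merge($list, array_map('trim', $extra));
        }
    }
    return $list;
}

function wpg_is_weak_password($password) {
    // Strict comparison: the list holds plaintext entries, so no hashing needed here.
    return in_array($password, wpg_weak_password_list(), true);
}

/**
 * Runs on the 'authenticate' filter after core's username/password check
 * (priority 20), so $user is a WP_User only when the credentials were otherwise
 * correct. Returning a WP_Error aborts the login and shows the message.
 */
function wpg_block_weak_password_login($user, $username, $password) {
    if (!($user instanceof WP_User) || $password === '') {
        return $user; // login already failed or is not a password login; leave it
    }
    if (!wpg_is_weak_password($password)) {
        return $user; // password not on the weak list; allow the login
    }
    $message = sprintf(
        '<strong>%s</strong> %s <a href="%s">%s</a>',
        esc_html__('Weak password detected.'),
        esc_html__('This password is on a list of commonly used passwords and cannot be used to log in.'),
        esc_url(wp_lostpassword_url()),
        esc_html__('Reset password')
    );
    return new WP_Error('weak_password', $message);
}
add_filter('authenticate', 'wpg_block_weak_password_login', 30, 3);
```

Because the weak password is never accepted, a distributed attacker who guesses it still gains nothing, while the legitimate user keeps the reset path the post describes.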