Block brute force attacks on WordPress


Brute force attacks on WordPress

One of the easiest ways to gain access to a website is through its content management system, such as WordPress. Attackers try to log in to a site's WordPress installation with commonly used passwords, one guess after another, until one of them works. This type of attack is called a brute force attack.

The rise of large-scale brute force attacks

Most websites now have countermeasures that limit the number of login attempts. In response, attackers have changed the shape of their brute force attacks. Instead of launching millions of login attempts against a single website, they make a small number of attempts against millions of different websites, staying below each site's lockout threshold.


These large-scale brute force attacks exploit the fact that legitimate users often need several login attempts when they forget or mistype their passwords. A handful of failed logins from an attacker looks just like a user fumbling a password, so administrators leave the door open, so to speak: if they block access after only a few failed attempts, they risk locking out legitimate users.
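The pattern above is invisible to any single site, but not to the server that hosts all of them. The following script is an added example (not Imunify360's code) that correlates failed wp-login.php POSTs across every domain on a host by source IP. The log lines are constructed sample data in Apache's vhost_combined format (first field is the virtual host), and the thresholds (3 domains, 5 attempts per site) are assumptions chosen to mirror a typical per-site lockout.

```php
<?php
// Added example: detect a distributed brute force campaign by correlating failed
// wp-login.php POSTs across ALL domains on a server, per source IP. A per-site lockout
// (here: 5 failures) never fires against this pattern; the cross-domain view does.
// SAMPLE_LOG is constructed sample data, not a real log.

const SAMPLE_LOG = <<<'LOG'
blog-a.example 203.0.113.7 - - [22/Apr/2020:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
blog-a.example 203.0.113.7 - - [22/Apr/2020:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
blog-b.example 203.0.113.7 - - [22/Apr/2020:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
blog-b.example 203.0.113.7 - - [22/Apr/2020:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
shop-c.example 203.0.113.7 - - [22/Apr/2020:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
shop-c.example 203.0.113.7 - - [22/Apr/2020:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
news-d.example 203.0.113.7 - - [22/Apr/2020:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
blog-a.example 198.51.100.9 - - [22/Apr/2020:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
blog-a.example 198.51.100.9 - - [22/Apr/2020:10:02:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0"
blog-a.example 198.51.100.9 - - [22/Apr/2020:10:02:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
blog-a.example 198.51.100.9 - - [22/Apr/2020:10:02:56 +0000] "GET /wp-admin/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
LOG;

/**
 * Extract wp-login.php POSTs. WordPress answers a FAILED login with HTTP 200 (it re-renders
 * the form with an error) and a SUCCESSFUL login with a 302 redirect to wp-admin, so the
 * status code separates the two. Returns a list of ['host', 'ip', 'failed'] records.
 */
function parse_login_attempts(string $log): array
{
    $re = '/^(?<host>\S+) (?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/';
    $attempts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a request line we understand
        }
        $path = explode('?', $m['path'], 2)[0];
        if ($m['method'] !== 'POST' || $path !== '/wp-login.php') {
            continue;
        }
        $attempts[] = ['host' => $m['host'], 'ip' => $m['ip'], 'failed' => $m['status'] === '200'];
    }
    return $attempts;
}

/**
 * Per source IP, count failed attempts per host. An IP is flagged when it has failed logins
 * on at least $minHosts different domains, even if it never reached $perHostLimit (the usual
 * single-site lockout) on any one of them.
 */
function find_distributed_attackers(array $attempts, int $minHosts = 3, int $perHostLimit = 5): array
{
    $failed  = []; // ip => host => failed count
    $success = []; // ip => hosts where a login succeeded
    foreach ($attempts as $a) {
        if ($a['failed']) {
            $failed[$a['ip']][$a['host']] = ($failed[$a['ip']][$a['host']] ?? 0) + 1;
        } else {
            $success[$a['ip']][] = $a['host'];
        }
    }
    $flagged = [];
    foreach ($failed as $ip => $perHost) {
        if (count($perHost) < $minHosts) {
            continue; // e.g. one user mistyping on one site: not our pattern
        }
        $flagged[$ip] = [
            'hosts'                   => count($perHost),
            'max_per_host'            => max($perHost),
            'total_failed'            => array_sum($perHost),
            'locked_out_by_site_rule' => max($perHost) >= $perHostLimit,
            'succeeded_on'            => $success[$ip] ?? [],
        ];
    }
    return $flagged;
}

foreach (find_distributed_attackers(parse_login_attempts(SAMPLE_LOG)) as $ip => $info) {
    printf("%s: failed on %d domains (max %d per domain, %d total); per-site lockout fires: %s; succeeded on: %s\n",
        $ip, $info['hosts'], $info['max_per_host'], $info['total_failed'],
        $info['locked_out_by_site_rule'] ? 'yes' : 'no',
        $info['succeeded_on'] ? implode(', ', $info['succeeded_on']) : 'none');
}
```

In the sample, 203.0.113.7 never exceeds two failures on any one domain, so a per-site rule stays silent, yet it is flagged for touching four domains and has already succeeded on shop-c.example; 198.51.100.9, a user retrying on a single site, is not flagged. On hosts that keep one log file per domain (as cPanel does), prepending the domain name to each line produces the format the parser expects.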

If a large-scale brute force attack on a WordPress account succeeds, the attacker can then modify a theme file to insert backdoor code, giving them persistent access to the site even after the password is changed.

Wide-ranging attacks are a growing problem

The Imunify360 product team examined more than 2,000 WordPress domains worldwide that were attacked on April 22, 2020 (the team only observed these attacks; it did not attack or hack any website itself) and drew the following conclusions and predictions.

What we found was this:

Half of all login attempts used one of the 10,000 most commonly used passwords.

On average, an attacker has to try 64 domains, with 14 login attempts each, to find one account with a weak password.

About 10% of the successful logins used a weak password. In other words, a website whose users have weak passwords either has already been hacked or can be hacked at any time.

In short, our analysis shows that weak user passwords in WordPress are a multi-lane highway by which hackers gain control of websites.

Imunify360 protects against wide-ranging attacks

The latest version of Imunify360, version 4.7, is designed to block these wide-ranging brute force attacks. It checks the password used in each login attempt against a list of known weak passwords. If the password is on the list, the login is not completed; instead, the user is redirected to a page prompting them to change their password.

If the user clicks the "Reset password" button, they are taken to the WordPress password reset page. Normal WordPress functionality is unaffected, since no user needs to be logged in to reset a password.
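The same gate can be reproduced inside WordPress itself. The plugin below is an added example, not Imunify360's own code: it hooks the `authenticate` filter, refuses any login attempt whose password appears on a weak-password list, and sends browser logins to the password reset page. The list embedded here is a placeholder with a few entries; a real deployment would load the 10,000 most common passwords from a file. The `weak_password` query parameter and the messages are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Weak Password Gate (added example)
 * Description: Refuse any login attempt that uses a password from a known weak-password
 *              list and send the user to the WordPress password reset page instead.
 *
 * Added example, not Imunify360's own code. Place it in wp-content/mu-plugins/ so it
 * loads before ordinary plugins. The list below is a placeholder; the real list would be
 * read from a file into the same value => true shape for O(1) lookups.
 */

const WPG_WEAK_PASSWORDS = [
    '123456' => true, 'password' => true, 'admin' => true, 'qwerty' => true,
    '123456789' => true, 'letmein' => true, 'welcome' => true, 'admin123' => true,
];

function wpg_is_weak_password(string $password): bool
{
    // Published lists are lowercase; compare case-insensitively so "Password" is caught too.
    return isset(WPG_WEAK_PASSWORDS[strtolower($password)]);
}

/*
 * Priority 30 runs after the core username/password check (priority 20), but we
 * deliberately do NOT look at whether $user is a valid WP_User: redirecting only when the
 * weak password is also the correct one would turn the redirect into a yes/no oracle for
 * the attacker. Every attempt with a listed password is refused, correct or not, which is
 * what stops a distributed guessing campaign rather than just one site's share of it.
 */
add_filter('authenticate', function ($user, $username, $password) {
    if (!is_string($password) || $password === '' || !wpg_is_weak_password($password)) {
        return $user; // not a listed password: the normal authentication result stands
    }

    $error = new WP_Error(
        'weak_password',
        __('The password you entered is on a list of commonly used passwords. Please reset it before logging in.')
    );

    // XML-RPC, REST and AJAX clients cannot follow a browser redirect: return the error.
    if (defined('XMLRPC_REQUEST') || (defined('REST_REQUEST') && REST_REQUEST) || wp_doing_ajax()) {
        return $error;
    }

    // Browser login (wp-login.php): hand the user over to the built-in reset flow.
    // wp_lostpassword_url() works without a session, so nothing else in WordPress changes.
    wp_safe_redirect(add_query_arg('weak_password', '1', wp_lostpassword_url()));
    exit;
}, 30, 3);

// Tell the user on the reset page why they landed there.
add_filter('login_message', function ($message) {
    if (isset($_GET['weak_password'], $_GET['action']) && $_GET['action'] === 'lostpassword') {
        $message .= '<p class="message">'
            . esc_html__('Your password is too common to be safe. Enter your username or email address to set a new one.')
            . '</p>';
    }
    return $message;
});
```

One difference from the hosting-level product is worth noting: Imunify360 applies this check before the request reaches WordPress, so it also protects sites whose owners install nothing; a mu-plugin only protects the site it is installed on. Pair either approach with a rate limit on wp-login.php and xmlrpc.php, since a strong but guessable password is not on any list.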


Silvio Mazenauer

For more than 20 years, I've been helping our customers get up to speed with web hosting, domains, websites or cPanel. And I'm here to help you too.
