A brute force attack is the least sophisticated technique online criminals have to compromise WordPress sites. It doesn’t take advantage of obscure coding errors or advanced social engineering techniques. Rather, a brute force attacker simply tries lots of username and password combinations until they find one that works. The execution may be more or less sophisticated, with some attackers using botnets to attack thousands of WordPress sites simultaneously, but the heart of a brute force attack is guesswork informed by what the attackers know about commonly used credentials.
Unsophisticated as brute force attacks are, they can be devastatingly effective if a site’s security isn’t up to snuff. Brute force attacks take advantage of user error — sites with easy-to-guess common passwords used in conjunction with common or default usernames can fall to a brute force attack in seconds.
Because brute force attacks are successful against naïve WordPress users, they’re a common technique. Sucuri, the WordPress security company, publishes up-to-date information about the prevalence of brute force attacks against the WordPress sites it protects. There are tens of millions of malicious login attempts every day, and Sucuri covers a tiny fraction of WordPress sites on the web.
Basic Brute Force Mitigation
Brute force attacks rely on the attacker’s ability to guess the correct credentials. That’s easy for common and simple credentials. It’s impossible for complex username and password combinations. The best way to reduce the likelihood of a successful brute force attack against your site is to make sure all user accounts have long complex passwords.
It’s also advisable to change the username of the default admin password from “admin” to something less obvious. This plugin will help with changing the admin username.
You might also consider using a two-factor authentication service like Authy. TFA massively reduces the impact of brute force attacks even if your users choose weak credentials.
Advanced Brute Force Mitigation
With secure login credentials and TFA, brute force attacks are essentially mitigated as a security problem, but they are still an annoyance. Every time a brute force bot attempts to login to a WordPress site, a proportion of that site’s resources are used. In the most serious cases, a brute force attack can cause a site’s available RAM to be consumed, resulting in what is effectively a denial of service attack.
To reduce the impact of failed login attempts, WordPress site owners can implement any of several techniques that are outlined in this article from WordPress.org. But if you’re not enthused by the idea of fiddling with your WordPress site’s files, there are plugins that will do the job for you.
If you’re a user of the Jetpack plugin pack, you’re probably already covered. Jetpack includes a sophisticated brute force mitigation component that will blacklist malicious IPs and reduce the resources they consume.
Brute Force Login Protection
Not everyone’s a fan of Jetpack, and Brute Force Login Protection is a popular alternative. It will limit the number of login attempts allowed from the login page and blacklist IPs that appear to be involved in malicious login attempts.
Brute force attacks are an annoyance but there’s no reason that a properly secured WordPress site should be compromised by this unsophisticated technique.