WordPress wp-login.php Brute Force Attack


“WordPress” is a brand famous worldwide, a CMS that almost no one is ignorant of, whether the site is hosted on Linux or Windows. It is a platform that supports many individuals and organizations in building and running their business. But as the saying goes, “Avoid popularity, as it brings along snares.” Hacking is the biggest ‘snare’ on the Internet today, and WordPress is facing the problem of brute-force attacks. Unlike hacks that exploit vulnerabilities in software, a brute-force attack aims to gain access to a site by continuously trying usernames and passwords until one of them works. Such attacks are very successful when people use passwords like ‘123456’ and usernames like ‘admin’.

Brute-force attacks came into the limelight in April 2010, becoming a significant threat to WordPress. About 90,000 compromised servers are continuously trying to break into WordPress websites by guessing usernames and passwords to get into the WordPress admin panel. The flood of continuous HTTP requests from these attacks exhausts the server’s memory, causing storage problems and slow response times for users.

This type of attack is widespread against websites in general, but since WordPress is so popular, it has become the chief target for these attackers.

But just as technology has given rise to these evils, the same technology offers ways to resolve and tackle them. By following specific protective rules, we can protect our website from these attacks.

Don’t use ‘admin’ as your username. Past reviews show that many WordPress websites were hacked because their owners used ‘admin’ as their username. If you have an account with this username, create a new one today and move all posts and essential data to it.

Passwords are the first line of defence for our accounts. A good, hard-to-guess password makes it practically impossible for brute-force attackers to succeed in guessing it. So, select a good password for your account.

Things to avoid when choosing a password:

  • Any combination of your name, username, company name, or the website name.
  • A word from a dictionary in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

Other simple measures:

  • A plug-in can limit the number of login attempts on your site or block people from accessing wp-admin. Many plug-ins serve various security purposes, such as Admin Renamer Extended, Enforce Strong Password, Limit Login Attempts, BruteProtect, Block Brute-Force Attacks, etc.
  • It’s good practice to keep a backup of your WordPress. This way, your data and posts are safe even if the attacks continue.
  • Keep WordPress updated to protect it from exploits.
  • Even if your WordPress website has been hacked, you can clean it up and continue with it.

These were some simple measures for protecting your WordPress. More technical, and even more secure, measures can also be implemented. These are illustrated as follows:

  • Monitor your visitors to check who is trying to access your WordPress admin panel. This can be done using cPanel’s ‘Latest Visitors’ tool. If you find several IP addresses hitting your wp-login.php script at a much higher volume than normal, your site could be under a WordPress brute-force attack.
  • You can set up a cron job to email you the details of each day’s login attempts. This is configured under cPanel->Advanced->Cronjob->Cron email->Update email, followed by the required settings. The report gives you a detailed list of all the IP addresses and how many times each tried to access your wp-login.php script. This helps at times when you are unable to review your WordPress account yourself: you would still know whether you are being targeted by a brute-force attack, and appropriate protective measures could be taken.
  • You can block unwanted IP addresses from accessing your WordPress admin using .htaccess rules. These blocked IP addresses are immediately given a 403 access denied error when they attempt to access your wp-admin.
  • You can also protect the server itself. When you lock down wp-login.php or wp-admin, you get a 404 or 401 error when accessing those pages. To avoid this, add the following line to your .htaccess file: ErrorDocument 401 default.
  • For Nginx, you can use the error_page directive with an absolute URL.
  • You may also protect your wp-login.php file and wp-admin folder with a password to add more security to the server. You will need to create a .htpasswd file for this purpose. You can keep this file either inside or outside your public folder.
  • Cloud/proxy services like Cloudflare can block the IPs you want before they reach your server.
  • You can scan your website with an online malware scanner like sitecheck.sucuri.net/scanner to find out whether you are a target of a brute-force attack.
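The monitoring and .htaccess blocking steps above can be chained together. The following script is an added example, not code from the original article: it counts POST requests to wp-login.php per client IP in an Apache “combined” format access log, flags any client at or above a threshold, and emits Apache 2.4 `.htaccess` rules (the `Require not ip` syntax, plus the `ErrorDocument 401 default` line from the article) that answer those clients with 403. The log lines, IP addresses and the threshold of 20 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original article: spot IPs hammering wp-login.php in
# an Apache "combined" access log and emit Apache 2.4 .htaccess rules to block them.
# Assumptions: combined log format, Apache 2.4 "Require" syntax, a threshold of 20
# POSTs per IP. All log lines and IPs below are constructed sample values.

# Constructed stand-in for /var/log/apache2/access.log: one client posting to
# wp-login.php 25 times, a second one 3 times, and a normal visitor reading a post.
make_sample_log() {
  i=0
  while [ "$i" -lt 25 ]; do
    echo '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"'
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt 3 ]; do
    echo '198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1245 "-" "curl/7.81"'
    i=$((i + 1))
  done
  echo '192.0.2.44 - - [10/Oct/2023:14:05:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"'
  echo '192.0.2.44 - - [10/Oct/2023:14:05:09 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 8802 "-" "Mozilla/5.0"'
}

# Read a combined-format log on stdin; print "count ip" for every client whose
# POSTs to wp-login.php reach the threshold (default 20), busiest first.
# Combined-format fields: $1 client IP, $6 quoted method, $7 request path.
# Only POSTs count: a GET of wp-login.php is just someone opening the form.
suspicious_ips() {
  threshold="${1:-20}"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
  ' | sort -rn
}

# Turn "count ip" lines on stdin into .htaccess rules. Blocked clients receive 403
# on wp-login.php; the ErrorDocument line makes any 401 from login protection fall
# back to Apache's built-in page instead of a missing custom one (as the article says).
htaccess_rules() {
  cat <<'EOF'
# Serve Apache's built-in 401 page rather than a missing custom one
ErrorDocument 401 default

<Files wp-login.php>
  <RequireAll>
    Require all granted
EOF
  while read -r count ip; do
    # Apache config comments must sit on their own line, so the count goes above the rule.
    printf '    # %s POSTs to wp-login.php seen in the log\n' "$count"
    printf '    Require not ip %s\n' "$ip"
  done
  cat <<'EOF'
  </RequireAll>
</Files>
EOF
}

# Stand-alone demo. In production, replace make_sample_log with
#   suspicious_ips 20 < /var/log/apache2/access.log
# and review the list before appending the rules to your .htaccess.
make_sample_log | suspicious_ips 20 | htaccess_rules
```

Review the flagged list before applying it: a single address behind a corporate NAT or a shared proxy can legitimately produce many login POSTs, so the threshold should be tuned to the site’s normal traffic. Password-protecting wp-login.php with a .htpasswd file, as described in the list above, is configured separately from these IP rules.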

If these measures are implemented correctly, the problem of brute-force attacks could be avoided and resolved by every site owner individually, and this threat would no longer prevail on the Internet.