If you own a WordPress site you may have received an email from your web hosting company about a new WordPress brute force attack. I run dozens of sites; in one day I’ve received 4 from different hosts. They almost read like spam, but don’t disregard them: this is a very real threat. Instead of reinventing the wheel and rewriting what all of the experts are writing, I thought I’d use this post to share my research and the information I’ve gathered from some of the most reputable folks in the WordPress community.
Before I dive right into the research, let’s review some of the basic FAQs:
A bot (a program that crawls the internet) attempts to log in to your WordPress admin page using common usernames like Admin and common passwords. They call it brute force because the bot doesn’t just try 1 or 2 times; it tries 10,000s of times until it has exhausted all attempts.
What can you do to protect your WordPress site?
If you are using the username Admin, STOP NOW!!! Avoid other common names too, like your name or the name of your site. Also use a strong password: a combination of numbers, letters, and special characters is best; and again, avoid common words and words linked to you.
I have a strong username and password, so I am safe right?
Yes and no. The attacks may not get into your site, but the volume of attacks on your host’s servers could cause an overload and brief interruptions in service.
How do I know if I’ve been attacked?
Unless you look at your logs and can see the volume of attempts, you won’t (see the Sucuri post below for examples). The best thing is to change your password just in case. Even if an attack was successful, the attackers may not use the information they have gathered right away, so it’s best to change your credentials to prevent future use.
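As an added illustration (not from the original post or any of the linked articles), here is a small Python script that looks for the pattern described above in a web server access log: many POSTs to wp-login.php from one IP in a short window, and whether a login succeeded after that burst. It assumes the "combined" log format and the default WordPress behaviour of answering a failed login with HTTP 200 and a successful one with HTTP 302; the log lines are constructed samples, and the threshold and window are assumed values you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in "combined" access-log format (documentation IPs, not real traffic).
# Default WordPress re-renders the form on a failed wp-login.php POST (200) and redirects on success (302).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def analyze_login_attempts(log_text, threshold=5, window_seconds=60):
    """Per source IP: failed/successful wp-login.php POSTs, whether `threshold` failures
    landed inside `window_seconds` (burst), and whether a login succeeded after that burst."""
    attempts = defaultdict(list)  # ip -> [(timestamp, failed)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append((ts, m["status"] == "200"))
    report = {}
    for ip, events in attempts.items():
        events.sort()
        failed = [t for t, is_fail in events if is_fail]
        burst_end = None
        for i in range(len(failed) - threshold + 1):  # sliding window over failures only
            if (failed[i + threshold - 1] - failed[i]).total_seconds() <= window_seconds:
                burst_end = failed[i + threshold - 1]
                break
        report[ip] = {
            "failed": len(failed),
            "succeeded": len(events) - len(failed),
            "burst": burst_end is not None,
            # a success at/after the burst is the case that warrants an immediate password reset
            "success_after_burst": burst_end is not None
            and any(not is_fail and t >= burst_end for t, is_fail in events),
        }
    return report
```

Run it against your own access log by passing the file contents to analyze_login_attempts; an IP with success_after_burst set is the case where changing the password right away matters most.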
Can these attacks only happen to WordPress? Do I need a new type of site?
Brute force attacks can happen to any type of site with a username and password log-on, including cPanel accounts. The NextWeb article below even reports that some Joomla sites were attacked too. WordPress sites are just easier targets because there are millions of WordPress users, both experienced and new to WordPress, and many WordPress users don’t change the default username Admin and choose simplistic passwords. So no, you don’t need a new site; just tighten the protections on the one you have.
- Mass WordPress Brute Force Attacks? Myth or Reality - www.sucuri.com
- WordPress Brute Force Attacks, and What You Need to Do About It - WPBeginner - www.wpbeginner.com
- Check your security settings: Brute force attacks against WordPress and Joomla sites have tripled - thenextweb.com
- Hackers Point Large Botnet At WordPress Sites To Steal Admin Passwords And Gain Server Access - http://techcrunch.com
I hope this information has helped you understand those scary emails from your host just a little bit better. If you have found any great research regarding the recent brute force attacks, share the link below; the more we know about these attacks, the better we can protect our sites.