Brute Force Attack Hitting WordPress

by Ben Cook on November 30, 2009


Word on the street is that some WordPress blogs are being hit with a brute force attack: a script that repeatedly submits password guesses for the admin account to the WordPress login form until one of them works.

Dennis Fisher has all the details over on Threatpost summing up the threat with the following:

The wp_brute_attempt() function takes 3 parameters: $ch, which is cURL’s structure (cURL is a command-line tool that can be used to perform HTTP requests). The other two parameters define the site and the password that will be tried. If the script logged in successfully, the page that gets returned by the server will contain the phrase “Log Out”, and the function will return a true value.

So how can you protect yourself from this kind of attack?

It’s actually fairly easy. The script guesses passwords for the default administrator account, so change that account’s login name from admin to something unique, and use a strong password (long, with numbers, capitalized letters and symbols). Renaming the account only helps against scripts that have “admin” hard-coded; a password that cannot be guessed in any practical number of attempts is what actually defeats the attack.

There’s also a plugin designed specifically to prevent this sort of brute force attack, called Login Lockdown.

The plugin “records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.”
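To make the lockout idea concrete, here is an added example of failed-login lockout logic of the kind that description outlines, run over a constructed attempt log. This is my illustration, not the plugin’s code: the thresholds (3 failures in 5 minutes, 1 hour lockout), the grouping of clients by /24, the user table and the log lines are all assumptions made for the demonstration.

```python
"""Failed-login lockout of the kind the Login Lockdown description outlines,
reimplemented here as an added example.  This is not the plugin's code: the
thresholds, the /24 grouping, the user table and the log lines are all
constructed for the demonstration."""

import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3               # failures tolerated per range inside WINDOW (assumed)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumed)
LOCKOUT = timedelta(hours=1)   # how long a range stays blocked (assumed)

# Constructed user table; a real site compares password hashes, not plaintext.
USERS = {"admin": "Tr0ub4dor&3", "editor": "s3cret-pass"}

# Constructed attempt log: "date time client_ip username password_tried".
# 203.0.113.0/24 plays the guessing script, 198.51.100.9 a legitimate editor.
SAMPLE_LOG = [
    "2009-11-30 14:00:01 203.0.113.5 admin password",
    "2009-11-30 14:00:02 203.0.113.5 admin 123456",
    "2009-11-30 14:00:03 203.0.113.6 admin admin",          # second host, same /24
    "2009-11-30 14:00:04 203.0.113.6 admin qwerty",         # 4th failure: range locked
    "2009-11-30 14:00:05 203.0.113.5 admin Tr0ub4dor&3",    # right guess, but locked
    "2009-11-30 14:01:00 198.51.100.9 editor s3cret-pass",  # other range, unaffected
    "2009-11-30 15:30:00 203.0.113.5 admin Tr0ub4dor&3",    # lock has expired
]


def ip_range(ip):
    """Group attempts by /24 so rotating hosts inside one subnet are counted together."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> when its lock expires

    def is_locked(self, ip, now):
        rng = ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]      # lock has expired; forget it
            return False
        return True

    def record_failure(self, ip, now):
        """Store the failure; lock the range once the window holds too many."""
        rng = ip_range(ip)
        recent = self.failures[rng]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                # drop failures outside the window
        if len(recent) > MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
            recent.clear()
            return True
        return False

    def attempt(self, ip, user, password, now, users=USERS):
        """Return 'locked', 'ok' or 'failed'.  The lock is checked before the
        password, so a locked range cannot even confirm a correct guess."""
        if self.is_locked(ip, now):
            return "locked"
        if users.get(user) == password:
            return "ok"
        self.record_failure(ip, now)
        return "failed"


def replay(lines, users=USERS):
    """Feed log lines through one LoginGuard and return the verdict per line."""
    guard = LoginGuard()
    verdicts = []
    for line in lines:
        date, time, ip, user, password = line.split()[:5]
        now = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        verdicts.append(guard.attempt(ip, user, password, now, users))
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{verdict:<7} {line}")
```

Two details matter in practice. The lock is checked before the password, so the fifth line, where the script happens to try the right password while its range is locked, is refused rather than confirmed. And the lock expires, so a patient attacker who spreads guesses over hours or across many networks is only slowed down, which is why the password itself still has to be strong.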

And as a last line of defense, regularly back up your WordPress installation (files and database) to more than one location, so a compromised site can be restored rather than rebuilt.

I know posts like this seem like nagging or a waste of time, but the first time your blog is hacked you’ll be kicking yourself for not taking action.

Image Source: kadath

6 comments

Sebastian November 30, 2009 at 4:35 pm

Also: .htaccess and .htpasswd are your friends.

Order Deny,Allow
Deny from all
Allow from your_ip_addy

.htaccess in wp-admin:

AuthUserFile /out_of_reach_for_web_server/.htpasswd
AuthGroupFile /dev/null
AuthName "GFY"
AuthType Basic

require valid-user

http://httpd.apache.org/docs/1.3/programs/htpasswd.html
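As an added example (my configuration, not Sebastian’s and not anything WordPress ships): the guessing script posts to wp-login.php in the site root, not to wp-admin/, so a password prompt on wp-admin/ alone leaves the login form itself open to guesses. The fragment below puts Basic auth in front of wp-login.php as well, and lets a trusted address into wp-admin without the prompt. The paths, realm name and trusted address are placeholders to replace.

```apache
# --- .htaccess in the WordPress root (placeholder paths) ---
# Second password in front of the login form, which is what the guessing script posts to.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /out_of_reach_for_web_server/.htpasswd
    Require valid-user
</Files>

# --- .htaccess in wp-admin ---
# Let the trusted address in without a prompt, ask everyone else for the second password.
# Satisfy Any = pass either the IP check or Basic auth (Apache 1.3/2.2 syntax).
AuthType Basic
AuthName "Restricted"
AuthUserFile /out_of_reach_for_web_server/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from 192.0.2.10
Satisfy Any

# Themes and plugins call admin-ajax.php from the public site; leave it reachable.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
    Satisfy Any
</Files>
```

Create the password file with htpasswd outside the document root, as the linked manual describes. Because the second password is a separate credential, this also works from any location, which answers the objection about logging in from many networks; only the IP shortcut is tied to one address. Apache 2.4 replaced Order/Allow/Deny and Satisfy with Require ip and RequireAny, so the access-control lines need translating there.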

Ben Cook November 30, 2009 at 5:12 pm

Sebastian, yeah, that would be a very good solution for bloggers who do most of their blogging from one place.

Unfortunately, I log in to work on my sites from all sorts of places, including plenty of networks via my iPhone, so that solution wouldn’t work well for me.

Ryan Beale November 30, 2009 at 5:32 pm

Thanks for the heads-up. I use the Login Lockdown plugin and changed the admin user name to a new one. Hopefully, that will be enough to fend off the attack.

Ben Cook November 30, 2009 at 6:03 pm

Ryan, from what I’ve read that should safeguard you from this specific threat. I’m not sure how widespread it is just yet but when a script is released into the wild like that, there tend to be plenty of people willing to give it a try.

Ryan Beale November 30, 2009 at 6:07 pm

Cool. Thanks again!

Sebastian November 30, 2009 at 6:15 pm

Ben, you can use LIMIT (requiring a valid usr:pw for access to wp-admin) from any place. In addition, you can make use of a somewhat unique and not that guessable GET variable to restrict access to the wp-admin directory. Or, just use a proxy … there are so many solutions.
