
Wednesday, June 12, 2013

Brute Force attack against WordPress websites

This morning I logged in to the 000webhost.com control panel to do some PHP programming and saw this message:

"Potential WordPress problem (Brute Force attack against WordPress websites)
We have monitored an on-going brute-force attack against WordPress websites. In order to keep your WordPress website secure, we recommend you do the following:

1. Please change your password for the WordPress admin area.

2. Go to your cPanel > File Manager and find your wp-login.php file.

Temporarily rename the wp-login.php file to wp-login1.php.

You need to change a line in your wp-login.php to reflect the change to the file name. It's line 680, where the form action refers to wp-login.php."
Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', they can be very successful when people use passwords like '123456' and usernames like 'admin.'

They are, in short, an attack on the weakest link in any website's security: You.

Due to the nature of these attacks, you may find your server's memory goes through the roof, causing performance problems. This is because the number of HTTP requests (that is, the number of times someone visits your site) is so high that servers run out of memory.

This sort of attack is not endemic to WordPress; it happens with every web app out there, but WordPress is popular and thus a frequent target.

How to Protect Yourself

Don't use the 'admin' username
The majority of attacks assume people are using the username 'admin', because early versions of WordPress defaulted to this. If you are still using this username, make a new account, transfer all the posts to that account, and change 'admin' to a subscriber (or delete it entirely).

Good Passwords
The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

You can use the Enforce Strong Password plugin to force users to set strong passwords.

Things to avoid when choosing a password:
  • Any permutation of your own real name, username, company name, or name of your website.
  • A word from a dictionary, in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.

Plugins
Plugins can be used to limit the number of login attempts made on your site, or block people from accessing wp-admin.
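As an added example (not from this post or from wordpress.org), the following Python script applies the same rule a login-limiting plugin enforces to a web server access log: it flags any client that reaches five failed wp-login.php POSTs within one minute, which is also the request flood behind the memory problems described above. The log lines and IP addresses are constructed, and the 5-in-60-seconds threshold is an assumed setting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache/nginx "combined" access-log sample; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2013:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2013:08:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2013:08:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:08:00:05 +0000] "POST /wp-login.php?redirect_to=x HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def is_failed_login(method, path, status):
    # A wrong password makes wp-login.php re-render the form with HTTP 200;
    # a correct one redirects (302), so 200 POSTs are the failed attempts.
    return method == "POST" and path.endswith("/wp-login.php") and status == 200

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return [(ip, iso_time)] for clients reaching `threshold` failures in a sliding window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])  # lines from several workers may be unordered
    recent, flagged = defaultdict(deque), {}
    for ip, ts, method, path, status in events:
        if ip in flagged or not is_failed_login(method, path, status):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = ts.isoformat()
    return sorted(flagged.items(), key=lambda item: item[1])

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG):
        print(f"{ip} hit the failed-login limit at {when}; block or rate-limit it")
```

Note that the username being guessed is in the POST body, not the access log, so this detection works on request rate alone; pairing it with the 'no admin user' advice above closes both sides.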

Resource: wordpress.org