The WordPress platform is a hugely popular and widely used worldwide. This popularity makes WordPress the target of attackers and makes brute force attacks (exclusively targeted).
Unfortunately, many users do not have knowledge and awareness of required safety criteria and end up failing and helping much a brute force attack to be successful in making use, for example, the username “admin” or choose a weak password.
You as a user have the obligation and it is your duty to at least choose a strong password with a combination of uppercase and lowercase characters added with special numbers and characters. The latest version of WordPress has further improved its relationship with the user when it will set a password for your personal account, suggesting and helping to make a good choice in this regard. Behind this feature is a platform step that helps users to avoid their sites to hack through brute force attack.
How does the brute force attack happen on WordPress?
A brute force attack can be accomplished manually or using methods and tools that automate the process.
How is the brute force attack done manually?
The attacker accesses the address authentication WordPress – abcsite.com/wp-login.php – and makes attempts to login by entering a username and password. It will repeat the action until they hit a combination.
How the brute force attack is done in an automated way?
The attacker reports the address of the target site authentication in WordPress through a tool; one or more user names and reports the address of a password dictionary on your computer, a text file with multiple passwords, one per line. The tool will make all attempts to log in with passwords available in the dictionary for each user’s informed name. At the end of the process, combinations of usernames and passwords will list, and its result: failure or success.
How to perform brute-force attack on WordPress through WPScan
The WPScan is an amazing tool for scanning WordPress vulnerabilities and its plugins. It can also use to simulate brute force attacks.
Through the feature, you can define how many threads will occur simultaneously. Direct brute force attack to a specific username or all of them.
The example below directs the brute force attack for a user name in particular, in this case, “admin”, and query the dictionary-of-passwords.lst file where there are thousands of passwords to use in combination.
ruby wpscan.rb --url siteonWordPress.com --wordlist dictionary-of-passwords.lst --username admin
In another example below, the brute force attack is directed to all registered users and 30 attempts will be made at the same time.
ruby wpscan.rb --url SiteOnWordPress.com --wordlist dictionary-of-passwords.lst --threads 30
How to prevent and avoid brute force attacks on WordPress
It is very important that you take action in advance to prevent brute force attacks that can direct to your WordPress website. Below you will find several simple actions, and you just need to implement them in your installation and user account to ensure greater security for WordPress.
Usernames against brute force attack
The simplest rule of all: do not use the username “admin”. When performing a new WordPress installation, choose a different user name for that, and if it is in use know how to remove it.
You should also prevent the registered user names that are captured by the attackers. If a brute force attack is performed by WPScan and without informing a specific user name, the tool will perform another method before the start of the process to obtain user names. If another tool used, the attacker will perform some process for this list.
Either through WPScan or any other tool, you should avoid listing the user names registered in WordPress and prevent the attackers from possessing the list.
Secure passwords against brute force attack
I relate the use of weak password with the backup data. You only give attention to the fact and make choosing a secure password when someone attempts to discover the combination. About backup, have you lost some important data and could not recover?
Internet browsers deal well with the suggestion and store strong passwords to link with your accounts. Those who do not offer this feature can enhanced with extensions and similar programs.
WordPress provide guidance and implement resources to help the user in choosing and managing strong passwords and this became even more evident in the latest version. There are also plugins that force the user to choose a strong password since the poor are not allowed and blocked for use.
A strong password consists of lowercase characters, uppercase and combined with numbers and special characters.
Two-step authentication and captcha to help users
The captcha feature sometimes hinders the user’s life. But there are elegant options that can separate the robots and humans through simple and smart features like the answer to a mathematical account of the “five + XXX = 84” or dialing a form field that states that the user is not a robot.
The two-step authentication can be implemented unlike the captcha and thus work with the criterion “what are you?” For user authentication beyond “what you know”.
Protection for wp-login.php file
In any attempt to brute force attack, it will directed to the wp-login.php file. There are protection methods that can be applied to it to make life difficult for attackers. Some of these methods may exhibit an extra effort of the users and not others.
Implementing a Web Application Firewall (WAF) will filter access to the wp-login.php file and allow only legitimate access and it is transparent and the user does not notice and avoids an extra effort on their part. It is a solution that needs to hired and requires financial investment.
Example: WAF of Sucuri
Against the tide of the WAF, which requires financial investment and is transparent to the user, you can implement an HTTP authentication in the wp-login.php file where a login and user password is required to access the file and then report their data access to WordPress. Another possibility is to restrict access to specific IP addresses, for this, you need to rely on fixed IP addresses.
Protection from spammers and unidentified references
When you do not have an implemented WAF, it is advisable to use an additional code in your .htaccess file, if the Apache webserver use to prevent access and brute force attack directed at wp-login.php file and wp- comments-post.php by unidentified references. This practice is very common for spammers who inject the links and malicious code on as many sites as they can.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond% {} REQUEST_METHOD POST
RewriteCond% {REQUEST_URI} (wp-comments-post | wp-login). \ Php *.
RewriteCond% {HTTP_REFERER}!. * abcsite.com. * [OR]
RewriteCond% {HTTP_USER_AGENT} ^ $
RewriteRule http (. *): //% {REMOTE_ADDR} / $ [R = 301, L]
</ IfModule>
I hope you understood how a brute force attacker applies the techniques and also understood the techniques to have a more secure WordPress website that can help you to prevent this type of attack.
