The latest brute force attack on WordPress

on January 3rd, 2010 by Richard Orelup in Development - Wordpress

This article has been moved from its original spot on the Mu Studios website, so if it looks familiar you know why.

So I logged into my admin today to start work on my first real blog post and I happened to see an article listed about a new distributed attack against WordPress. The story listed linked to this article about the attack. After seeing that it was just a brute force attack I was relieved because it wasn’t anything too scary.


For those who don’t know what a brute force attack is, it is probably the simplest attack out there. In a brute force attack, the attacker will repeatedly try logging into your system using a different password each time. They will either use a random character string each time or use a dictionary attack, where they have a list of common passwords and attempt all of those. There really isn’t much thought behind the attack; they are just trying to win by sheer brute force of attempts (sometimes, and in this case, from a network of computers). This attack has been around forever and has been used lots of times.

What makes systems like WordPress obvious targets for these kinds of attacks is the use of a default administrator (or root) account. If the username were not a given, attackers would have to guess both the username and the password, but because it is a given they will just attack the main “admin” account.

So how can we defend against this you say? Well there are lots of ways to handle this.

The first change is to rename the admin account to something different. This will stop probably 90% of attackers because they are only going to try the default account. Depending on the theme, and if the attacker is going after you specifically (instead of just a random site they found through Google), they may be crafty enough to figure out your other usernames. So there are more options to look at.

Another given is the location of the administrative pages for WordPress. By default it is located at /wp-admin/. Moving this folder just adds another layer of confusion for the would-be attacker and stops more of the people who are only expecting the defaults, but again it is just a distraction to those dedicated enough to find it. For most I would not suggest doing this, because you have to make a lot of changes elsewhere and it will make upgrading later an issue. If you want more info on this you can read about it here. I personally do not do this because of the upgrade hassles.

For a brute force attack to work, they need to be able to hit you repeatedly to try out all their password combinations. So the next step is to attempt to limit their chance of attacking the site. There are 2 plugins I know of –

Login Lockdown

User Locker

Both work as plugins to WordPress itself. They both disallow logins after a certain number of failed attempts, which is good, but User Locker handles it a little better, specifically against this attack. Login Lockdown records the IP address of the failed attempts and blocks IP addresses in that range after so many failed attempts. That helps against this attack, since each computer gets a limited number of attempts, but this is a distributed attack, so the computers will most likely not all fall into that range. User Locker, on the other hand, doesn’t care about IP address and just locks the account completely after a certain number of fails. Now every computer the attacker has is blocked from attacking.
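The difference between the two lockout styles, as an added example (not code from either plugin): a simulation over constructed failed-login events from a distributed attacker. The threshold, the /24 range size, the 10.0.x.1 addresses and all function names are assumptions made for illustration.

```python
from collections import Counter

MAX_FAILS = 3  # assumed threshold; each plugin has its own setting


def guesses_allowed(events, key):
    """Count password guesses that still reach the login check.

    events: list of (source_ip, username) failed attempts, in order.
    key:    function choosing what the failure counter is keyed on.
    """
    fails = Counter()
    allowed = 0
    for ip, user in events:
        k = key(ip, user)
        if fails[k] >= MAX_FAILS:
            continue  # locked out: this guess is never checked
        fails[k] += 1
        allowed += 1
    return allowed


def per_range(ip, user):
    """Login Lockdown style: count per address range (assumed here to be a /24)."""
    return ip.rsplit(".", 1)[0]


def per_account(ip, user):
    """User Locker style: count per target account, whatever the source."""
    return user


def botnet(n_hosts, tries_each, user="admin"):
    """Constructed sample: n_hosts (max 256) machines, each in its own /24,
    each making tries_each failed guesses against one account."""
    return [(f"10.0.{h}.1", user)
            for _ in range(tries_each) for h in range(n_hosts)]


if __name__ == "__main__":
    events = botnet(n_hosts=50, tries_each=10)
    print("failed attempts sent:       ", len(events))
    print("checked with range lockout: ", guesses_allowed(events, per_range))
    print("checked with account lockout:", guesses_allowed(events, per_account))
```

With range-keyed counting the number of guesses that get through grows with the size of the attacking network; with account-keyed counting it stays at the threshold, at the cost of the real owner being locked out as well.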

The plugin solution is going to be the smoothest for people using the admin panel because it should never really affect them unless their account is attacked. The next solution is the best in terms of security but will possibly be a pain (depending on your situation) to administer.

The most effective way to stop someone from getting to your administration is to limit access to the page by IP address. To accomplish this the first thing you need to know is your own IP address. If you don’t know how to figure it out, just go to –

http://www.whatismyip.com/

And it will tell you. After you have that you need to create a new file in your wp-admin directory named “.htaccess” (you have to have the period before it) and in that file put in –

order deny,allow
deny from all
allow from ###.###.###.###

where the #’s are replaced with your IP address. Ask a friend to go to your wp-admin and make sure they get denied (they must not be on the same internet connection as you, or they will most likely have the same IP address). Now only someone on your internet connection can ever see the page. This will stop all attacks on the admin side, as attackers no longer even have the chance to try a password. It will also shield against other possible vulnerabilities in the admin files that might later be discovered (there have been some in the past). If you want to allow another IP address, all you have to do is add another “allow from” line with the other IP address.
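A way to check the file before uploading it, so a typo or an unreplaced placeholder does not lock you out (added example, not from the original post): a small evaluator for the three directives above. The function names are hypothetical, 203.0.113.25 is a constructed stand-in address, and only `all`, single addresses and CIDR ranges are handled.

```python
import ipaddress

# Constructed sample: the page's three lines, 203.0.113.25 standing in for your IP.
SAMPLE = """\
order deny,allow
deny from all
allow from 203.0.113.25
"""


def parse_rules(text):
    """Return (order, deny, allow) from Apache 2.2-style access lines.
    Handles 'all', single addresses and CIDR ranges; hostnames and partial
    addresses raise ValueError instead of being guessed at.
    """
    order, deny, allow = None, [], []
    for raw in text.splitlines():
        words = raw.lower().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "order" and len(words) == 2:
            order = words[1]
        elif words[0] in ("deny", "allow") and words[1:2] == ["from"] and words[2:]:
            target = deny if words[0] == "deny" else allow
            for spec in words[2:]:
                target.append("all" if spec == "all"
                              else ipaddress.ip_network(spec, strict=False))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return order, deny, allow


def matches(specs, ip):
    return any(s == "all" or ip in s for s in specs)


def is_allowed(text, client_ip):
    """Model 'order deny,allow': a Deny match blocks the client unless an
    Allow line also matches; a client matching neither gets through."""
    order, deny, allow = parse_rules(text)
    if order != "deny,allow":
        raise ValueError("only 'order deny,allow' is modelled here")
    ip = ipaddress.ip_address(client_ip)
    return matches(allow, ip) or not matches(deny, ip)


if __name__ == "__main__":
    for who in ("203.0.113.25", "198.51.100.7"):  # you, then the "friend"
        print(who, "allowed" if is_allowed(SAMPLE, who) else "denied")
```

On Apache 2.4 these directives come from mod_access_compat; the native form of the same rule is `Require ip` followed by the address.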

The problem with this system is that now only 1 IP address can get in. As well if you are on a connection like I am, the IP address changes. So every time this happens I have to update that file with the new IP address. As well if you like to go to the local internet cafe and such to write in your blog you will have to update that as well every time it changes. There are ways to do things to make this easier but I’ll save that for another post because it will involve a lot more technical stuff.

I hope this helped some people out there better understand this recent attack news and I hope everyone can take advantage of making their blogs more secure. Also feel free to comment with any questions or corrections you may have.

***UPDATE***

Just put up a new post about doing a similar thing when using a service like Cloudflare, which this blog does.


4 Responses to “The latest brute force attack on WordPress”

  1. […] The Latest Brute Force Attack on WordPress […]

  2. Fernando Hal says:

    Thanks for the information. I’m looking for a similar solution, but it seems the best way to handle this is by presenting a captcha after a certain number of fails, like how Yahoo or Google handle it. Do you know of any solution like this?

  3. I personally don’t know of any solution that adds a CAPTCHA, but I like the htaccess solution as it works well for me, since I can easily change this info on the rare occasion that I am someplace different or my IP changed. I can’t stand CAPTCHAs, so for me I wouldn’t ever consider that the best solution. :)

  4. Thanks a lot for such a valuable article… I prefer to block login after 5 attempts of failing login for a or half… working still good…
