Brute-force attacks on wp-login.php are the latest menace for WordPress websites: repeated login attempts that, once a password is guessed, let the attacker inject malware, turn the host into a bot and essentially compromise the entire site and server.
The first major wave came in April, when attackers reportedly used around 90,000 servers to break into site admin panels by trying the account name ‘admin’ with a small set of weak passwords.
Sites compromised in such an attack are left with a backdoor that stays open even after the password is changed; the owners remain unaware that their servers have been recruited into the botnet and are now running password-guessing attacks against other WordPress domains.
Matthew Prince, CEO of Cloudflare, said that the tactics used in this attack campaign were similar to the ones used to create the Brobot botnet, a tool used to launch web attacks on some of the major financial institutions in the U.S. last year.
The irony is that hosting companies shrug off their own lack of security measures and put the blame on the users: you had a weak password, and that is why your security was compromised.
That attitude alone makes it clear that we shouldn’t rely on hosting companies to protect our WordPress sites and blogs… period.
The most they are going to do is sell a remote backup service for an additional monthly fee.
So rather than being caught in a dilemma and leaving your site vulnerable to future attacks, you can take these security measures:
1. Create a master password (and use a password manager)
Beyond running security software on your own computer, you can improve your everyday browsing safety by keeping every site credential in a password manager locked with a single strong master password. You can keep such a store manually or with dedicated software, but software is the better option: it generates a long, unique password for each site, so the ‘admin’ plus dictionary-word combinations the April campaign guessed never exist in the first place, and some managers add extras such as keeping WordPress backup files in an encrypted cloud vault.
Users of WordPress.com can also switch on two-factor authentication, and self-hosted sites can add it with a plugin. A guessed password alone then no longer gets an attacker through wp-login.php, which takes most of the sting out of a password-guessing campaign.
2. Require a cookie on the POST request
A real user loads the login page with a GET request and only then submits the form with a POST, so the server can set a cookie on that first GET and refuse any POST to wp-login.php that does not carry it. The bots in these campaigns typically POST the username and password straight at wp-login.php without ever loading the page, so they arrive without the cookie and are turned away before WordPress even checks the password.
Two caveats: the cookie must be set on the GET (not the POST), and the GET must not be served from a page cache that drops the Set-Cookie header, or real users will be blocked as well.
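Here is what that gate looks like as a WordPress must-use plugin. It is an added example written for this article, not code from the article or from any plugin named on this page; the cookie name, the lcg_ prefix, the HMAC over the date and the daily rotation are this example's own choices.

```php
<?php
/*
 * Plugin Name: Login Cookie Gate (added example)
 *
 * Added example for this article, not code from the article or from any plugin
 * it names. Save as wp-content/mu-plugins/login-cookie-gate.php so it loads on
 * every request before wp-login.php processes the submitted form.
 *
 * A real browser GETs wp-login.php (the cookie is set here), then POSTs the form
 * with that cookie. A bot that POSTs credentials straight at wp-login.php never
 * made the GET, has no cookie, and is refused before the password is checked.
 *
 * Assumed names: the cookie name and the lcg_ prefix are this example's own.
 */

define( 'LCG_COOKIE', 'wp_login_gate' );

/* Token for one UTC day, keyed with the site's AUTH_KEY from wp-config.php so it
 * cannot be precomputed for another install. Daily rotation limits how long a
 * copied cookie stays useful. */
function lcg_token_for_day( $day ) {
    return hash_hmac( 'sha256', 'login-gate:' . $day, AUTH_KEY );
}

/* Accept today's or yesterday's token so a form loaded just before midnight
 * still submits. hash_equals() avoids a timing side channel on the compare. */
function lcg_cookie_is_valid( $value ) {
    if ( ! is_string( $value ) || '' === $value ) {
        return false;
    }
    $today     = lcg_token_for_day( gmdate( 'Y-m-d' ) );
    $yesterday = lcg_token_for_day( gmdate( 'Y-m-d', time() - DAY_IN_SECONDS ) );
    return hash_equals( $today, $value ) || hash_equals( $yesterday, $value );
}

function lcg_gate_login() {
    // $pagenow is filled in by WordPress before any plugin loads.
    if ( empty( $GLOBALS['pagenow'] ) || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        return;
    }
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';

    if ( 'GET' === $method ) {
        // Session cookie for the whole site, HttpOnly, Secure when served over TLS.
        setcookie( LCG_COOKIE, lcg_token_for_day( gmdate( 'Y-m-d' ) ), 0, '/', '', is_ssl(), true );
        return;
    }

    if ( 'POST' === $method ) {
        $sent = isset( $_COOKIE[ LCG_COOKIE ] ) ? $_COOKIE[ LCG_COOKIE ] : '';
        if ( ! lcg_cookie_is_valid( $sent ) ) {
            // Refused before wp_signon() ever runs, so no password hash is computed.
            status_header( 403 );
            nocache_headers();
            exit( 'Load the login page before submitting it.' );
        }
    }
}
// 'init' fires from wp-settings.php, before wp-login.php reads the submitted form.
add_action( 'init', 'lcg_gate_login' );
```

The gate covers every POST to wp-login.php (login, lost-password and registration forms all live on that page and are loaded with a GET first). It does not cover other authentication paths such as xmlrpc.php, which need their own protection, and if a caching layer serves wp-login.php GETs from cache, exclude that URL from the cache or the cookie is never set.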
3. Update existing plugins and install security plugins
By sticking with outdated plugins, you’re placing a welcome mat out for the hackers. To limit the chances of unauthorized access, update every plugin currently in use and delete the ones that are deactivated: a disabled plugin’s files are still on disk and still reachable over the web. Then install a few plugins dedicated to security, including:
Rename wp-login.php
Once set up and activated, this plugin moves the login page to a URL of your choosing, so the random attempts aimed at /wp-login.php hit nothing. It only moves the form, though; other paths that accept a password, such as xmlrpc.php, still need their own protection.
Botnet Attack Blocker
This plugin comes in handy if you would rather not rename wp-login.php. It watches for unusual numbers of login attempts from the same IP address and blocks further attempts from it. Bear in mind that the April campaign came from around 90,000 addresses, so a per-IP limit slows a botnet down rather than stopping it; combine it with strong passwords and one of the measures above.
CAPTCHA
The simplest of the lot: a CAPTCHA on the login form needs no configuration and makes automated password-guessing far more expensive for the attacker.
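To show what the Botnet Attack Blocker style of per-IP blocking amounts to in code, here is a failed-login throttle as a WordPress must-use plugin. It is an added example written for this article, not the code of Botnet Attack Blocker or any other plugin named above; the limit of 5 failures, the 15-minute window and the flt_ prefix are assumptions of this example.

```php
<?php
/*
 * Plugin Name: Failed-Login Throttle (added example)
 *
 * Added example for this article; not the code of Botnet Attack Blocker or any
 * other plugin named on the page. Save as wp-content/mu-plugins/failed-login-throttle.php.
 *
 * Counts failed logins per client IP in a transient and, once the count reaches
 * the limit, rejects every further login from that IP until the window expires.
 * The limit, the window and the flt_ prefix are this example's assumptions.
 */

define( 'FLT_MAX_FAILURES', 5 );
define( 'FLT_WINDOW', 15 * MINUTE_IN_SECONDS );

/* REMOTE_ADDR is the only address the web server itself vouches for. Behind a
 * reverse proxy or CDN, read that proxy's own trusted header instead; trusting
 * X-Forwarded-For from everyone lets a bot present a fresh IP on every attempt
 * or lock out a legitimate admin's address on purpose. */
function flt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function flt_key( $ip ) {
    return 'flt_' . md5( $ip );   // transient names must be short; hashing keeps IPv6 in bounds
}

/* Runs after every failed password check (wp_login_failed). Stops counting once
 * locked so retries during the lock-out do not keep extending it. */
function flt_record_failure( $username ) {
    $key   = flt_key( flt_client_ip() );
    $count = (int) get_transient( $key );
    if ( $count < FLT_MAX_FAILURES ) {
        set_transient( $key, $count + 1, FLT_WINDOW );
    }
}
add_action( 'wp_login_failed', 'flt_record_failure' );

/* Runs on the 'authenticate' filter AFTER WordPress's own username/password
 * check (priority 20). A WP_Error returned earlier would be ignored, because
 * wp_authenticate_username_password() still verifies the password whenever
 * it is handed anything that is not a WP_User. */
function flt_check_lockout( $user, $username, $password ) {
    $count = (int) get_transient( flt_key( flt_client_ip() ) );
    if ( $count >= FLT_MAX_FAILURES ) {
        // Overrides even a correct password while the address is locked out.
        return new WP_Error( 'flt_locked',
            'Too many failed logins from your address; try again in a few minutes.' );
    }
    return $user;
}
add_filter( 'authenticate', 'flt_check_lockout', 40, 3 );

/* A successful login clears the counter for that address. */
function flt_clear_on_success( $user_login, $user ) {
    delete_transient( flt_key( flt_client_ip() ) );
}
add_action( 'wp_login', 'flt_clear_on_success', 10, 2 );
```

Transients live in the options table, or in the object cache when one is configured, so the counter is shared across all PHP workers. The arithmetic of the April campaign still applies: 90,000 addresses at 5 tries each is 450,000 guesses before any lock-out bites, which is why this throttle belongs alongside the cookie gate and strong, unique passwords rather than in place of them.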
Did you take security measures against brute force attacks? Feel free to leave comments.