According to security firm Sucuri, brute force attacks targeting WordPress have recently seen a sharp increase – and they show no signs of slowing. In the second week of September, they ballooned to 35 million attacks per day – up from 5 million at the beginning of the year.
For the uninitiated, a brute force attack is the computing equivalent of trying to force a lock. Using a script, an attacker repeatedly throws strings of characters at a user’s password in an attempt to crack it. According to Search Engine Journal, these automated tools can generate passwords at a rate of thousands of times per minute.
Such attacks are far from a recent phenomenon. As a matter of fact, they’re nearly as old as the Internet itself – though the tools used to execute them have undergone significant improvements in recent years. That may be part of the reason they have only become truly prevalent in the last 15 years or so.
It’s rare that brute force attacks are targeted at any specific website – hackers more often than not use them as a sort of ‘shotgun’ approach, targeting swathes of websites in the hope that they’ll eventually come across one that yields its login information to them. The worst part is, it often works.
There are scores of WordPress blogs out there that still use the default username for their admin account, and a weak password besides.
The good news here is that it’s actually fairly easy to protect yourself from a brute force attack. Just take the following steps when configuring your WordPress site:
Use Strong Passwords: According to data collected back in 2011, 40% of all the web’s passwords appear on the top 100 most common passwords list. 71% appear in the top 500. That means that a hacker could feasibly configure a brute force utility to spam WordPress sites with those passwords, and eventually break in. It also means your own password cannot be one of these – it needs to be a long string of words, preferably with a few characters mixed in here and there.
Don’t Use The Default Username: Again, if your administrator account is named ‘admin,’ then you’re just asking for trouble.
Use A Brute Force Detection Plugin: There are plenty of security suites for WordPress that include brute force detection as part of their standard repertoire. Download and install one. That way, even if you get targeted by a brute force attack, it should get shut down before your website gets cracked.
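The detection plugins described above work by noticing the same pattern a log analyst would: many failed login attempts from one address in a short time. The following is an added example (not code from the article, and not from any WordPress plugin) that flags that pattern in web-server access logs. It assumes combined log format, and it assumes that a POST to /wp-login.php answered with 200 is a failed attempt (WordPress re-renders the form) while a 302 is a successful login that redirected to wp-admin; the threshold and window are illustrative, and the log lines are constructed.

```python
"""Flag brute-force login activity against wp-login.php in access logs.

Added example, not from the original article. Assumptions (not stated in
the article): lines are in combined log format; a 200 to a POST means a
failed login, a 302 means success. Threshold/window values are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): 198.51.100.23 hammers the login
# form, 203.0.113.5 logs in once successfully, 192.0.2.77 fails occasionally.
SAMPLE_LOG = """\
192.0.2.77 - - [10/Sep/2017:14:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2017:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.18"
198.51.100.23 - - [10/Sep/2017:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.18"
203.0.113.5 - - [10/Sep/2017:14:02:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2017:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.18"
203.0.113.5 - - [10/Sep/2017:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2017:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.18"
198.51.100.23 - - [10/Sep/2017:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.18"
198.51.100.23 - - [10/Sep/2017:14:02:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.18"
192.0.2.77 - - [10/Sep/2017:14:04:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Sep/2017:14:09:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Return {ip: timestamp} for each IP whose failed wp-login.php POSTs reach
    `threshold` within a sliding window of `window_seconds`. The timestamp is
    the attempt at which the IP first crossed the threshold."""
    attempts = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] != 200:  # assumption: 302 means the login succeeded
            continue
        q = attempts[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that fell out of the window.
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} crossed the failed-login threshold at {when.isoformat()}")
```

Only the scripted client crosses five failures in a minute; the legitimate user who logged in with a 302 and the user who mistyped a password three times over nine minutes are not flagged, which is the balance a lockout plugin has to strike. A production tool would also track attempts by username, since a distributed attack spreads the requests across many source addresses.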
There you have it. That’s pretty much all you need to do in order to protect yourself. It may sound easy, but you’d be surprised how many webmasters don’t take these steps; it simply slips their mind.