Recent increases in brute force attacks on WordPress websites

WordPress is the most popular content management system on the internet powering around 27% of the entire web and it’s clear to see why; it’s easy to use for content publishers and site owners and it’s great to build on for developers. It’s open-source, thoroughly documented and has vibrant user and developer communities. It’s been our CMS of choice for the last few years and looks set to remain that way in 2017.

However, with popularity comes exposure. Like an A-list celebrity, the wider world loves to see an icon fall so it’s no surprise that WordPress has become a prime target for hackers, spammers and other ne’er do wells in the same way that Windows has over the last few years. The more installed users a platform has, the more damage a baddie can do.

Although our Aquarius framework for WordPress means that our sites are less reliant on (potentially vulnerable) third-party code than many other WordPress-based websites, we still take significant precautions against attacks and monitor every facet of our sites constantly. As such we recently noticed that the prevalence of brute force attacks from bots on our WordPress-based sites was significantly increasing.

What’s a bot?

A bot (also known as a web robot or spider) is an automated software application that crawls across the internet by following hyperlinks. Like any episode of The Transformers, there are good bots and bad bots. Good bots come from the likes of Google who use them to keep their search indices up-to-date and relevant. Our server monitors also use good bots to check that a website is up and running correctly, alerting us the minute an issue comes to light. Then there are the bad bots, the Decepticons of the internet. Their objective is to bring websites and servers down and to steal data. Most often, these bad bots operate through brute force attacks.

What is a brute force attack?

In a brute force attack a bot or bots repeatedly visit your website and attempt to carry out some malicious activity. This usually takes the form of spamming email accounts using your website’s mail server, skewing your analytics with referral spam, trying to login to your CMS by guessing usernames and passwords, injecting code into your site’s database by submitting an enquiry form or just hammering the server with file requests which eat up bandwidth and other server resources until it crashes.

The concerning thing about the recent spate of brute force attacks is that they could very well be state-sponsored. We don’t want to get political but you can read more about the source of the attack on this blog post entitled Huge Increase in Brute Force Attacks in December and What to Do by leading WordPress security experts Wordfence.

Suffice to say, we are monitoring the situation carefully and working in partnership with our hosting providers and security experts around the world to keep our sites as safe and secure as possible.

Securing your WordPress website against brute force attacks

In the meantime, here are some tips for keeping your WordPress website secured against brute force attacks:

• Install a good Security plugin such as Wordfence or Sucuri Scanner and regularly check and respond to its activity logs
• Keep administrator level accounts to an absolute minimum
• Never use ‘admin’ as an administrator-level account username
• Change your administrator level passwords frequently
• Keep WordPress core and plugins up to date
• Only use plugins from trusted developers that are receiving regular updates
• Keep filesizes (primarily video, images and downloads like PDFs) as small as possible – some bots are clever enough to look for the largest files on a website and constantly request them to make the demise of the server quicker
• Host large files on an external server EG YouTube / Vimeo for video or Google Drive / Dropbox for PDF’s

A final thought

Bots are getting cleverer. As advances continue to be made in technology, specifically in the area of artificial intelligence, the abilities of the bots increases. Recently we’ve seen bad bots that actually carry out DNS lookups on your domain name and then use the names listed within the registry (owner, technical contact etc.) as possible CMS usernames. It’s getting increasingly difficult to stay ahead of the bad bots.

It’s worth thinking about the effects that a successful brute force attack on your website would have on your business. Most of us would admit that our site being down for a period of time would be embarrassing and financially costly but a data breach and the subsequent effects to our brand and reputation is simply not acceptable.

To discuss website security or how you can protect your WordPress site against brute force and other forms of attack call Matt Johnson on 01284 830888.