WordPress Brute Force Attacks

You may have read about recent attacks on WordPress sites in the national press. Many sites (including ours) have seen a dramatic increase in brute force attacks. A brute force attack is essentially a type of attack where the attackers try to guess your username and password.

This isn’t often done by hand, but by a computer that can try lots of combinations very quickly to force its way in.

Intared sites are well protected from brute force attacks

We’re well prepared for these types of attacks, and our infrastructure is well positioned for situations like this. If all of the above is breached, we have some front-end security measures in place too: sites automatically lock down if a password is entered incorrectly a certain number of times, so it’s very hard to force your way in without knowing the password beforehand. In addition to our infrastructure helping to protect against attack, we introduced some user level protection.

We protect your password using encryption techniques that make it very hard to see what it is: even looking at the values stored in the databases, you’ll see a set of letters and numbers that are practically impossible to decipher.

Going further, these particular attacks are coming from a number of ‘bad’ IP addresses, all of which are automatically locked out of our system, so even if they did ‘know’ your password, they still couldn’t access the site.
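To make the two mechanisms described above concrete (locking an account after a number of wrong passwords, and locking out an IP address that keeps attacking so that even a correct password from it is refused), here is an added illustration. It is example code written for this post, not Intared’s own login code; the thresholds, the log format and the login records it replays are all assumptions constructed for the example.

```python
"""Added illustration of failed-login lockout (example code, not Intared's).

Counts failed logins per account and per source IP, locks an account after a
few failures, blocks an IP that keeps failing, and refuses a later attempt
from a locked account or blocked IP even when the password is correct.
"""
from collections import defaultdict

# Thresholds are assumptions for this example, not any real site's settings.
MAX_FAILS_PER_ACCOUNT = 5
MAX_FAILS_PER_IP = 10

# Constructed sample login records (not from any real server), one per line:
# "<timestamp> <source_ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2013-04-12T10:00:01 198.51.100.7 admin FAIL
2013-04-12T10:00:02 198.51.100.7 admin FAIL
2013-04-12T10:00:03 198.51.100.7 admin FAIL
2013-04-12T10:00:04 198.51.100.7 admin FAIL
2013-04-12T10:00:05 198.51.100.7 admin FAIL
2013-04-12T10:00:06 198.51.100.7 admin FAIL
2013-04-12T10:00:07 203.0.113.5 editor OK
2013-04-12T10:00:08 198.51.100.7 editor FAIL
2013-04-12T10:00:09 198.51.100.7 editor FAIL
2013-04-12T10:00:10 198.51.100.7 editor FAIL
2013-04-12T10:00:11 198.51.100.7 editor FAIL
2013-04-12T10:00:12 198.51.100.7 guest FAIL
2013-04-12T10:00:13 198.51.100.7 editor OK
2013-04-12T10:00:14 203.0.113.5 editor OK
"""


class LoginGuard:
    """Tracks failed attempts and decides whether a login attempt is allowed."""

    def __init__(self):
        self.fails_by_user = defaultdict(int)
        self.fails_by_ip = defaultdict(int)
        self.locked_users = set()
        self.blocked_ips = set()

    def attempt(self, ip: str, user: str, password_ok: bool) -> str:
        """Returns one of: blocked_ip, locked_account, ok, fail."""
        # Lockouts are checked before the password result: a locked account or
        # a blocked IP is refused even when the credentials are right.
        if ip in self.blocked_ips:
            return "blocked_ip"
        if user in self.locked_users:
            return "locked_account"
        if password_ok:
            self.fails_by_user[user] = 0  # a good login clears the account tally
            return "ok"
        self.fails_by_user[user] += 1
        self.fails_by_ip[ip] += 1
        if self.fails_by_user[user] >= MAX_FAILS_PER_ACCOUNT:
            self.locked_users.add(user)
        if self.fails_by_ip[ip] >= MAX_FAILS_PER_IP:
            self.blocked_ips.add(ip)
        return "fail"


def replay(log: str) -> dict:
    """Feeds each login record through a fresh LoginGuard and reports results."""
    guard = LoginGuard()
    outcomes = []
    for line in log.splitlines():
        _timestamp, ip, user, result = line.split()
        outcomes.append(guard.attempt(ip, user, result == "OK"))
    return {
        "outcomes": outcomes,
        "locked_users": sorted(guard.locked_users),
        "blocked_ips": sorted(guard.blocked_ips),
    }


if __name__ == "__main__":
    for key, value in replay(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Replaying the sample records, the ‘admin’ account is locked after its fifth wrong password and the sixth attempt is refused without being checked; the attacking IP is blocked once it has racked up ten failures across several accounts, so its later attempt with the correct ‘editor’ password is still refused, while the genuine ‘editor’ login from a different address succeeds. A production implementation would also expire lockouts after a time window rather than keeping them forever, which keeps a legitimate user who mistypes a few times from being shut out for good.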

All in all, our sites continue to be well protected and we keep a vigilant eye on behaviour and attack patterns. We’ll send a notification if anything changes, but at present our measures are responding exactly as they should in the face of these attacks.

As you would expect, this type of attack depends on weaknesses in the site’s hosting environment (i.e. not proactively blocking the attackers) and in your username and password.

Most of the attacks attempt to gain access using the ‘admin’ username, which is the default on WordPress installs. We never have a user account with the ‘admin’ username for exactly this reason. If you run your own WordPress powered site and your username is ‘admin’, we would urge you to change it as soon as possible; that will at least mitigate some of your risk.

Strong Passwords

Passwords need to be strong. Our system enforces strong passwords so they are not easy for bots like this to guess, and with a lockout after a few failed attempts it is unreasonable to expect anything to ‘guess’ one. That said, people tend to use the same password across a number of sites, and it only takes one of those to be breached for the attackers to have your password for every site you have a profile on. This is the most common way accounts on Facebook, Google and other major sites get hacked.

It is therefore important to make sure your password is unique, and strong.

We are currently reviewing the introduction of two factor authentication on sites (whereby a confirmation is required to log in, using your mobile phone for example) and will update on this in due course.