If you are a blogger or a webmaster, you might be aware of an ongoing attack on WordPress websites around the world. The unidentified attackers are reportedly using infected home computers to launch a brute force attack and break into the websites’ administrator accounts.

Stop Brute Force attack on WordPress

A brute force attack is typically an exhaustive trial-and-error method in which a computer program tries to get past a security barrier by guessing the right password.

Using the combined Internet connection of several daily-use computers, a Botnet is targeting WordPress and Joomla based websites across the globe. According to HostGator, a popular web hosting service, a Botnet is currently distributed over 90,000 IP addresses involving over 100,000 bots. Any minute now, the next attack could be on your website. Can you survive it?

The CEO of CloudFlare, Matthew Prince mentioned the following in the company’s blog:

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack.”

A brute force attack on a website can often be handled quite simply: block the IP addresses the attack is coming from. But that solution isn’t applicable here. The Botnet is using the internet connections of typical home users worldwide, and the network involves more than 90,000 IP addresses. How many IPs can you afford to block?

Unlike the minor attacks that occur every now and then, this attack seems to be more organized and on a large scale. Some sources have also suggested that these unknown attackers may be in the process of targeting powerful web servers to take control of websites entirely. As we brace ourselves for a larger and more powerful attack, it’s time to explore our options for preventing such an attack from affecting our websites.

 
A common misconception

A few people would suggest that you ditch WordPress and switch to another CMS. A few others would say it’s not secure enough. This is a pure myth; in reality, any CMS-based website can face an attack. WordPress is customizable, user-friendly and easy to use. That’s why this CMS is particularly popular. In this case, WordPress is a potential target simply because many people use it.

Note: The security tips provided below are mainly centered on WordPress, but they are also applicable for other platforms.

 
Change the default user “Admin”

The Botnet attack is reported to use the username “admin” to apply brute force on the password to gain access to the sites’ administrator account. Most WordPress users still use the default user “admin” to manage their website. Prior to WordPress version 3.0, changing the default username wasn’t even an option.

Choose a unique username for the administrator account, and assign a strong password to it. If you are already using the admin username, you should switch to a different administrator account. To do this, log in as the existing admin user and create a new user with administrator privileges and a strong username-password combination. Next, log in to your new administrator account and delete the older account, assigning all of the admin user’s posts to the new account. Alternatively, you may demote the old admin account to a subscriber. You may also change the username of admin directly with the help of a suitable plugin.

 
A strong password

Brute force attacks use a combination of random characters to try and crack your password. But the passwords are generated based on some basic patterns. If you want to prevent an attack, make your passwords strong. A typical password should be at least 6-8 characters long, with a well-formed combination of alphanumeric and special characters. It should not contain common dictionary words or the names of people, places, animals or things. If you want a really strong combination of characters, consider using a password generator and keep the password somewhere safe.

 
Remembering strong passwords

Creating a password may be easy; the harder part is remembering it. If it’s really irrelevant to you, it might be difficult to remember. You can use your creativity to develop your own algorithm for deducing the password in case you forget it. If remembering a password is still a problem for you, try using a password manager or, better still, store it safely in an email draft and make sure you don’t delete it.

 
Saving Server Resources

Modifying your default administrator account username and password would protect your website from the brute force attack, but your site is still vulnerable. Continuous hits from the Botnet may leave your hosting server unresponsive. These continuous hits will keep the server busy processing requests. To protect your website from suffering continuous hits, the following methods may be useful:

Limit Login Attempts: A particular IP address can be temporarily barred from accessing your website after a limited number of login attempts. Limit Login Attempts is a WordPress plugin that adds this functionality to your website.

Lockdown WP Admin: To make your WordPress administrator account more secure, you may want to hide the login page from attackers. Lockdown WP Admin is a plugin that conceals the WordPress login pages (wp-login.php and wp-admin) from intruders and denies direct access to these pages unless the user is already logged in. The plugin also allows you to add HTTP authentication using a custom username-password combination.

IP based Login: If your internet connection uses a static IP address, you can configure your hosting server to accept login requests only from your IP address. You may whitelist a group of IP addresses if you frequently log in from multiple connections.

Use Third Party Security Services: Register your website with online security services such as CloudFlare. CloudFlare has rolled out a new service for all its users that detects a brute force attack and protects websites against it. So, if you are a registered CloudFlare user, your website is protected from such attacks.

 
Monitoring website activity

Additionally, you may want to track your website traffic for any suspicious activity. You can monitor resources to find out whether an attack has been attempted on your website. ThreeWP Activity Monitor is a WordPress plugin that tracks various website activities, including the number of login attempts, password reset requests, changed passwords, changes in user credentials, and a lot more.

Moreover, you can use a security plugin to protect your website from unwanted attacks. Wordfence Security is one such WordPress plugin that scans your website for malicious activity. It includes a firewall, an antivirus and a live traffic scanner.
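The idea behind the login-limiting and monitoring advice above, as an added example (not code from any of the plugins named here): it counts POST requests to wp-login.php in an access log, flags the IPs a per-IP lockout would catch, and separately flags a distributed attack in which many addresses each send only a few attempts. The log lines, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')  # combined log format
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def login_attempts(lines):
    """Yield (timestamp, ip) for every POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).split("?")[0] == "/wp-login.php":
            yield datetime.strptime(m.group(2), TS_FMT), m.group(1)

def analyze(lines, per_ip_limit=5, global_limit=20, min_sources=10,
            window=timedelta(minutes=5)):
    per_ip = defaultdict(deque)   # ip -> timestamps still inside the window
    recent = deque()              # (timestamp, ip) from all sources inside the window
    locked, peak, peak_sources = set(), 0, 0
    for ts, ip in sorted(login_attempts(lines)):
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_limit:
            locked.add(ip)        # what a per-IP lockout would catch
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) > peak:    # remember the busiest window and its source count
            peak, peak_sources = len(recent), len({i for _, i in recent})
    distributed = peak >= global_limit and peak_sources >= min_sources
    return {"locked_ips": locked, "peak_attempts": peak,
            "peak_sources": peak_sources, "distributed": distributed}

def make_sample():
    """Constructed log: 1 noisy IP, 30 single-attempt bot IPs, 2 unrelated requests."""
    t0 = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, sec, method="POST", path="/wp-login.php"):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 3021 "-" "Mozilla/5.0"'
    rows = [line("203.0.113.9", s) for s in range(8)]
    rows += [line(f"198.51.100.{n}", 60 + 2 * n) for n in range(1, 31)]
    rows += [line("192.0.2.5", 5, "GET"), line("192.0.2.5", 6, path="/wp-comments-post.php")]
    return rows

if __name__ == "__main__":
    print(analyze(make_sample()))
```

On the constructed sample only one address crosses the per-IP limit, while the thirty single-attempt addresses show up only in the aggregate count, which is why per-IP blocking alone does not stop a botnet spread over many addresses.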

 
Recovering from an attack

If you have already been a victim of a brute force attack, the only hope of recovering some data is a previously made backup (assuming that your website data has been corrupted in the attack). You may log in to your server, change all your login credentials, wipe out your existing site contents entirely and set up a fresh installation. After installation, you may restore data from the backup you created earlier.

However, in case you aren’t lucky enough to have a backup of your site contents, the only thing you can do is ask for support from your hosting provider. They will certainly do their best to help you out of the situation.

Hackers have become a lot smarter these days. They design sophisticated algorithms to launch successful attacks on targeted websites around the world. With the advent of these hackers, webmasters have to become more careful. Implementing the right security measures can prevent your website from becoming prey.