
Mitigating Brute Force WordPress Attacks

Posted 2 Dec 2009

An interesting entry showed up in the ISC Diary. A company found that one of its customers was running brute force attacks against other customers' WordPress installations. Brute force attacks are simple in nature: they do not look for flaws in the application to gain access, they just try username and password combinations over and over until one works. Brute force attacks against SSH and FTP services are common; how should one defend a WordPress blog against them?

The most basic defense is a strong username and password combination. Do not keep the default "admin" username for your blog. Create a new user with the Administrator role, log in as that user, and delete the default admin account; when WordPress asks what to do with the deleted user's content, attribute the existing published posts to the new account so they are not lost. If possible, make the login name different from the display name: the display name is what appears publicly on posts, so it is the half of the pair an attacker can read straight off the site. Finally, make the combination harder still to guess by choosing a strong password.

A second line of defense is to throttle the number of login attempts an attacker gets. A WordPress plugin such as Login Lockdown or Limit Login Attempts can temporarily block an address after a set number of failed attempts. Throttling raises the cost of an attack rather than eliminating it, since an attacker with many source addresses can spread the attempts across them, but it turns a fast dictionary run into a slow one.

Removing the opportunity to attempt the brute force attack at all is a bit more involved. Apache RewriteRules can redirect requests for the login page (wp-login.php) and the administrative dashboard (/wp-admin) to an HTTPS virtual host. Since the HTTPS site runs on a different port (443 rather than 80), access to the administrative pages can be restricted there, by source IP address or by throttling, without affecting the regular site served over HTTP.
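The Apache configuration sketched above, written out as an added example (this is not from the original post or from the WordPress project): the port 80 virtual host redirects only the login and dashboard paths to HTTPS, and the port 443 virtual host limits those paths to known source addresses. The hostname blog.example.com, the document root, the certificate paths and the address ranges 203.0.113.0/24 and 198.51.100.7 are placeholders to replace with your own; the syntax is Apache 2.4.

```apache
# Added example, not part of the original post. Forces the WordPress login page and
# dashboard onto HTTPS with mod_rewrite, then restricts the HTTPS copies by source
# address. Hostname, paths and address ranges below are placeholders (assumptions).

# Plain-HTTP virtual host: the public site stays here. Only requests for
# wp-login.php or anything under /wp-admin are bounced to the HTTPS site.
<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot /var/www/blog

    RewriteEngine On
    # Match the authentication and administration paths only, so readers keep
    # using the regular site over plain HTTP. The query string (for example
    # ?action=lostpassword) is carried across by the redirect automatically.
    RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin(/.*)?)$
    RewriteRule ^(.*)$ https://blog.example.com$1 [R=301,L]
</VirtualHost>

# HTTPS virtual host on port 443. Restrictions placed here cannot affect the
# public site on port 80, which is the point of splitting the two.
<VirtualHost *:443>
    ServerName blog.example.com
    DocumentRoot /var/www/blog

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/blog.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/blog.example.com.key

    # Source-address restriction: only the office range and one home address
    # may reach the login form. Everyone else receives 403, so a brute force
    # tool never gets as far as a password prompt.
    <Files "wp-login.php">
        Require ip 203.0.113.0/24 198.51.100.7
    </Files>

    <Directory "/var/www/blog/wp-admin">
        Require ip 203.0.113.0/24 198.51.100.7

        # admin-ajax.php is called from the public site by some themes and
        # plugins, including for visitors who are not logged in, so it is
        # exempted from the address check to avoid breaking the front end.
        <Files "admin-ajax.php">
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
```

Two notes on using this. First, a 301 redirect of a POST to wp-login.php turns it into a GET, so the login form must be served from the HTTPS site in the first place; setting FORCE_SSL_ADMIN to true in wp-config.php makes WordPress generate HTTPS links for the login and admin pages, and is the natural companion to the rewrite rules. Second, on Apache 2.2 the Require ip lines become the older three-line form (Order deny,allow / Deny from all / Allow from 203.0.113.0/24 198.51.100.7), and the admin-ajax.php exemption becomes Allow from all.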

Any website, especially a popular one, is going to be a target for attackers. A little planning in the implementation stages can help avoid a hacked WordPress account.
