From the Wordfence blog. Used with permission
What’s a brute force attack?
Fundamentally, a brute force attack is exactly what it sounds like: a means of breaking in to the back end of a website with relentless successive attempts. With a brute force attack on WordPress websites, a hacker attempting to compromise your website will attempt to break in to your site’s admin area by trial and error, using thousands of possible username/password combinations. This is usually accomplished with automated software specifically designed to generate and then try countless combinations one after the other, over and over, with the aim of finding a needle-in-a-haystack combination that will let them into your WordPress admin area. From there, they can wreak havoc on your site to their hearts’ desire.
How do hackers use brute force attacks against websites?
Brute force attacks are difficult, if not impossible, to carry out manually. Instead, hackers write simple scripts, called bots, that carry out thousands of these break-in attempts against websites on auto-pilot. Typically, these bots are custom-written by the attackers and designed to be easily distributed across many hacked machines. These groups of bots, or botnets, work in conjunction with other commonly accessible tools that either generate thousands of passwords or use a wordlist. The latter is often referred to as a dictionary attack, because of their reliance on “dictionaries” or long lists of words to try as a list of passwords and/or usernames on your website. These lists can be reused by many hackers over and over.
Writing this type of code is very simple entry-level programming, so it’s quite accessible to virtually anyone who may want to try their hand at malicious code-writing. The tasks the bot must carry out are very basic from a programming perspective: they must set up some parameters (e.g., access your site’s login form), perform a request (try a username/password combination) and check the response (whether it worked to sign in to your WordPress admin) – and then set up to repeat until it’s successful.
Brute force attacks on your site can continue indefinitely, until the bot either discovers a username/password combination that will let the attacker into the back end of your website, or the bot runs out of passwords to check.
What do hackers get out of it?
Once attackers have gained access to your website, they can use its files and the web host server to cause a wide variety of damage through malicious behavior, including:
- Defacement: your site can display unwanted and sometimes malicious content, your own content may be deleted, and your website can be taken down altogether;
- Malware distribution: your site’s pages may infect your visitors with malware, ransomware and viruses;
- Spamvertising: Your website may display spam content and/or links to spam websites;
- Redirection: Accessing your domain name may cause your visitors to be redirected to malicious websites, or to pages that contain affiliate links and make money for the hackers;
- Stealing system resources: by using your web server’s resources, attackers are carrying out tasks such as email campaigns and content delivery on your dime;
- Fun: It may be hard for some people to imagine, but some attackers, particularly younger ones, are simply bored and find the act of hacking into strangers’ websites entertaining, particularly in the case of brute force attacks, which are relatively simple to learn and carry out.
How do I best protect my site?
The first and best line of defense against brute force attacks is to have a very strong username and password combination. Don’t use “admin” or an easily guessable admin username such as the URL of your website or “webmaster.”
Delete any admin level accounts you don’t need. These remove accounts that could be compromised.
Because many brute force attacks work with a preset list of dictionary words as a password list, the crucial and primary goal is to have a password that isn’t easily guessable. Use a password generator to create long, strong and random passwords for your WordPress admin accounts, and then rotate those passwords regularly – for example, every 60-90 days.
Enabling two-factor authentication on all your admin accounts is an excellent way to prevent brute force attacks because even if an attacker guesses your password, they don’t possess your mobile device, so they can’t sign in. It is worth noting though that if you have XMLRPC enabled, attackers can use it to bypass your 2 factor authentication because the WordPress platform does not provide a way to support 2 factor via XMLRPC at present.