In my recent article here I showed you how to secure your WordPress installation. WordPress is a very popular blogging and content management software. It has grown a lot over the years, and the more popular it became, the more it became a target for sophisticated attacks from hackers and criminals. So, it is extremely important that webmasters like you and me keep their WordPress installations up to date and secure.
WordPress has been the target of many sophisticated attacks, but not too long ago some hackers went back to the basics (so to speak) and started running brute force attacks against the login pages of WordPress installations. These hackers took control of over 100,000 computers – most likely some sort of botnet – and they are using these computers and their Internet IP addresses to run automated attacks against other websites.
As an example, my own website (http://www.webhostingresourcekit.com) uses WordPress. I am not using it as blogging software, but more like a content management system, as you can see. When I noticed the increase in attacks against my website I took additional action. I had already secured WordPress through plugins and other measures, but I did not want to risk becoming the victim of a brute force attack. So, I added extra protection by forcing an additional layer of password protection onto my WordPress login and administration area. These 2 layers are independent from each other, and even if someone guessed the first-level user ID and password, it makes it much more difficult to start automated attacks. I am not saying it is impossible to hack my website, but it takes care of most automated attacks. Online security is like security in real life. You can protect your house with extra locks, motion detectors, a sophisticated security system, and a lot of other security measures, but if someone wants to break in they will still break in. However, the common thief will fail, and it will take a more sophisticated criminal to get past the extra layers of security. The ROI for such an endeavor has to be worth the additional effort, and most people will simply shy away and pick easier targets (aka somebody else’s house). The same strategy applies to your website (or mine for that matter).
The attackers mentioned above are running dictionary attacks against WordPress. They use the common knowledge that the default user ID for most installations is called “admin”, and they know that too many people are not using complex passwords, but passwords based on words found in common dictionaries. They combine the “admin” user account with easy-to-guess passwords and then run their attacks from over 100,000 hijacked computers, so that it is almost impossible to block these attacks based on where they come from.
So, when I wrote my tutorial on how you can secure your WordPress installation with just a few simple steps, I did look at my website statistics and posted a screenshot to show the number of attacks. After just 2 days my website had recorded over 4,500 attacks. A day later I took another look and the number had more than doubled. Over 10,000 dictionary-based attacks in roughly 3-4 days – that is quite a bit. For one, had I used an easy-to-guess password, my website would have been open to the attacker; but secondly, these attacks also add load to my web server. Load means that the website slows down and makes the visitor experience less pleasant. The load issue is secondary, but still important.
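To make the two points above concrete (the attempt counts you can pull from your own statistics, and why a distributed botnet defeats blocking by source address), here is an added example that is not part of the original post. It parses constructed Apache combined-format access log lines, counts POST requests to wp-login.php per source IP, and applies a per-IP threshold of the kind a blocking plugin might use; the 200-vs-302 status interpretation and the threshold value are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample access log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:01:06 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def login_attempts(lines):
    """Return (failed_per_ip, successful_ips) for POST requests to wp-login.php.
    Assumption: WordPress answers a failed login with 200 (form re-rendered)
    and a successful one with a 302 redirect to the dashboard."""
    failed = Counter()
    successes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] == "302":
            successes.append(m["ip"])
        else:
            failed[m["ip"]] += 1
    return failed, successes

def summarize(lines, per_ip_threshold=5):
    """Total failed attempts versus the IPs a per-source threshold would catch.
    A botnet spreading a dictionary over many addresses keeps each IP below
    the threshold, so the total is high while the block list stays empty."""
    failed, successes = login_attempts(lines)
    return {
        "total_failed": sum(failed.values()),
        "distinct_ips": len(failed),
        "ips_over_threshold": sorted(ip for ip, n in failed.items() if n >= per_ip_threshold),
        "successful_logins": successes,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against your own access log (one line per entry) to see how many distinct addresses your attempts are spread across; when the block list stays empty despite a large total, that is the case for an independent second layer in front of the login page rather than source-based blocking alone.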
Here is an article by Forbes magazine that describes the same situation I am talking about. They mention 90,000 IP addresses, while I have seen other reports mentioning over 100,000 IP addresses. At that level it does not matter. But when even the mainstream media starts writing about it, the issue should not be ignored. The Forbes article shows a few steps on how to secure your website, and it is a good start, but do not stop there. It pays off to go the extra mile when it comes to security.