Frequent brute force attacks, should I be worried?
-
I manage several small WordPress sites, none of which really get more than 200 impressions per day. I’m basically the only one who logs into them to do updates.
I installed WP Security on these sites to lock them down, and it keeps emailing me about all the brute force attacks they get on a daily basis. Now, I’m relatively inexperienced with WordPress, so is this just a normal thing? To get bots trying to login to random accounts, sometimes knowing some of the usernames in the system, every single day?
For example, one of my sites kept getting login attempts for “admin” and “test”, and even attempts at the CEO’s username. This was a daily occurrence, so I locked down the system even more and just turned off the email notifications.
Now I have a newer WordPress site where some bots tried brute forcing my account and it locked me out overnight. Again, is this a normal thing? Or should I do more to secure my sites? Any advice would be appreciated.
-
Hey there,
Brute force attacks are one of the most common and widespread attacking mechanisms used for gaining illegal access to websites online. Brute force attacks are usually carried out by large botnets or bot farms trying to login into your WordPress site as a regular user. ‘Admin’ is the very first word it usually uses to find your username. If that doesn’t work, it keeps trying out for the most commonly used usernames.
Once it gets the username right, it will start decoding your password using dictionary words and random strings based on a pre-set algorithm by the cracker/tester.
You needn’t worry much if you’ve set a strong username/password combination for your site. Moreover, to protect your site from brute force attacks, you can use a simple yet efficient plugin like Jetpack. Click here to learn more about Jetpack’s security features.
Hope that helps.
-
Thanks, I kind of figured that was the case. I added the Invisible reCaptcha plugin as well, so we’ll see how that handles things. Just wanted to hear that this was a common issue.
-
That’s great. Good steps you have taken to protect the sites from getting hammered by bots looking for vulnerabilities.
-
Welp, that didn’t work. Even with the reCaptcha, I’m still getting lockout notifications, though less. For anyone else interested, these are the steps I’ve taken:
- Installed and configured All in One WP Security & Firewall plugin
- Have that automatically lockout usernames like admin, test, (domainname.com), ((email visible only to moderators and staff))
- Installed Two Factor Authentication plugin and started using Google Authenticator for my account
- Installed Invisible reCaptcha plugin (conflicts with Two Factor plugin!),
but for whatever reason, that hasn’t seemed to stop the brute force attempts. - Installed the Disable Users plugin to disable all accounts that don’t need to be logging in.
So I’ll just run with that and see how it goes. Thanks!
-
Hey there,
I use Jetpack to block brute-force attacks on my site and iThemes Security to harden WordPress on all my WordPress-powered sites and found them to be working efficiently and doesn’t cause any conflicts.
By the way, this forum is for sites hosted on WordPress.com, not for the self-hosted version of WordPress (the one we are speaking about). More info on what’s different – https://en.support.wordpress.com/com-vs-org/
Just in case you need more help, you should be able to get it from WordPress.org support forums.
Hope that helps.
- The topic ‘Frequent brute force attacks, should I be worried?’ is closed to new replies.
WordPress.com Forums 