I’ve noticed a surge in malicious login attempts on WordPress sites this spring (2015), and so I thought today we’d take a look at what those are, how they negatively effect your site, and how to protect yourself.
If you’re running Jetpack by automattic, you’ll have a panel on your dashboard that shows the number of malicious login attempts, like the image below.
Brute force attacks
Those malicious login attempts on your WordPress site are typically what is known as “Brute Force Attacks.” They are fairly simple, either users or, more commonly, software has identified your site and is trying usernames and passwords to break in. WordPress is kind of a common target as their are just so many WordPress sites out there. Some hackers setup bots to scan the web for WordPress login pages, and then they attack all those pages using software that tries usernames and passwords.
Jetpack has had Brute Force Protection since Jetpack 3.4 in March 2015. They actually acquired the company BruteProtect in order to add that functionality. According to WP Tavern:
As of February 2015, the BruteProtect plugin has defended over 225,000 sites from more than 350 million botnet attacks.
I’m not really sure why there are more of these malicious login attempts happening lately. I would guess that it is just a result of their being more people with the skills and tools to do such things and there is wider availability of software to carry out such attacks. You can actually just do a Google search and find software to carry out these attacks, so anybody with a computer and the internet really could do it. I’ve noticed a lot of these attacks seem to be from Russia, Pakistan, and India.
How these attacks can damage your site
When this is software or code trying to break in, you’ll notice spikes in memory usage and your site might get slower. You of course want your site to be as fast as possible both for users and because Google uses that as a ranking factor, and if you use up too much memory your site will crash altogether, depending on your host and possible memory limits. If you are on shared hosting, even though you likely have unlimited memory, your site will eventually crash as it just doesn’t have enough resources attributed to it to keep it up.
If the hackers actually gain access to your site, you could be in big trouble, especially if the account they get is an admin account or one with privileges beyond what normal users can do. They could get usernames, passwords, payment info, put in false data, or take your site apart. If this does happen, which it never should, it could really be a disaster.
How to prevent these attacks from harming you
Luckily, there are a plethora of WordPress security and login plugins out there to help secure your site. WordPress itself does a good job, as seen by that screenshot at the top of this post. You do need to be sure to update your site when new updates are available, as these often fix known security issues. If WordPress knows about a security issue, so do the hackers. Don’t make it easy for them by not updating your site.
I also like to use WordFence security or Brute Force Login protection to add extra protection. This includes protecting the htc access file and also limiting login attempts. You can also ban IP addresses or only allow your IP address.
Another way to protect yourself, and perhaps the most important way to do so, is simply to not make it easy for the hackers. Pick a good username and especially password. You’ll want to move away from the default “admin” username. For your password, use something random that is at least 8, and ideally 12 characters long. Don’t use actual words in your password. Instead make it random letters, numbers, and characters.
A bad password could be something like “ILoveDogs123!” but something like I1!od2Levgo3 would be good. Notice the difference? One is 12 characters but includes 3 actual words, 3 numbers in a row, and the exclamation point at the end is a common thing people do. The second password is actually the same 12 characters, but randomized.