The Wild West of Bots and Brute Forces

The key to success is starting with a solid foundation. When it comes to security, passwords are part of that foundation. Failing to choose a good password will eventually equate to failing at security, if not almost immediately.

In the WordPress sphere of security, brute force attempts by attackers against account passwords are a clear and present danger. The rate of these attempts that we see, and that every host sees, is staggering.

We see these attempts from bots at all times and take steps to prevent them from succeeding where we can. The multiple layers of security that keep these bots from succeeding with their brute force attempts include:

  • Preventing customers from setting weak or insecure passwords from their wp-admin pages.
  • Rate limiting IP addresses that have too many failed logins too quickly.
  • Outright disallowing attempts to log in to a site using common insecure password combinations, learned by monitoring the brute force bot activity.

To get some insight into this, we looked at around a week’s worth of wp-login attempt logs, millions of records, and found that our firewalls and security mechanisms were blocking the majority of the requests. At least one-third of the time, our rate limiter was blocking IP addresses from making any further attempts.
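The rate limiter and the blocked-combination check described above, as an added Python example (not Pagely's code) run over a constructed set of wp-login attempts; the thresholds, the denylist and the account table are assumptions for illustration:

```python
from collections import Counter, defaultdict, deque

# Constructed sample of wp-login.php attempts: (unix seconds, client IP, username, password).
# Passwords appear in clear only because this is a constructed sample, as in a honeypot log.
ATTEMPTS = [
    (1000, "203.0.113.5", "admin", "admin"),
    (1001, "203.0.113.5", "admin", "password"),
    (1002, "203.0.113.5", "admin", "123456"),
    (1003, "203.0.113.5", "admin", "qwerty"),
    (1004, "203.0.113.5", "admin", "letmein"),
    (1005, "203.0.113.5", "admin", "admin123"),        # sixth failure inside the window
    (1006, "203.0.113.5", "administrator", "admin"),   # still inside the window
    (1100, "203.0.113.5", "admin", "welcome1"),        # window expired, limiter has reset
    (1200, "198.51.100.7", "user", "password"),
    (1201, "198.51.100.7", "jane", "correct-horse-battery-staple"),  # legitimate login
]

# Assumed denylist of (username, password) pairs seen constantly in bot traffic.
BLOCKED_COMBOS = {("admin", "admin"), ("admin", "password"), ("user", "password")}
# Assumed site accounts; real WordPress stores salted hashes, never plaintext.
ACCOUNTS = {"jane": "correct-horse-battery-staple", "admin": "Ld7!v9q#Tz2rW"}

MAX_FAILURES = 5   # failures an IP may accumulate ...
WINDOW = 60        # ... within this many seconds before it is cut off

def evaluate(attempts, max_failures=MAX_FAILURES, window=WINDOW):
    """Return one outcome per attempt: rate_limited, blocked_combo, failed or success."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    outcomes = []
    for ts, ip, user, pw in attempts:
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= max_failures:
            outcomes.append("rate_limited")          # dropped before WordPress sees it
            continue
        if (user, pw) in BLOCKED_COMBOS:
            outcome = "blocked_combo"                # rejected without a password check
        elif ACCOUNTS.get(user) == pw:
            outcome = "success"
        else:
            outcome = "failed"
        if outcome != "success":
            recent.append(ts)                        # blocked combos count as failures too
        outcomes.append(outcome)
    return outcomes

def summarize(attempts):
    """Tally outcomes and targeted usernames, the two views discussed in the post."""
    return Counter(evaluate(attempts)), Counter(user for _, _, user, _ in attempts)
```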

The most targeted account name was admin (no surprise), followed distantly by administrator and user; after these, it is clear that the remainder of the attempts were targeting site-specific account names. While changing the admin username to something else doesn’t hurt, it’s important to know that it is not a solid security plan, because your site’s usernames can still be guessed or enumerated. Having a strong password on your admin account, whatever it is named, is the key to security success.

What can we learn?

  • Choosing strong passwords as a preventative measure for site security is critically important.
  • Hidden or secret accounts are not a substitute for choosing a secure password.

Extra Credit: Two Factor Authentication

Two Factor Authentication is also known as 2FA and sometimes called multi-factor authentication; for clarity I’ll refer to it as 2FA here.

A post about authentication and insecure passwords should always discuss 2FA. Consider adding a 2FA step to your WordPress login page. It simply requires a secret token (typically provided by an app on your smartphone) in addition to the account’s password to authenticate you as the account’s owner.

What value does this add aside from being a nuisance? Here’s why: I once set up a WordPress site as a honeypot to collect the passwords commonly used by these brute force bots, and I also had the audacity to leave the admin account named “admin” with a password of “password”. The admin account remained uncompromised through millions of attempts over the course of a year, all because I had enabled a 2FA plugin which required a time-based token along with that easily guessed password. Many attempts by bots would have gotten through had it not been for that 2FA plugin. In the end, when decommissioning the site, I turned off the 2FA plugin just to see how long it would take to be compromised. Spoiler alert: it was compromised in less time than it took to watch a feature-length film.

There are many plugins that offer two-factor authentication; they are simple and tend to be painless to set up and get running. If you want to take security that extra mile with your wp-admin, then for authentication, 2FA is the way to go. Pagely already gives you the option to enable 2FA on your hosting dashboard for enhanced security and strongly encourages you to do so. For a tutorial on how to do so, see this support FAQ.