The WordPress Brute Force Attack. Is your website vulnerable?

No Comments

Yesterday (18 December 2017), Mark Maunder posted an important security warning for Webmasters of WordPress sites. From what we have seen already, the risks are sizeable and should not be underestimated. If your site is built on WordPress, please read on.  It might just save your business…

A new attack On WordPress websites

A massive distributed ‘Brute Force’ attack targeting WordPress sites started yesterday morning. The attack is extremely broad in that it uses a large number of attacking IP addresses. What is more, each of these IP addresses is generating a huge number of attacks. This is the most aggressive campaign we have seen here at Onvigil, peaking at over 14 Million attacks per hour!


What is a Brute Force attack?

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, extremely sophisticated automated software is used to generate a huge number of consecutive guesses as to the value of the desired information. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organisation’s network security. A brute force attack is also known as brute force cracking or simply ‘brute force’.

What do we know so far?

  • The attack has so far peaked at 14.1 million attacks per hour
  • The total number of IPs involved at this time is over 10,000
  • We are seeing up to 190,000 WordPress sites targeted per hour
  • This is the most aggressive campaign we have ever seen by hourly attack volume

The campaign continues to ramp up in volume as every hour passes. The graph above highlights the severity of the attack. So far, nobody has been able to locate the origin of the attack or who is behind it.

However, we do know that on the 5th of December, a massive database of hacked credentials emerged which contained over 1.4 billion username/password pairings. Rather worryingly, approximately 14% of the database contains credentials that have not been seen before. The database is also searchable and easy to use.


How to protect yourself

This is the highest volume ‘brute force’ attack we have seen to date. Given that it may also be using the high authority credentials that were provided in the database hack on December 5th, this attack may achieve a much higher success rate. As a first step, we suggest that you follow all the steps detailed below:

  • Ensure that you have strong passwords on all user accounts, especially admin accounts
  • Change your admin username from the default ‘admin’ to something harder to guess
  • Delete any unused accounts, especially admin accounts that you don’t use. Reduce your attack surface!
  • Enable two-factor authentication on all admin accounts
  • Enable an IP blacklist to block IPs that are engaged in this attack
  • Monitor login attempts by configuring alerts when an admin signs into your website
  • Do not reuse a password on multiple services. That way if you have a password from a data breach in the new hacked database, it won’t be the same as your WordPress admin password
  • Use a password manager like LastPass to manage many passwords across services

As one of the UK’s leading online marketing agencies that specialises in WordPress optimisation, Onvigil is here to help you protect your website from unwanted attacks. Should you have any questions or need assistance, we’d be very happy to help. Call us today on 01730 77 66 33.

About us 

As our name suggests, we exist to keep a watchful eye over your online real-estate. Onvigil is a leading UK based digital agency, serving organisations in London, Hampshire, Surrey and Sussex.

Request a free quote

We offer professional SEO services that help websites increase organic search visibility and compete for page one rankings for highly competitive keywords.

More from our blog

See all posts

Leave a Comment

Time limit is exhausted. Please reload CAPTCHA.

I accept the Privacy Policy