It's no secret that WordPress is a popular target of malicious hackers. One of the least sophisticated attacks against a WordPress site is to brute-force the administrative login. This type of attack -- which is simply an attacker (or an attacker's bot) attempting to guess the admin password -- is simple but the ramifications of success are profound. Imagine what an attacker can do if they have complete control of your WordPress install. It's tempting to think that only large sites are targeted and that small sites have little to worry about. While it's true that a high traffic site may, for a number of reasons, make for a more tempting target as my test results show an attitude of security through obscurity is a mistake.
Back in March I started a simple test in order to qualify the threat a small WordPress powered site faces from this simple brute-force attack. Awaiting Inspiration has received an average of 174 visitors a day this year so it qualifies as small site and is a perfect test bed.
I disabled some of my security measures (that would have otherwise prevented the test from working) and setup the Limit Login Attempts plugin in order to monitor unauthorized login attempts. The Limit Login Attempts plugin allows you to set the number of times that an attempt can be made to login to WordPress from a given IP address. I configured the plugin to allow only one attempt per IP. The offending IP address was locked out for 48 hours which was used to give me time to add the offending IP address to a blacklist which prevented it from accessing any part of the site. This setup meant that subsequent attacks would have to come from a different IP address.
While a unique IP does not necessarily mean a unique attacker -- a single attacker can be behind multiple unique IPs -- for the purposes of this test I considered each uniquely logged IP address to be a separate and unique attack.
I started the test on March 18th and stopped it on July 21st. In that 126 day period there were 67 unique attempts to brute-force the WordPress login. That's nearly one unique attack per day.*
I used the DNSstuff IP information tool to get the location each attack originated from.
|COUNTRY||NUMBER OF ATTEMPTS|
Out of the 67 attempts all but one used the username admin or Admin. Admittedly, it sent a chill up my spine when an attempt was made using the username adam. The use of the username adam as opposed to the default admin indicates to me that this specific brute-force attempt was made by a person (as opposed to a bot) who gathered information from the site before they made their attempt.
The results of this little test show that even a small site is a target and that it would be a mistake to assume that obscurity equals security.
It's also a salient reminder that a strong password is an absolute must and that just username/password are probably not sufficient to secure the WordPress login. Additional steps need to be taken to ensure that it remains secure, those steps include but are not limited to:
- Use a non-standard and not easily guessed username(s)
- Restrict the loading of the WordPress login page to known IP addresses using .htaccess or other method.
- Employ multi-factor authentication like that offered by the Google Authenticator plugin.
- Employ WordPress Security Keys to ensure that logged in user cookies are encrypted as best possible.
Going into the specifics of how to configure these additional security options is beyond the scope of this post but information can easily be found at the linked pages or through a cursory Google search.
In the future it would be interesting to look into this deeper and see if more information can be gleamed as to what is attempting the login. I suspect that the majority of the attempts were automated bots but it would be interesting to attempt to get more details on this.
* Errata (10/11/2012) - This previously said "That’s nearly two unique attacks per day". I corrected it to reflect the proper math of 67 attempts out of 126 days.