Security Warning: Increased Brute Force Login Attempts

There’s been a lot of noise in the WordPress security community the last days about the increased XML-RPC attacks. Here at WPSOS we’ve noticed the same and can confirm the various reports on it.

However, we’ve also noticed an increase in brute force login attempts. These are robotic algorithms that every x seconds guess a username (often ‘admin’ or just the username that posted a blog post) and then cycle through common passwords (“12345678”, “asdf1234”, etc.) until they eventually get a hit… or are banned.

Although WordPress itself is taking various measures to try to limit this — the latest version, for example, forces the creation of substantially harder to guess passwords — the hackers are often one step ahead.

The brute force attacks are getting increasingly brutal. We’d definitely recommend stronger measures to protect your login pages.

But what measures in particular?

Our two favorite methods are:

  • Use the .htaccess file to protect the login pages
  • Change the URL of the login pages
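As an added illustration of the first method (example configuration written for this post, not taken from WPSOS or WordPress), here is an .htaccess fragment for Apache 2.4 that limits wp-login.php to a trusted network plus an extra password prompt, and closes the XML-RPC endpoint mentioned above. The network 203.0.113.0/24 and the password file path are placeholders to replace with your own values.

```apache
# Added example: harden the WordPress login and XML-RPC endpoints with .htaccess.
# Placeholders: 203.0.113.0/24 (your trusted network) and the AuthUserFile path.

# Only the listed network may reach the login form, and even then a second
# password (HTTP Basic auth) is required before WordPress ever sees the request.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    # Keep the password file outside the web root so it can never be served.
    AuthUserFile /path/outside/webroot/.htpasswd
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>

# xmlrpc.php is the other endpoint under attack; deny it unless you rely on it
# (for example the mobile app or Jetpack), in which case allowlist instead.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Create the password file with `htpasswd -c /path/outside/webroot/.htpasswd <user>` and verify that a request from outside the listed network receives a 403 rather than the login form.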

This is in addition to — obviously — the more basic anti-brute force protections that are essential: long, complex, unique passwords that you don’t write on paper or email or share openly with anyone and don’t re-use, for example.

But more on that common sense in another post. As they say: common sense isn’t that common!