So, what is a Brute Force Attack?
Brute Force Attacks are probably the most common form of attack on a WordPress website. In fact, it is highly likely that your WordPress website is being attacked right now!
Brute Force attacks have been around for a long time and in principle are a very simple way of gaining entry to your website: the attacker just keeps guessing your username and password, hundreds or thousands of times in a row.
You may wonder how anyone could possibly guess your password, but in general people are bad at choosing a strong username and password. People still use ‘admin’ (the username older WordPress installs created by default) as their username and, unbelievably, some even use ‘password’ as their password. An attacker would get straight in with that combination.
Within a WordPress site the login form at /wp-login.php is the file that Brute Force attacks target (requests to /wp-admin/ simply redirect there when you are not logged in). The XML-RPC endpoint at /xmlrpc.php also accepts a username and password and is hammered in the same way.
Hackers use a dictionary of common passwords, for example the lists published by SkullSecurity, which run to more than 60 MB of passwords. Most attacks try literally thousands of them in a single run.
Password guessing protection
Firstly, ensure your username and password are strong. An up-to-date WordPress installation includes a strong password generator on the user profile screen; if yours does not, you are running an old version and should update it now.
See our Simple WordPress Security Checklist for more advice and some password storage software to help you remember them.
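As an added example (not code from the original post or from WordPress itself), the checks below encode this advice in Python: they reject default usernames and dictionary passwords, estimate how long a pure guessing attack would take at the rate described above, and generate a replacement password from a cryptographically secure random source, as the WordPress profile-screen generator does. The small word list, the default-username list, the 12-character minimum and the 1,000 guesses-per-second rate are assumptions constructed for the illustration.

```python
import secrets
import string

# Constructed stand-in for the large public wordlists the text mentions (such as
# the SkullSecurity lists); real dictionaries hold millions of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "admin123", "wordpress",
}
# Usernames attackers try first; 'admin' is the historical WordPress default.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user"}

# Assumption for the estimate below: the "thousands of guesses" the text
# describes, taken as roughly 1,000 guesses per second from one attacker.
GUESSES_PER_SECOND = 1_000
MIN_LENGTH = 12  # assumed policy minimum for this example

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def charset_size(password):
    """Size of the smallest standard character set covering every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32
    return size


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case seconds for a pure brute force over the password's character set.
    A dictionary word falls far sooner than this, which audit_credentials checks."""
    return charset_size(password) ** len(password) / rate


def audit_credentials(username, password):
    """Return the list of reasons the pair is weak; an empty list means it passes."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("username is a default that attackers try first")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is in the common-password dictionary")
    if len(username) >= 4 and username.lower() in password.lower():
        problems.append("password contains the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if charset_size(password) < 62:
        problems.append("password uses too few character classes")
    return problems


def generate_password(length=20):
    """CSPRNG-backed password that contains every character class in ALPHABET."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if charset_size(candidate) == len(ALPHABET):
            return candidate


if __name__ == "__main__":
    for user, pw in [("admin", "password"), ("editor42", generate_password())]:
        issues = audit_credentials(user, pw)
        print(f"{user!r}: {'OK' if not issues else '; '.join(issues)}")
        print(f"  worst-case brute force: {seconds_to_exhaust(pw) / 86400:.1f} days")
```

Note that `seconds_to_exhaust` deliberately overstates the protection an eight-letter lowercase word offers: the attacker described above does not iterate the whole character set, they read the word straight out of the dictionary, which is why the dictionary check comes first.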
Directory guessing
This is where the hacker concentrates on sub folders under your web root. They are looking for outdated versions and insecure software on your server that they can exploit.
They concentrate on paths such as /phpmyadmin/ (or /phpmyadmin-versionnumber/) and /wordpress/.
It goes without saying that your WordPress core files should be in the root and not in a subfolder called /wordpress/; a predictable path like that is an open invitation.
Directory guessing protection
When the hacker requests folders that are not there, the server returns a 404 Not Found and records the request in its access log (Apache also writes a "File does not exist" entry to the error log). Looking through the log you will see a run of these entries in quick succession, all from the same IP address. Block that IP address at the firewall. Because the addresses change constantly, it is worth automating the job with a tool such as fail2ban, which reads the log and adds the block for you.
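The log review described above, and the repeated login attempts from the password guessing section, can be spotted by the same piece of code. The script below is an added example and not part of the original post: it parses Apache/nginx combined-format access log lines, flags any IP that POSTs to the login endpoint more than a threshold number of times inside a five-minute window, or that draws repeated 404s on probe paths such as /phpmyadmin and /wordpress/, and returns the iptables command that would block it. The sample log lines, the thresholds, the window and the probe-path list are constructed for the example; /xmlrpc.php is included as a second login endpoint that the text does not discuss.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds, window and path lists are assumptions chosen for this example.
WINDOW = timedelta(minutes=5)
LOGIN_THRESHOLD = 10   # POSTs to a login endpoint from one IP inside WINDOW
PROBE_THRESHOLD = 5    # 404s on probe paths from one IP inside WINDOW
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
PROBE_PREFIXES = ("/phpmyadmin", "/wordpress/", "/wp/", "/pma")


def parse_line(line):
    """Return ip/time/method/path/status for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0].lower(),
        "status": int(m["status"]),
    }


def _exceeds(times, threshold, window):
    """True if any sliding window of `window` length holds >= threshold events."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def analyze(lines):
    """Map offending IP -> reasons ('login-bruteforce', 'directory-probing')."""
    logins, probes = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            logins[ev["ip"]].append(ev["time"])
        if ev["status"] == 404 and ev["path"].startswith(PROBE_PREFIXES):
            probes[ev["ip"]].append(ev["time"])
    verdict = defaultdict(list)
    for ip, times in logins.items():
        if _exceeds(times, LOGIN_THRESHOLD, WINDOW):
            verdict[ip].append("login-bruteforce")
    for ip, times in probes.items():
        if _exceeds(times, PROBE_THRESHOLD, WINDOW):
            verdict[ip].append("directory-probing")
    return dict(verdict)


def block_commands(verdict):
    """iptables commands for each flagged IP (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(verdict)]


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log for the example (not real traffic).
_base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(12):  # 12 login POSTs in under two minutes from one address
    ts = (_base + timedelta(seconds=10 * i)).strftime(TS_FMT)
    SAMPLE_LOG.append(_line("203.0.113.7", ts, "POST", "/wp-login.php", 200))
_probe_paths = ["/phpmyadmin/", "/phpmyadmin-4.8.0/", "/phpMyAdmin/index.php",
                "/wordpress/wp-login.php", "/wp/", "/pma/"]
for i, path in enumerate(_probe_paths):  # six 404s on guessed folders
    ts = (_base + timedelta(seconds=30 * i)).strftime(TS_FMT)
    SAMPLE_LOG.append(_line("198.51.100.23", ts, "GET", path, 404))
for method, path, status in [("GET", "/", 200), ("GET", "/about/", 200),
                             ("POST", "/wp-login.php", 302)]:  # one real user
    SAMPLE_LOG.append(_line("192.0.2.10", _base.strftime(TS_FMT), method, path, status))

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, reasons in result.items():
        print(ip, ", ".join(reasons))
    print("\n".join(block_commands(result)))
```

The legitimate visitor makes a single POST to /wp-login.php (the 302 is the redirect WordPress issues after a successful login) and is not flagged; the thresholds are what keep real users off the block list, so tune them to your own traffic before automating the iptables step.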
Brute Force Attack Summary
In short, pay attention to making your username and password strong, and harden your sub folders if you can.
All our clients are protected against Brute Force Attacks; if you would like to be protected too, you can subscribe to our WordPress Security Pro service.