Wednesday, October 24, 2012
By: Angela Render
This month we’re starting a series on current threats and things you can do to thwart them. The first installment is in response to a recent compromise of a WordPress site brought to us for clean-up. The client only discovered something was wrong when Google flagged the site as infected with malware.
Upon analysis of the incident, we discovered that the method of entry was brute force and that the admin’s password was weak. I’m not going to preach password strength or complexity this time. I sincerely hope you all know that by now. This month’s tip has to do with creating unique user names and being unpredictable.
It’s common with a simple WordPress installation for the initial user to be named “admin,” and most people never think to change that. From the perspective of a brute-force attempt, an account under a predictable user name like “admin” or “webmaster” removes one of the two unknowns: the attacker only has to guess the password, and a script pointed at wp-login.php can try one guess after another until one works. Crude, but effective, and since the script runs unattended, time is not a problem for the attacker. To be clear, a long random password still matters: a password drawn from a dictionary of common choices falls within minutes, while a long random one is out of reach for an attack that has to go through the login form one guess at a time. But the password should not be your only line of defense against brute-force attempts, and there is more you can do.
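What such an attack looks like from the server side is worth knowing, because the web server log is usually the first place it shows up. The following detector is an added example written for this article, not code from the original post or from any WordPress plug-in. It runs over a constructed sample of Apache combined-format log lines (the IP addresses, timestamps and sizes are made up) and flags any client that POSTs to wp-login.php more than a threshold number of times inside a sliding time window. It also uses one WordPress behaviour as a heuristic: a failed login re-renders the form with status 200, while a successful one redirects (302) to wp-admin, so a burst of 200s followed by a 302 from the same client is a likely successful guess.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache "combined" log lines (not real traffic):
# one bot hammering wp-login.php, then one normal user logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2012:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2012:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2012:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2012:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2012:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2012:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2012:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2012:03:12:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 41022 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Oct/2012:08:45:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Oct/2012:08:45:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Enough of the combined format to get client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for every client that POSTed to /wp-login.php at
    least `threshold` times within any span of length `window`.

    WordPress answers a failed login with 200 (the form again, with an error)
    and a successful one with a 302 to wp-admin, so a 302 that follows at
    least one failure from the same client is reported as a likely success.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        posts[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: largest number of POSTs that fit inside `window`.
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        failures = sum(1 for r in recs if r["status"] == 200)
        first_fail = next((i for i, r in enumerate(recs) if r["status"] == 200), None)
        likely_success = first_fail is not None and any(
            r["status"] == 302 for r in recs[first_fail + 1:]
        )
        findings[ip] = {
            "attempts": len(recs),
            "peak_in_window": peak,
            "failures": failures,
            "likely_success": likely_success,
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample, the bot at 203.0.113.7 is reported with six attempts, five failures and a likely success, while the single legitimate login is ignored. Against a real log, feed the function the lines from `access.log` and tune the threshold to your own traffic; a client that is flagged with `likely_success` is a reason to reset that account’s password and look for what was changed afterwards.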
In the case of WordPress, a simple program crawling the web can discover an installation without any human help: WordPress announces itself and its version in a generator meta tag on every page, ships a readme.html at the site root, serves its login form at a fixed path (wp-login.php), and loads theme and plug-in files from predictable locations under /wp-content/, which reveals which plug-ins are installed. Many people keep the default theme, and a theme’s internal structure is just as predictable (widgets are widgets, the footer include is always footer.php, and so on). All of this lets the attacker automate the whole process, from finding the site to breaking into it. It’s entirely possible that a human being never even looked at my poor client’s site, never knew it existed, that they had compromised it, or that it was cleaned up.
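To see how little a scanner needs, here is an added example (mine, not the author’s, and not any real scanner’s code) that pulls those signatures out of a page’s HTML: the generator meta tag, the theme slug and the plug-in slugs from /wp-content/ paths, and core paths such as /wp-includes/ and wp-login.php. The page fragment is constructed to resemble what a stock install of that era sent to every visitor; the version number, theme and plug-in names in it are illustrative. Run it against the source of your own home page to see what you are advertising.

```python
import re

# Constructed page fragment resembling a stock WordPress front page (illustrative
# version, theme and plug-in slugs; not captured from any real site).
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.4.2" />
<link rel='stylesheet' href='http://example.com/wp-content/themes/twentyeleven/style.css' type='text/css' />
<link rel='stylesheet' href='http://example.com/wp-content/plugins/contact-form-7/styles.css?ver=3.3.1' type='text/css' />
<script type='text/javascript' src='http://example.com/wp-includes/js/jquery/jquery.js?ver=1.7.2'></script>
<script type='text/javascript' src='http://example.com/wp-content/plugins/akismet/akismet.js?ver=2.5.6'></script>
</head><body>
<a href="http://example.com/wp-login.php">Log in</a>
</body></html>"""

# A page with none of the signatures, for comparison.
NOT_WORDPRESS_HTML = "<html><head><title>static</title></head><body>hi</body></html>"

# Themes WordPress has shipped as defaults around the time of this post.
DEFAULT_THEMES = {"twentyten", "twentyeleven", "twentytwelve"}

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress(?:\s+([\d.]+))?["\']',
    re.IGNORECASE,
)
THEME_RE = re.compile(r'/wp-content/themes/([A-Za-z0-9_-]+)/')
PLUGIN_RE = re.compile(r'/wp-content/plugins/([A-Za-z0-9_-]+)/')
CORE_PATH_RE = re.compile(r'/wp-(?:includes|content|admin)/|/wp-login\.php')


def fingerprint_wordpress(html):
    """Extract the WordPress signatures a crawler would key on from page HTML."""
    gen = GENERATOR_RE.search(html)
    themes = sorted(set(THEME_RE.findall(html)))
    plugins = sorted(set(PLUGIN_RE.findall(html)))
    is_wp = bool(gen or themes or plugins or CORE_PATH_RE.search(html))
    return {
        "is_wordpress": is_wp,
        # Version is only present when the generator tag has not been removed.
        "version": gen.group(1) if gen and gen.group(1) else None,
        "themes": themes,
        "plugins": plugins,
        "default_theme": any(t in DEFAULT_THEMES for t in themes),
    }


if __name__ == "__main__":
    print(fingerprint_wordpress(SAMPLE_HTML))
    print(fingerprint_wordpress(NOT_WORDPRESS_HTML))
```

On the constructed page this reports a WordPress 3.4.2 site running the default Twenty Eleven theme with two named plug-ins, which is exactly the information an attacker needs to pick a plug-in exploit or a default-theme signature without looking at the site. Removing the generator tag and the default theme takes away the two cheapest signals; the /wp-content/ paths are harder to hide, which is why this post treats predictability as something to reduce rather than eliminate.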
So this month’s tip: if you’re running WordPress, log in and make sure there are no accounts named admin, administrator, webmaster, or other common user names. If there are, create a new administrator account with a different name and a nice, strong password, log in as that account, and delete the common one; when WordPress asks what to do with the old account’s content, attribute it to the new account rather than deleting it. Bear in mind that the new name is an obstacle, not a secret: WordPress author archives (for example /?author=1, which redirects to /author/<name>/) expose login names by default, so pair the rename with something that throttles failed logins. If you’re using one of the WordPress default themes, consider installing something else.
Look at the plug-in Login Security Solution by Daniel Convissor to help combat brute-force attacks, and if you get fed up, you can try iQ Block Country by Pascal or IP Filter by Hautclocq Gabriel to exclude countries where you know you won’t be doing business. Treat country blocking as a nuisance filter rather than a control, though: attackers routinely work from compromised machines and proxies in whatever country they need, so it cuts down the noise without stopping a determined one.
Definition of a Brute Force Attack
Despite the implications of the term, there’s more going on behind one of these than it might appear. Strictly, a brute-force attack is the automated guessing of credentials until one works; in practice the same kind of program also seeks out known vulnerabilities in predictable software and keeps hammering at them until it gets in. There’s no targeting, phishing, or crafting of human exploits here. It’s all in the programming. Such attacks rely on predictability, and the strongest defense is to remove as much of that predictability as possible: change every default setting you can (user names, themes, anything else that advertises a stock install) without breaking the software, and slow the guessing down so that an unattended script stops paying off.