Brute Force Attacks on WordPress sites

Brute force login attacks on WordPress sites seem to be increasing. What I have noticed is that the IP numbers being used as an attacking force seem to have grown in number and intensity.

I look after a number of websites and occasionally I will get a stream of warnings if there is a surge in login traffic, especially if the “users” (typically bots) are trying to log in as the “admin” user; I have an automatic block on that user.

In addition, any sites that I manage will have had that user deleted if it was ever set up, and various other security safeguards put in place to minimise such activity. There are other safeguards that can be used, such as firewalls and cloud proxy services.

Generally all servers running WordPress should be security hardened against suspicious traffic and have a number of security safeguards in place.

Stopping Brute Force Attacks

The human side of security is often neglected, but setting up and continuing to use complex passwords helps protect against login attacks.

A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. Other kinds of hacks rely on website vulnerabilities whereas a brute force attack is a simple hit and miss method and can be tried on any site.

From Preventing Brute Force Attacks Against WordPress Websites which has other useful details on managing against this type of attack.

See also Protecting Against WordPress Brute-Force Attacks

So far, so good. I find when there are security topic discussions there are always a certain number of people whose eyes glaze over and they think it is all too abstract and would never happen to their site. If this is not your thing but you have a WordPress site then ask a web developer or security person for help.

Below is an actual screenshot of a log of actual attacks on a real website that happened earlier today. Hopefully this will help to make the threat just a little less abstract, but yes, it's a list of numbers, so maybe not?

Brute force login attacks

A number of points to note from this log snippet. It shows 8 different attempted logins from 8 separate IP numbers around the world in the space of 3 minutes. It is only part of a much longer sequence that ran for several hours and included traffic from these locations:

Spain, Tunisia, Mexico, Thailand, Romania, Portugal, UK, Japan, Bulgaria, Lithuania, UK, France, Italy, Hungary, NZ, South Korea, Hungary, UK, Jamaica, Bangladesh, India, Colombia, Egypt, Croatia, Brazil, Philippines, Cyprus, South Africa, Argentina, Netherlands, Slovenia, Algeria, Switzerland, Israel, Canada, US, Tanzania, Cambodia.
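
The pattern in that log (8 attempts from 8 separate IP numbers inside 3 minutes) stays under any per-IP lockout, so it has to be detected across sources. The following is an added example, not part of the original post: it counts distinct sources POSTing to wp-login.php in a sliding window. The log lines are constructed (combined access-log format, documentation-range addresses), and the 3-minute and 8-source thresholds are assumptions taken from the figures above.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: one old lone attempt, ordinary GETs, then an 8-source burst.
SAMPLE_LOG = """\
203.0.113.77 - - [12/Mar/2024:07:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:09:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:09:00:52 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.200 - - [12/Mar/2024:09:01:00 +0000] "GET / HTTP/1.1" 200 15012 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Mar/2024:09:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2024:09:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.201 - - [12/Mar/2024:09:01:50 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.150 - - [12/Mar/2024:09:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.88 - - [12/Mar/2024:09:02:27 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:09:02:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3}'
)

def login_attempts(log_text):
    """Yield (timestamp, ip) for every POST to /wp-login.php; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == "/wp-login.php":
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def distributed_bursts(attempts, window=timedelta(minutes=3), min_ips=8):
    """Return (start, end, ips) for each window holding >= min_ips distinct sources."""
    recent, alerts = deque(), []
    for ts, ip in sorted(attempts):
        recent.append((ts, ip))
        while ts - recent[0][0] > window:   # drop attempts older than the window
            recent.popleft()
        ips = {addr for _, addr in recent}
        if len(ips) >= min_ips:
            alerts.append((recent[0][0], ts, sorted(ips)))
            recent.clear()                  # one alert per burst, then start fresh
    return alerts

if __name__ == "__main__":
    for start, end, ips in distributed_bursts(login_attempts(SAMPLE_LOG)):
        print(f"{len(ips)} sources hit wp-login.php between {start} and {end}: {ips}")
```
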

It is possible to trace each IP number but very little can be done. What interested me in the current logs is that I saw some use of IP numbers from Australia and New Zealand. I can easily see who the ISP host is and general location details and so on.

I’m hoping that I can communicate with the ISP and user for the NZ attack host. Almost certainly the owner of that computer does not know his/her system is being used for brute force attacks.

Most of the time it is practically impossible to do any more than block the IP numbers of known bots but since one of the bots is in NZ it may be possible to fix.