<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5HLVVHN" height="0" width="0" style="display:none;visibility:hidden">

Blocking Brute Force Attacks On WordPress

Apr 30, 2020 7:12:23 PM / by Dmitry Tkachuk

 

wordpress3

One of the easiest ways to attack a web site is to gain entry through a content management system, such as WordPress. To do this, hackers try to force a login to a site’s WordPress installation using frequently used passwords. These sorts of attacks are known as brute-force attacks. 

 

The rise of wide-scale Brute-force attacks

 

Most sites have developed countermeasures that limit the number of logins, so hackers have developed different kinds of brute-force attacks. Instead of launching millions of login attempts on a single site, they now use limited login attempts on millions of different web sites. 

path

 

These sorts of wide-scale bruteforce attacks take advantage of the fact that users often make multiple login attempts when they forget or misspell their passwords. It’s difficult to distinguish these occurrences from hacking attempts, so administrators “leave the door open,” so to speak. If they block access after a few failed login attempts, they risk shutting out legitimate users. 

When a wide-scale brute-force attack on a WordPress account succeeds, an attacker can often modify a theme to inject backdoor code, as shown here: 

 

pasted image 0 (9)-1

 

Wide-scale attacks are a growing problem

 

The Imunify360 product team looked at over 2000 WordPress domains that were attacked on April 22, 2020, and made these conclusions and projections: 

 

pasted image 0 (10)-1

What we found was that: 

  • The top 10,000 frequently used passwords were used in half of the login attempts.
  • On average, an attacker will need to try 64 domains, with 14 login attempts on each, to discover an account with a weak password.
  • Weak passwords were used for around 10% of successful login attempts. This means that sites with weak user passwords either can be hacked, or they already have been. 

Basically, our analysis showed that weak user passwords in WordPress are like a multiple-lane highway that hackers can travel to gain control of web sites. 

 

Imunify360 protects against wide-scale attacks

 

The latest version of Imunify360, version 4.7, is designed to block wide-scale brute-force attacks. It does this by checking passwords used on login attempts against a list of well-known weak passwords. If a login attempt uses one of these passwords, the user is redirected to a page that prompts him to change his password: 

 

pasted image 0 (18)

When the user clicks the “Reset password” button, he’s taken to the WordPress password reset page. It doesn’t break any kind of WordPress functionality, as the password reset procedure does not require a user to be logged in.

 

Enabling protection against wide-scale attacks

 

In Imunify360 version 4.7, this WordPress login protection feature is disabled by default. But enabling it is easy. To do that, just: 

      1. Navigate to the settings page, and click the General tab.

pasted image 0 (19)

      2. Scroll to WAF settings. 

      3. Enable the “WordPress Account Compromise Prevention” option. 

pasted image 0 (20)

From the CLI, this feature can be enabled with the following command:

imunify360-agent config update '{"MOD_SEC": {"cms_account_compromise_prevention": true}}'

 

Disabling the WordPress protection feature


If you’d like to disable this feature for one or multiple domains, you can do that in the UI by disabling rule 33355: 

 

pasted image 0 (21)

 

Or, you can disable it with the CLI command:

imunify360-agent rules disable --name "Disable cms_account_compromise_prevention" --id 33355 --plugin modsec --domains "example.org"

 

Please Share Your Feedback

 

The Imunify product team would like to hear from you. To share your ideas and observations on this WordPress login protection feature, please send them to us at feedback@cloudlinux.com.

If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify support team at cloudlinux.zendesk.com.

 

Topics: Imunify360, Advice, Analytics

Dmitry Tkachuk

Written by Dmitry Tkachuk

Imunify Security, Product Manager

    Subscribe to Email Updates

    Ready to try Imunify?

    30-DAY TRIAL

    Recent Posts