One of the easiest ways to attack a website is to gain entry through its content management system, such as WordPress. To do this, hackers try to log in to a site’s WordPress installation using frequently used passwords. These sorts of attacks are known as brute-force attacks. See also our website hosting security and WordPress security articles to learn how to keep your website secure.
Most sites have developed countermeasures that limit the number of login attempts, so hackers have developed a different kind of brute-force attack. Instead of launching millions of login attempts against a single site, they now make a limited number of login attempts against millions of different websites.
These wide-scale brute-force attacks take advantage of the fact that users often make multiple login attempts when they forget or mistype their passwords. It’s difficult to distinguish these occurrences from hacking attempts, so administrators “leave the door open,” so to speak. If they block access after a few failed login attempts, they risk shutting out legitimate users.
When a wide-scale brute-force attack on a WordPress account succeeds, an attacker can often modify a theme to inject backdoor code, as shown here:
The Imunify360 product team looked at over 2000 WordPress domains that were attacked on April 22, 2020, and made these conclusions and projections:
What we found was that:
Basically, our analysis showed that weak user passwords in WordPress are like a multiple-lane highway that hackers can travel to gain control of web sites.
The latest version of Imunify360, version 4.7, is designed to block wide-scale brute-force attacks. It does this by checking the password used on each login attempt against a list of well-known weak passwords. If a login attempt uses one of these passwords, the user is redirected to a page that prompts them to change their password:
When the user clicks the “Reset password” button, they are taken to the WordPress password reset page. This doesn’t break any WordPress functionality, because the password reset procedure does not require the user to be logged in.
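The two ideas above, a per-site lockout that a distributed campaign slips under and a weak-password check that diverts the login to the reset flow, as an added illustration in Python (not Imunify360’s code, which implements the check as a WAF rule). The log records, the weak-password list, and the thresholds PER_SITE_LOCKOUT and CAMPAIGN_SITES are constructed for the example.

```python
"""Added example: why per-site login limits miss wide-scale brute force, and how a
hosting-level view plus a weak-password gate (as the article describes) catch it."""
from collections import defaultdict

# Constructed stand-in for a well-known weak-password list; real lists are far larger.
WEAK_PASSWORDS = frozenset({"123456", "password", "admin", "qwerty", "letmein"})

PER_SITE_LOCKOUT = 5   # typical per-site limit; forgotten-password retries stay under it
CAMPAIGN_SITES = 3     # one IP failing on this many distinct sites on one server is suspicious

# Constructed login records for one hosting server: (source_ip, domain, outcome)
LOG = [
    ("203.0.113.7", "alpha.example", "fail"),   # two tries per site, then move on:
    ("203.0.113.7", "alpha.example", "fail"),   # never reaches any site's lockout
    ("203.0.113.7", "beta.example", "fail"),
    ("203.0.113.7", "gamma.example", "fail"),
    ("203.0.113.7", "delta.example", "fail"),
    ("198.51.100.2", "alpha.example", "fail"),  # a real user mistyping, then succeeding
    ("198.51.100.2", "alpha.example", "fail"),
    ("198.51.100.2", "alpha.example", "fail"),
    ("198.51.100.2", "alpha.example", "ok"),
]

def per_site_lockouts(log):
    """Classic countermeasure: lock (ip, domain) pairs with PER_SITE_LOCKOUT or more failures."""
    fails = defaultdict(int)
    for ip, domain, outcome in log:
        if outcome == "fail":
            fails[(ip, domain)] += 1
    return {pair for pair, n in fails.items() if n >= PER_SITE_LOCKOUT}

def distributed_campaigns(log):
    """Server-wide view: IPs that fail on many distinct sites while staying below each
    site's own threshold. Returns {ip: number_of_distinct_sites_with_failures}."""
    sites = defaultdict(set)
    for ip, domain, outcome in log:
        if outcome == "fail":
            sites[ip].add(domain)
    return {ip: len(hit) for ip, hit in sites.items() if len(hit) >= CAMPAIGN_SITES}

def weak_password_gate(password):
    """The article's mitigation, applied before WordPress authenticates: a submitted
    password on the weak list sends the user to the reset flow instead of logging in.
    Returns the action to take, or None to let the login proceed normally."""
    if password in WEAK_PASSWORDS:
        return "redirect_to_reset"
    return None
```

On this sample the per-site lockout fires for nobody, while the cross-domain view flags 203.0.113.7 for failing on four different sites.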
In Imunify360 version 4.7, this WordPress login protection feature is disabled by default. But enabling it is easy. To do that, just:
1. Navigate to the settings page, and click the General tab.
2. Scroll to WAF settings.
3. Enable the “WordPress Account Compromise Prevention” option.
From the CLI, this feature can be enabled with the following command:
imunify360-agent config update '{"MOD_SEC": {"cms_account_compromise_prevention": true}}'
If you’d like to disable this feature for one or multiple domains, you can do that in the UI by disabling rule 33355:
Or, you can disable it with the CLI command:
imunify360-agent rules disable --name "Disable cms_account_compromise_prevention" --id 33355 --plugin modsec --domains "example.org"
The Imunify product team would like to hear from you. To share your ideas and observations on this WordPress login protection feature, please send them to us at feedback@cloudlinux.com.
If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify support team at cloudlinux.zendesk.com.
Imunify360 is a comprehensive, six-layer web server security suite with feature management: antivirus, firewall, WAF, PHP security layer, patch management, and domain reputation, with an easy UI and advanced automation. Try it free to secure your websites and server now.