Brute force attacks of this type are nothing new. They occur when automated botnets try to gain unauthorised access to a website through trial and error. It's a numbers game - the bots bombard the website trying to guess the username and password until they find the right combination.
As WordPress web designers, we previously secured the websites we design using the Limit Login Attempts WordPress plugin. This is good at thwarting certain brute force attempts, as it locks out any IP address that repeatedly tries to enter a website with the wrong credentials. In this case, however, such plugins will be of limited use due to the sheer number of IP addresses (i.e. compromised computers in the botnet) being used for the attacks: spread across that many addresses, each one can stay below the lockout threshold.
Another problem is that even if you lock out an IP address using a plugin, the bots can still access the login page and submit another login attempt. The attempt will fail because they are locked out, but a request is still made to the server, using up resources and bandwidth. Although each attempt on its own uses few resources, multiply this by dozens of attempts per minute or even per second, and you could find your website slowing down significantly or even crashing the web server altogether.
In light of this, here are a few simple steps that any WordPress website owner can take to protect against a brute force attack. Step 3 in particular will help to address the resource/bandwidth issue:
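To make the limitation described above concrete, here is an added example (not code from the original post or from any of the plugins it mentions) that reads web-server access-log lines and compares two views of the same login traffic: the per-IP view a lockout plugin sees, and the site-wide view that reveals a distributed attack. The log lines, IP addresses and thresholds are constructed for the example; the per-IP limit of 4 is an assumed lockout setting, not a value from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-format access log: "IP ident user [timestamp] "METHOD path proto" status ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def login_attempts(lines):
    """Return (ip, timestamp) for every POST to wp-login.php, i.e. each submitted login form."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            out.append((rec["ip"], rec["ts"]))
    return out


def ips_over_per_ip_limit(attempts, limit):
    """What a per-IP lockout plugin would block: addresses with more than `limit` attempts."""
    counts = Counter(ip for ip, _ in attempts)
    return {ip for ip, n in counts.items() if n > limit}


def aggregate_alerts(attempts, window_seconds, threshold):
    """Site-wide view: login attempts per fixed time window, regardless of source IP.

    Each alert reports the window start (epoch seconds), the total attempts and the
    number of distinct IPs, so a botnet spread thinly across many addresses still shows up.
    """
    buckets = defaultdict(list)
    for ip, ts in attempts:
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[bucket].append(ip)
    return [{"window_start": b, "attempts": len(ips), "distinct_ips": len(set(ips))}
            for b, ips in sorted(buckets.items()) if len(ips) >= threshold]


def _line(ip, when, status=200):
    return f'{ip} - - [{when}] "POST /wp-login.php HTTP/1.1" {status} 3456 "-" "Mozilla/5.0"'


# Constructed sample log: 8 botnet addresses make 2 attempts each within one minute,
# plus one legitimate user who loads the page (GET) and logs in successfully (302).
SAMPLE_LOG = [_line(f"203.0.113.{n}", f"12/Apr/2013:10:00:{s:02d} +0000")
              for n in range(1, 9) for s in (n * 5, n * 5 + 1)]
SAMPLE_LOG.append('198.51.100.7 - - [12/Apr/2013:10:00:44 +0000] '
                  '"GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"')
SAMPLE_LOG.append(_line("198.51.100.7", "12/Apr/2013:10:00:45 +0000", status=302))

if __name__ == "__main__":
    attempts = login_attempts(SAMPLE_LOG)
    print("login attempts:", len(attempts))
    # Assumed per-IP lockout setting of 4: nobody trips it, because each bot tried only twice.
    print("locked out by per-IP rule:", ips_over_per_ip_limit(attempts, limit=4) or "none")
    # The site-wide rule sees 17 attempts from 9 addresses in a single minute.
    for alert in aggregate_alerts(attempts, window_seconds=60, threshold=10):
        print("site-wide alert:", alert)
```

Run as a script it prints that no IP is locked out under the per-IP rule while the site-wide rule raises one alert for the minute in question. The same windowed count also shows how much login traffic reaches the server even when every request is refused, which is the bandwidth problem the next steps address.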
1. Change the admin username
Most WordPress website owners still use 'admin' as their username. This is a bad idea because it makes your username trivial to guess, leaving only the password for an attacker to find.
The problem is easy to fix:
- Create a new administrator-level user account with a more unusual username that hackers won't guess (Users > New in the WordPress admin).
- Log in using this new account and delete the old 'admin' account. Click the button to attribute all the admin posts and comments to your new username.
2. Make your password secure
Use a secure password for your WordPress admin user account. Use the random password generator to create a super-secure password, or join together several common but unrelated words that you can easily remember. Update your password via the Users link in the WordPress admin.
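The two approaches above can be compared in terms of how many guesses a bot would need. The following is an added example, not code from the original post, that generates both kinds of password with Python's `secrets` module and estimates the expected guessing time at a given attempt rate. The 32-entry word list is a constructed stand-in (a real list has thousands of words, which is what makes a multi-word passphrase strong), and the guess rates are illustrative assumptions.

```python
import math
import secrets
import string

# Constructed stand-in word list: 32 entries, so each word contributes log2(32) = 5 bits.
# A real passphrase list (several thousand words) gives roughly 11-13 bits per word.
WORDS = [
    "apple", "barn", "cloud", "dune", "ember", "fjord", "glass", "harbor",
    "ivory", "jungle", "kettle", "lantern", "meadow", "nickel", "orbit", "pillow",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yarn", "zephyr", "anchor", "bridge", "candle", "desert", "engine", "forest",
]
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def passphrase(n_words=4, words=WORDS, sep="-"):
    """Several unrelated words joined together, each chosen with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length=16, alphabet=SYMBOLS):
    """A generated password drawn uniformly from the full printable alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform choices from `choices` options."""
    return picks * math.log2(choices)


def expected_guess_seconds(bits, guesses_per_second):
    """Expected time to hit the right value: on average half the keyspace is tried."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    pw = random_password()
    pp = passphrase()
    for label, bits in (
        ("16-char generated password", entropy_bits(len(SYMBOLS), 16)),
        ("4 words from the 32-word list", entropy_bits(len(WORDS), 4)),
        ("4 words from a 7776-word list (assumed size)", entropy_bits(7776, 4)),
    ):
        # Assumed online guessing rate of 10 attempts/second across the whole botnet.
        years = expected_guess_seconds(bits, 10) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at 10 guesses/s")
    print("sample generated password:", pw)
    print("sample passphrase:", pp)
```

The point of the numbers is that a short word list makes a passphrase weak no matter how random the selection is; strength comes from the size of the pool each word is drawn from and from the number of words, which is why the post suggests several unrelated words rather than one or two.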
3. Install the Stealth Login Page WordPress plugin
Most WordPress websites have a standard login URL that hackers can guess, such as barn2.com/wp-login.php. Stealth Login Page creates a unique login URL that makes it unlikely that bots will find the login page at all, let alone launch a brute force attack against it.
4. Install the Wordfence Security WordPress plugin
And for one final security measure, install Wordfence Security. This is much more sophisticated than Limit Login Attempts and has many more features including:
- Locks out brute force hacks
- Firewall to block common security threats
- Advanced IP and domain WHOIS to report malicious IPs or networks and block entire networks using the firewall
- See how files have changed. Optionally repair changed files that are security threats
- Scans for many known malware variants, loopholes, suspicious code and other security issues
- Blocks security threats such as aggressive crawlers, scrapers and bots
- Monitors disk space, which is related to security because many DDoS attacks attempt to consume all disk space to create a denial of service.
As Wordfence includes login protection, you wouldn't need the Limit Login Attempts plugin as well. The same limitation mentioned above applies to it, though, given the number of IP addresses used in this most recent attack. However, Wordfence offers a range of additional security measures and also helps you to detect whether your site has already been hacked, so used in conjunction with steps 1-3 described above it's definitely worth having.