
Protecting WordPress from Brute Force Attacks July 11, 2011

Posted by Tournas Dimitrios in Wordpress - 3.

A default WordPress installation is vulnerable to brute force and dictionary attacks, because there is no limit on how many times a user can submit an invalid password before finding the correct one. Although I try to convince my customers to use very long, strong passwords (with numbers, capital letters, etc.), in the end they almost always prefer an easy-to-remember password because it's convenient #!&$$$!!!

A brute force attack tries every possible password until login succeeds, within a very short time period. A plethora of scripts is available to automate the process, and weak passwords can be cracked in just a few minutes!!!! I know a couple of very efficient scripts; I'm sure they are also known to script kiddies.
To make the process even more efficient, password lists in many languages are available. These lists contain millions of words and are used by scripts to implement dictionary attacks.

A professional web developer can't just rely on the "good will" of his customers. He must implement an extra layer of protection that works behind the scenes. The WordPress community has developed many efficient plugins that protect your installation against repeated failed login attempts. This article presents four of them.

  • Login LockDown : With over a hundred thousand downloads, this plugin records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password
  • User Locker : With over twenty-five thousand downloads, this plugin locks a user's account once a predefined number of failed login attempts is exceeded; the account can be unlocked only by requesting a new password (using the Lost Password option) or by asking the admin for help. You can also disable selected user accounts, so those users will not be able to log in even if they know the password. You can use this feature to ban selected users.
  • Limit Login Attempts : With over seventy thousand downloads, this plugin limits the number of login attempts possible, both through the normal login form and through auth cookies, and optionally sends an email notification. It informs the user of the remaining retries or the lockout time on the login page.
  • Secure WordPress : With four hundred thousand downloads, this plugin beefs up the security of your WordPress installation by removing error information from login pages, adding index.html to plugin directories, hiding the WordPress version, and much more.
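To make the lockout policy that Login LockDown and Limit Login Attempts describe concrete, here is an added example of the same mechanism in plain Python. It is not code from either plugin or from WordPress: it counts failed attempts per IP range (a /24 for IPv4, a /64 for IPv6, both assumed values) inside a sliding time window, locks the whole range for a configurable period once the threshold is hit, and reports the remaining retries or the lockout time the way the login page would. The thresholds, the sample login events and the addresses are all constructed for the example.

```python
import ipaddress
import time
from collections import defaultdict


class LoginLockout:
    """Per-IP-range failed-login lockout (modelled on the plugin behaviour
    described above; thresholds are assumed example values)."""

    def __init__(self, max_attempts=3, window_seconds=300, lockout_seconds=3600):
        self.max_attempts = max_attempts
        self.window = window_seconds          # sliding window for counting failures
        self.lockout = lockout_seconds        # how long a range stays locked
        self._failures = defaultdict(list)    # range -> timestamps of recent failures
        self._locked_until = {}               # range -> time the lock expires

    @staticmethod
    def _range(ip):
        # Group attempts by network so rotating within one subnet does not help.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        key = self._range(ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lock expired: forget the range
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def lockout_remaining(self, ip, now=None):
        now = time.time() if now is None else now
        if not self.is_locked(ip, now):
            return 0
        return int(self._locked_until[self._range(ip)] - now)

    def record_failure(self, ip, now=None):
        """Record a failed attempt; return attempts left before lockout (0 if locked)."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return 0
        key = self._range(ip)
        recent = [t for t in self._failures[key] if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            self._failures.pop(key, None)
            return 0
        return self.max_attempts - len(recent)

    def record_success(self, ip):
        # A successful login clears the failure history for that range.
        self._failures.pop(self._range(ip), None)


def simulate(events, policy=None):
    """Run (timestamp, ip, password_ok) events through the policy; return the
    message the login page would show for each one."""
    policy = policy or LoginLockout()
    messages = []
    for now, ip, ok in events:
        if policy.is_locked(ip, now):
            messages.append(f"locked: retry in {policy.lockout_remaining(ip, now)}s")
        elif ok:
            policy.record_success(ip)
            messages.append("login ok")
        else:
            left = policy.record_failure(ip, now)
            if left == 0:
                messages.append(f"locked out for {policy.lockout}s")
            else:
                messages.append(f"invalid password: {left} attempts remaining")
    return messages


# Constructed sample: three guesses from one /24, then a fourth host in the same
# range, then an unrelated host elsewhere.
SAMPLE_EVENTS = [
    (0, "203.0.113.10", False),
    (10, "203.0.113.11", False),
    (20, "203.0.113.12", False),
    (30, "203.0.113.99", True),     # correct password, but the range is locked
    (30, "198.51.100.5", True),     # different range, unaffected
]

if __name__ == "__main__":
    for event, msg in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", msg)
```

The point of keying on the range rather than the single address is the one Login LockDown makes: a lockout tied to one exact IP is trivially dodged from the neighbouring address, while a per-range lock closes the whole subnet for the lockout period. Note also that a correct password during the lock is still refused, which is what prevents the last guess of a burst from succeeding.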

And last but not least, as a final line of defense you should always make sure to back up your WordPress installation regularly, in multiple locations (read my article). I know posts like this seem like nagging or a waste of time, but the first time your blog is hacked you'll be kicking yourself for not having taken action.
