When logging in to a WordPress site, users supply a username and password that WordPress associates with their account. If an attacker can guess the right username and password, they can authenticate in the same way. The process of guessing is called a brute force attack: the attacker tries different combinations of usernames and passwords until they discover one that works.
Brute force attacks are effective when WordPress users choose usernames and passwords that are easy to guess. Criminals use automated botnets — which are usually made up of compromised WordPress sites — to make thousands of login attempts with different credentials.
Towards the end of December, WordFence wrote about the largest brute force campaign they had ever seen. An attacker was attempting to brute force access to thousands of WordPress sites. Once they had access to a site, the attacker installed malware with two jobs: to brute force more WordPress sites from that server, and to run cryptomining software on it.
Cryptomining software hijacks a server's resources to mine cryptocurrency. Cryptocurrencies like Bitcoin and Litecoin are created by solving computationally expensive math problems, and cryptomining malware makes compromised machines do that work on the attacker's behalf. In this case the malware mines Monero, a cryptocurrency designed to be mined efficiently on ordinary CPUs rather than GPUs, which is what makes web servers worthwhile targets. According to WordFence, the campaign had already earned the attacker well over $100,000.
Victims of the campaign have their sites compromised and their server resources used to generate coins rather than serving the site. Because the malware also carries out attacks on other sites, there’s a strong chance of infected sites being blacklisted by security companies and browser developers.
Protecting WordPress sites against brute force attacks is straightforward. A guessing attack only succeeds if the credentials are simple enough to appear in the attacker's word list and the WordPress site lets the attacker keep trying for as long as that takes.
Use Complex Passwords
The obvious solution is to insist on complex passwords that are difficult to guess. A long, random password takes far longer to guess than a short dictionary word, because every additional random character multiplies the number of combinations an attacker has to try, whereas a dictionary word is one of a few hundred thousand entries in the attacker's word list. At the rates a botnet can manage against a web login form, a random password of 16 or more characters would take millions of years to guess; a short dictionary password like "password" can be guessed in less than a second.
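One way to enforce such a policy rather than hoping users follow it is to hook the two places where WordPress accepts a new password. The must-use plugin below is an added example written for this article, not code from any plugin the article names; the minimum length, the tiny constructed blocklist and every `example_` name are assumptions, and a real deployment would check against a large leaked-password dataset instead of seven literals.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 * Description: Rejects short or well-known passwords whenever a user sets one.
 * Install by copying this file into wp-content/mu-plugins/ (hypothetical example code).
 */

// Policy values are assumptions for this example; tune them for your site.
define('EXAMPLE_MIN_PASSWORD_LENGTH', 16);

// A constructed stand-in for a real list of leaked or common passwords.
// A production plugin would check against a large dataset instead.
define('EXAMPLE_COMMON_PASSWORDS', ['password', 'password1', '123456', 'qwerty', 'letmein', 'welcome', 'admin']);

/**
 * Return null when $password is acceptable, otherwise a message explaining why not.
 */
function example_password_problem(string $password): ?string
{
    if (strlen($password) < EXAMPLE_MIN_PASSWORD_LENGTH) {
        return sprintf('Passwords must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH);
    }

    // Drop trailing digits and symbols and lower-case the rest, so a common word
    // dressed up with capitals and a numeric suffix ("Welcome123456789", which is
    // 16 characters long) is still recognised as "welcome" and rejected.
    $core = strtolower(preg_replace('/[^a-z]+$/i', '', $password));
    if (in_array($core, EXAMPLE_COMMON_PASSWORDS, true)) {
        return 'That password is too common; choose a long random one instead.';
    }

    return null;
}

/**
 * Hook callback shared by the profile form and the password-reset form.
 * WordPress hands us a WP_Error; adding an error to it aborts the save and
 * shows the message to the user.
 */
function example_enforce_password_policy(WP_Error $errors): void
{
    // Both forms submit the new password as pass1; empty means "leave unchanged".
    if (empty($_POST['pass1'])) {
        return;
    }

    $problem = example_password_problem((string) wp_unslash($_POST['pass1']));
    if ($problem !== null) {
        $errors->add('example_weak_password', '<strong>Error:</strong> ' . esc_html($problem));
    }
}

// Fires when a user (or an administrator) saves a password on the profile or new-user page.
add_action('user_profile_update_errors', 'example_enforce_password_policy', 10, 1);
// Fires when a user completes the "lost your password?" flow.
add_action('validate_password_reset', 'example_enforce_password_policy', 10, 1);
```

The check is deliberately run on the server rather than in the browser: the password strength meter WordPress shows on the profile page is advisory only, and anything enforced in JavaScript can be skipped by submitting the form directly.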
Use Two-Factor Authentication
I advise WordPress site owners not to rely on users to create secure passwords: people tend to choose convenience over security. Installing a two-factor authentication plugin on your WordPress site means a guessed password is no longer enough on its own to log in, so a brute force attack cannot succeed without also compromising the second factor, and the site no longer depends on users doing the right thing.
There are many TFA plugins available for WordPress. Two Factor Authentication is among the most popular.
Limit Login Attempts
To find the right username and password combination, attackers have to make a lot of guesses. By limiting the number of login attempts that can be made from an IP address, site owners reduce the likelihood that the attacker will ever guess the right combination. The limit must cover every endpoint that accepts credentials, not only wp-login.php: the XML-RPC interface at xmlrpc.php also takes a username and password, and its system.multicall method lets a single HTTP request carry many attempts, so a limiter that only counts requests to the login form can be bypassed.
WP Limit Login Attempts can temporarily block IPs if they make too many login attempts and display CAPTCHA tests to suspected bots.
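To show what such a plugin actually has to do, here is an added example must-use plugin written for this article; it is not the code of WP Limit Login Attempts or any other plugin, and the thresholds and `example_` names are assumptions. It counts failures per client IP in a WordPress transient and refuses further logins from that address once the threshold is reached, covering both the login form and XML-RPC because both paths go through `wp_authenticate()`.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Locks a client IP out of WordPress login after repeated failures.
 * Install by copying this file into wp-content/mu-plugins/ (hypothetical example code).
 */

// Limits are assumptions for this example.
define('EXAMPLE_MAX_FAILURES', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 15 * 60);

/**
 * Address to count failures against. REMOTE_ADDR is used deliberately: headers
 * such as X-Forwarded-For are attacker-controlled unless a proxy you operate
 * overwrites them, and trusting them lets a bot reset its own counter at will.
 */
function example_client_ip(): string
{
    return (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

function example_failure_key(string $ip): string
{
    return 'example_login_fail_' . md5($ip);
}

function example_failure_count(string $ip): int
{
    return (int) get_transient(example_failure_key($ip));
}

/**
 * Count a failed login. WordPress fires wp_login_failed from wp_authenticate(),
 * which both wp-login.php and the XML-RPC endpoint go through, so guesses sent
 * via xmlrpc.php (including system.multicall batches) are counted as well.
 * Attempts rejected by the lockout below fire it too, so a bot that keeps
 * hammering keeps extending its own lockout.
 */
function example_record_failed_login(string $username): void
{
    $ip       = example_client_ip();
    $failures = example_failure_count($ip) + 1;
    // Re-setting the transient restarts the lockout window on every failure.
    set_transient(example_failure_key($ip), $failures, EXAMPLE_LOCKOUT_SECONDS);

    if ($failures >= EXAMPLE_MAX_FAILURES) {
        error_log(sprintf('login lockout: ip=%s user=%s failures=%d', $ip, $username, $failures));
    }
}
add_action('wp_login_failed', 'example_record_failed_login', 10, 1);

/**
 * Reject logins from a locked-out IP. Priority 30 runs after the core
 * username/password check (priority 20), which ignores an earlier WP_Error
 * when both fields are filled in; hooking later lets the lockout override
 * the result even when the guess happened to be right.
 */
function example_block_locked_out_ip($user, string $username, string $password)
{
    if (example_failure_count(example_client_ip()) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'example_locked_out',
            sprintf('Too many failed logins from your address. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'example_block_locked_out_ip', 30, 3);

// Forget the counter once a legitimate login succeeds from that address.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(example_failure_key(example_client_ip()));
}, 10, 2);
```

Two caveats a practitioner should keep in mind. Per-IP counters do nothing against a botnet that spreads its guesses across thousands of addresses, which is exactly what the campaign described above does, so this control belongs alongside strong passwords and two-factor authentication rather than in place of them. And without a persistent object cache, transients live in the options table, which is fine at these volumes but means the lockout state is reset if that table is cleared.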
In 2018, we expect to see more attackers taking advantage of crypto mining malware as cryptocurrencies rise in value. By following the steps we outline here, WordPress site owners can prevent their sites from being used to make money for criminals.