WordPress Sites Exploited Through Brute Force: 3 Simple Ways to Protect Yourself from the Attack
During the past week we noticed an abnormal increase of brute force attacks targeting WordPress applications.
The attacks use automated scripts that attempt to log in to the default WordPress admin login page using common usernames and passwords.
The brute force attacks originate from a large number of sources consisting of both legitimate web servers and private home computers. Several reports have been published which have positively identified almost 90,000 attacking sources.
Once the attacking script successfully guesses a username and password, it uses the gained admin credentials to upload a malicious script to the compromised server.
While many of the brute force attempts were unsuccessful in guessing the admin credentials, the high volume of the attacks has caused excessive resource utilization to the servers hosting the WordPress applications, resulting in unresponsiveness to legitimate users for the duration of the attack.
Mitigation Recommendation
In order to mitigate the attack, administrators of WordPress servers are encouraged to use the following preventive measures:
- Enable WordPress’ ‘Two Step Authentication’.
- Harden the security of WordPress configurations.
- Choose a complex and non-common password.
Our ERT team confirmed two additional protection methods that may effectively mitigate the attacks. Since the attacks use common wordlists to perform the brute force, one method is to use JavaScript Web Challenges. This method has been proven to be successful in dropping the automated brute force tools while allowing legitimate JavaScript-compliant clients to access the site. (Note that it is important to verify that legitimate clients support JavaScript in order to prevent false positives.)
The second is to use an abnormal applicative behavior detection appliance that secures Web applications. This can block these brute force attacks by detecting multiple unsuccessful login attempts to the WordPress login page originating from the same source in a short time period. The malicious sources can then be suspended or blocked for configurable timeframes.
Additionally, in scenarios where shared IPs are used (such as proxy servers), a throttling policy can also be applied in order to allow legitimate users to access the login page while effectively blocking malicious requests originating from that same IP address.
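The detection logic described above, as an added example that is not part of the original post or any vendor appliance: it reads web-server access logs in the common combined format, counts failed POSTs to wp-login.php per source address in a sliding window, and returns a block decision for ordinary sources or a throttle decision for addresses listed as shared. It assumes that a failed WordPress login re-renders the form with a 200 status while a successful login answers with a 302 redirect; the log lines, addresses, threshold and timeframes are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log: we only need client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log. 203.0.113.5 is the brute forcer; 198.51.100.7 mistypes
# twice, then succeeds (WordPress answers a good login with a 302 to wp-admin);
# 192.0.2.9 is a shared proxy address, so it is throttled rather than blocked.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.9 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.5 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.9 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.5 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.7 - - [12/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.9 - - [12/Apr/2013:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
"""

def is_failed_login(method, path, status):
    # A failed WordPress login POSTs wp-login.php and gets the form back (200).
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200

def detect(log, threshold=4, window=timedelta(seconds=60),
           block_for=timedelta(minutes=15), shared_ips=frozenset()):
    """Return {ip: (action, until)} for sources reaching `threshold` failed
    logins inside a sliding `window`; shared IPs get 'throttle', others 'block'."""
    recent, actions = defaultdict(deque), {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        if not is_failed_login(m["method"], m["path"], int(m["status"])):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in actions:
            action = "throttle" if m["ip"] in shared_ips else "block"
            actions[m["ip"]] = (action, ts + block_for)
    return actions
```

On the sample, the brute forcer is blocked at its fourth failure, the proxy address is throttled instead, and the user who mistyped twice is never listed because the successful 302 is not counted as a failure.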