Distributed brute force attack on WordPress sites

We have received notification from one of our security partners, Wordfence, that the largest distributed brute force attack they have seen has been underway since yesterday.

The real-time attack map on www.wordfence.com became so busy that Wordfence throttled the traffic shown to 4% of actual activity yesterday. We note at 11:56am South Africa time that the map does not appear to be working at all. So it’s possible, although not confirmed, that they have needed to shut the map down as a result of too much data streaming into the system.

A brute force attack against a WordPress site is a hacking attempt in which the username and password for a user are tried over and over again until a match is found. That may seem like an onerous task, but it’s remote bots that try again and again, not people, and they often work from a pre-defined list of common passwords.

The good news is that we have taken steps to protect all our WordPress installations from brute force attacks. Even so, it’s always a good idea to ensure that your passwords are not common words, contain upper and lower case letters, numbers and special characters.
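To show why a distributed attack is harder to spot than a single noisy bot, here is an added example (not Wordfence’s code or ours) that scans constructed web server access-log lines for failed wp-login.php attempts and flags a window where the site total is high even though no single IP address crosses a per-IP limit. It assumes Apache combined-format logs and the WordPress behaviour of answering a failed login POST with HTTP 200 and a successful one with a 302 redirect.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format, trailing fields trimmed).
# WordPress re-renders the form with HTTP 200 on a failed wp-login.php POST and
# answers a successful one with a 302 redirect, so a 200 POST is counted as a failure.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2013:11:50:01 +0200] "GET /wp-login.php HTTP/1.1" 200 2741
203.0.113.10 - - [10/Apr/2013:11:50:05 +0200] "POST /wp-login.php HTTP/1.1" 200 3126
203.0.113.11 - - [10/Apr/2013:11:50:09 +0200] "POST /wp-login.php HTTP/1.1" 200 3126
198.51.100.7 - - [10/Apr/2013:11:50:14 +0200] "POST /wp-login.php HTTP/1.1" 200 3126
198.51.100.8 - - [10/Apr/2013:11:50:20 +0200] "POST /wp-login.php HTTP/1.1" 200 3126
192.0.2.33 - - [10/Apr/2013:11:50:27 +0200] "POST /wp-login.php HTTP/1.1" 200 3126
192.0.2.34 - - [10/Apr/2013:11:50:31 +0200] "POST /wp-login.php HTTP/1.1" 200 3126
192.0.2.35 - - [10/Apr/2013:11:50:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.12 - - [10/Apr/2013:11:50:44 +0200] "POST /wp-login.php HTTP/1.1" 200 3126
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_wp_logins(log_text):
    """Return sorted (timestamp, source_ip) pairs for failed wp-login.php POSTs."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            events.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip))
    return sorted(events)

def detect_bruteforce(events, window=timedelta(minutes=5), per_ip=10, total=20):
    """Classify the window starting at the first failure: 'single-source' if any
    one IP reaches per_ip failures, 'distributed' if the site total reaches
    `total` while no single IP does, else 'none'. A per-IP limit alone misses
    the distributed case, which is the point of the check."""
    if not events:
        return ("none", set())
    start = events[0][0]
    in_window = [ip for ts, ip in events if ts - start <= window]
    counts = Counter(in_window)
    noisy = {ip for ip, n in counts.items() if n >= per_ip}
    if noisy:
        return ("single-source", noisy)
    if len(in_window) >= total:
        return ("distributed", set(counts))
    return ("none", set())
```

With the thresholds lowered to fit the short sample (per_ip=3, total=6), the seven failures from seven different addresses are reported as distributed; with the defaults nothing is flagged, which is exactly how a per-IP rule loses a spread-out attack.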

As it turns out, the single most commonly used security password is now “123456” – which unseated 2012’s most pointless security phrase “password”.

See the list of worst passwords for 2013 from SplashData:

Rank  Password
   1  123456
   2  password
   3  12345678
   4  qwerty
   5  abc123
   6  123456789
   7  111111
   8  1234567
   9  iloveyou
  10  adobe123
  11  123123
  12  admin
  13  1234567890
  14  letmein
  15  photoshop
  16  1234
  17  monkey
  18  shadow
  19  sunshine
  20  12345
  21  password1
  22  princess
  23  azerty
  24  trustno1
  25  000000
