One of the easiest ways to attack a web site is to gain entry through a content management system, such as WordPress. To do this, hackers try to force a login to a site’s WordPress installation using frequently used passwords. These sorts of attacks are known as brute-force attacks.


The rise of wide-scale Brute-force attacks


Most sites have developed countermeasures that limit the number of logins, so hackers have developed different kinds of brute-force attacks. Instead of launching millions of login attempts on a single site, they now use limited login attempts on millions of different web sites.



These sorts of wide-scale brute force attacks take advantage of the fact that users often make multiple login attempts when they forget or misspell their passwords. It’s difficult to distinguish these occurrences from hacking attempts, so administrators “leave the door open,” so to speak. If they block access after a few failed login attempts, they risk shutting out legitimate users.

When a wide-scale brute-force attack on a WordPress account succeeds, an attacker can often modify a theme to inject backdoor code, as shown here:


pasted image 0 (9)-1


Wide-scale attacks are a growing problem


The Imunify360 product team looked at over 2000 WordPress domains that were attacked on April 22, 2020, and made these conclusions and projections:


pasted image 0 (10)-1

What we found was that:

  • The top 10,000 frequently used passwords were used in half of the login attempts.
  • On average, an attacker will need to try 64 domains, with 14 login attempts on each, to discover an account with a weak password.
  • Weak passwords were used for around 10% of successful login attempts. This means that sites with weak user passwords either can be hacked, or they already have been.

Basically, our analysis showed that weak user passwords in WordPress are like a multiple-lane highway that hackers can travel to gain control of web sites.


Imunify360 protects against wide-scale attacks


The latest version of Imunify360, version 4.7, is designed to block wide-scale brute-force attacks. It does this by checking passwords used on login attempts against a list of well-known weak passwords. If a login attempt uses one of these passwords, the user is redirected to a page that prompts him to change his password:


pasted image 0 (18)

When the user clicks the “Reset password” button, he’s taken to the WordPress password reset page. It doesn’t break any kind of WordPress functionality, as the password reset procedure does not require a user to be logged in.


Enabling protection against wide-scale attacks


In Imunify360 version 4.7, this WordPress login protection feature is disabled by default. But enabling it is easy. To do that, just:

1. Navigate to the settings page, and click the General tab.

pasted image 0 (19)

2. Scroll to WAF settings.

3. Enable the “WordPress Account Compromise Prevention” option.

pasted image 0 (20)

From the CLI, this feature can be enabled with the following command:

imunify360-agent config update '{"MOD_SEC": {"cms_account_compromise_prevention": true}}'


Disabling the WordPress protection feature

If you’d like to disable this feature for one or multiple domains, you can do that in the UI by disabling rule 33355:


pasted image 0 (21)


Or, you can disable it with the CLI command:

imunify360-agent rules disable --name "Disable cms_account_compromise_prevention" --id 33355 --plugin modsec --domains ""

Telegram: @licenseflare | if have any question just contact Us and ask it | daily discount code : Show On Telegram Channel