One of the easiest ways to attack a web site is to gain entry through its content management system, such as WordPress. To do this, attackers try to log in to a site’s WordPress installation by guessing commonly used passwords. These sorts of attacks are known as brute-force attacks.

The rise of wide-scale brute-force attacks

Most sites now have countermeasures that limit the number of login attempts, so attackers have developed a different kind of brute-force attack. Instead of launching millions of login attempts against a single site, they now make a limited number of login attempts against millions of different web sites.

These wide-scale brute-force attacks take advantage of the fact that users often make several login attempts when they forget or mistype their passwords. It is difficult to distinguish these occurrences from attack attempts, so administrators “leave the door open,” so to speak: if they block access after a few failed login attempts, they risk locking out legitimate users.
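The following added example (not code from the original post or from Imunify360) shows why a per-site failed-login threshold misses this pattern and what a server-level correlation across sites would catch. It assumes a simplified combined log format of the form "vhost client_ip status method path", and that a failed wp-login.php POST re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified per-vhost log format:
# "<vhost> <client_ip> <status> <method> <path>". Assumed here: a failed
# wp-login.php POST re-renders the form (HTTP 200), success redirects (302).
SAMPLE_LOG = """\
shop.example.org 203.0.113.10 200 POST /wp-login.php
shop.example.org 203.0.113.10 200 POST /wp-login.php
shop.example.org 203.0.113.10 302 POST /wp-login.php
shop.example.org 198.51.100.7 200 POST /wp-login.php
shop.example.org 198.51.100.7 200 POST /wp-login.php
blog.example.net 198.51.100.7 200 POST /wp-login.php
blog.example.net 198.51.100.7 200 POST /wp-login.php
news.example.com 198.51.100.7 200 POST /wp-login.php
news.example.com 198.51.100.7 200 POST /wp-login.php
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")

def failed_logins(log_text):
    """Yield (vhost, ip) for every failed POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        vhost, ip, status, method, path = m.groups()
        if method == "POST" and path.endswith("/wp-login.php") and status == "200":
            yield vhost, ip

def per_site_offenders(log_text, limit=5):
    """Classic per-site rule: an IP with more than `limit` failures on one site."""
    counts = defaultdict(int)
    for vhost, ip in failed_logins(log_text):
        counts[(vhost, ip)] += 1
    return {pair for pair, n in counts.items() if n > limit}

def wide_scale_offenders(log_text, min_sites=3, min_failures=6):
    """Cross-site rule: an IP spreading a few failures over many sites."""
    sites, failures = defaultdict(set), defaultdict(int)
    for vhost, ip in failed_logins(log_text):
        sites[ip].add(vhost)
        failures[ip] += 1
    return {ip for ip in failures
            if len(sites[ip]) >= min_sites and failures[ip] >= min_failures}

if __name__ == "__main__":
    print("per-site rule flags:", per_site_offenders(SAMPLE_LOG) or "nothing")
    print("cross-site rule flags:", wide_scale_offenders(SAMPLE_LOG))
```

In the sample, the legitimate user (two typos, then a successful login on one site) trips neither rule, while the source spreading two failures over each of three sites is invisible to the per-site rule and caught only by the cross-site one.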

When a wide-scale brute-force attack on a WordPress account succeeds, an attacker can often modify a theme to inject backdoor code, as shown here:

[Screenshot: backdoor code injected into a theme file]

Wide-scale attacks are a growing problem

The Imunify360 product team looked at over 2000 WordPress domains that were attacked on April 22, 2020, and made these conclusions and projections:

[Chart: analysis of WordPress domains attacked on April 22, 2020]

What we found was that:

  • The top 10,000 frequently used passwords were used in half of the login attempts.
  • On average, an attacker will need to try 64 domains, with 14 login attempts on each, to discover an account with a weak password.
  • Weak passwords were used in around 10% of successful login attempts. This means that sites with weak user passwords either can be compromised or already have been.

Basically, our analysis showed that weak user passwords in WordPress are like a multiple-lane highway that hackers can travel to gain control of web sites.

Imunify360 protects against wide-scale attacks

The latest version of Imunify360, version 4.7, is designed to block wide-scale brute-force attacks. It does this by checking the password used in each login attempt against a list of well-known weak passwords. If a login attempt uses one of these passwords, the user is redirected to a page that prompts them to change their password:

[Screenshot: the page prompting the user to change a weak password]

When the user clicks the “Reset password” button, they are taken to the WordPress password reset page. This does not break any WordPress functionality, because the password reset procedure does not require the user to be logged in.

Enabling protection against wide-scale attacks

In Imunify360 version 4.7, this WordPress login protection feature is disabled by default, but enabling it is straightforward:

1. Navigate to the settings page, and click the General tab.

[Screenshot: Imunify360 settings page, General tab]

2. Scroll to WAF settings.

3. Enable the “WordPress Account Compromise Prevention” option.

[Screenshot: the “WordPress Account Compromise Prevention” option under WAF settings]

From the CLI, this feature can be enabled with the following command:

imunify360-agent config update '{"MOD_SEC": {"cms_account_compromise_prevention": true}}'

Disabling the WordPress protection feature

If you’d like to disable this feature for one or multiple domains, you can do that in the UI by disabling rule 33355:

[Screenshot: rule 33355 in the Imunify360 UI]

Or, you can disable it with the CLI command:

imunify360-agent rules disable --name "Disable cms_account_compromise_prevention" --id 33355 --plugin modsec --domains "example.org"