WordPress is incredibly easy to manage, but it is also easy to attack. You don’t even need to know how to hack to gain access to random WordPress sites: search for “download WordPress hack scripts” or “download SQL injection scripts for WordPress” and several results appear. With enough searching, you can download and run a script that probes any site you point it at for known vulnerabilities.
One common method is to automate login attempts against the WordPress administration dashboard. A stock WordPress install includes no rate limiting and no alerting to defend against this, so an attacker can run login attempts continuously without you ever knowing, unless you install the right protection. The result is that you wake up to a completely hijacked administrator account. The attacker could inject malware into the site, plant hidden links in the content, or redirect your visitors to a server they control, stealing your traffic.
Anything the attacker does to your site can be devastating. One answer is a security plugin called Wordfence. It lets you block suspicious login attempts, rate-limit abusive request floods, and monitor who logged into your dashboard, successfully or not. Once you install Wordfence, you will be surprised at the number of malicious attempts targeting your site. Even small sites are targets for attackers who want control of a WordPress blog.
Understanding Brute Force Cyber Threats
The main reason for Wordfence is protection from brute-force attacks. Before you can appreciate why that matters, you should understand how a brute-force attack works. When you install WordPress, the wp-admin directory holds the dashboard, and the login page (wp-login.php) sits in front of it. When you open the page, you enter your user name and password. If they are correct, you reach the dashboard. If you enter incorrect information, you get an error message and the login prompt again. You try again and either fail or succeed, and you keep trying until a login succeeds. A brute-force attack uses exactly this loop, just automated.
Because every WordPress site is built from the same code, everyone knows where the login page lives. If you are clever you could move it, but without a plugin that means patching core files, which the next WordPress update overwrites. Not every site owner has those skills.
Brute-force hacking takes the known login URL and automatically submits a user name and password. When the attempt fails, the script takes the next password on its list and tries again. The list can be dictionary words, combinations of those words, or an exhaustive search that starts with a single character and keeps adding characters until the password is found. To most people this sounds like it would take years. With a strong password, and a slow password hash protecting any stolen copy of it, guessing really can take decades. With a poor password it takes seconds.
Assume you have a password that is one character long. A character is 8 bits, and the maximum number of guesses is 2 raised to the number of bits. For an 8-bit (one-character) password, the computer has to guess at most 2^8 = 256 times.
With multi-character passwords the calculation is a bit different. Say your password uses lowercase letters only. There are 26 letters in the English alphabet, so an 8-character password has 26^8 (about 2.1 × 10^11) possibilities. Adding a character class adds to the base, not the exponent: allowing uppercase letters as well doubles the alphabet to 52, and the count becomes 52^8 (about 5.3 × 10^13), 256 times larger.
These numbers are too large for a human to picture, but for a computer they are small. A GPU cracking rig working offline against leaked, fast-hashed passwords can exhaust every 8-character lowercase password in seconds; against a live login form each guess costs an HTTP round trip, which is far slower but still fast enough to run through a list of common passwords overnight. For this reason, always add complexity, special characters, numbers and capital letters, and length: every extra character multiplies the search space by the size of the alphabet.
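To put the arithmetic above into practice, here is an added Python example (not code from the article or from Wordfence) that computes the search space, its size in bits, and the worst-case guessing time for a password, contrasting an assumed online rate against a live login form with an assumed offline rate against leaked fast hashes. Both rates and the 33-character punctuation class are illustrative assumptions, not measurements.

```python
import math

# Assumed guess rates, for illustration only (not figures from the article).
ONLINE_GUESSES_PER_SEC = 10          # a script submitting wp-login.php forms over HTTP
OFFLINE_GUESSES_PER_SEC = 10 ** 10   # a GPU rig against leaked, fast-hashed passwords


def charset_size(password):
    """Size of the alphabet an attacker must search, judged by the
    character classes present (the standard rough estimate)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space (assumed class size)
    return size


def keyspace(charset, length):
    """Number of candidate passwords: alphabet size raised to the length."""
    return charset ** length


def entropy_bits(charset, length):
    """The same quantity in bits, comparable with the 8-bit example above."""
    return length * math.log2(charset)


def worst_case_seconds(charset, length, guesses_per_sec):
    """Time to try every candidate at the given rate."""
    return keyspace(charset, length) / guesses_per_sec


def describe(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(password):
    """Summarise how hard a password is to brute-force, online and offline."""
    charset, length = charset_size(password), len(password)
    return {
        "charset": charset,
        "keyspace": keyspace(charset, length),
        "bits": round(entropy_bits(charset, length), 1),
        "online": describe(worst_case_seconds(charset, length, ONLINE_GUESSES_PER_SEC)),
        "offline": describe(worst_case_seconds(charset, length, OFFLINE_GUESSES_PER_SEC)),
    }


if __name__ == "__main__":
    for pw in ("password", "Password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r:32} {report(pw)}")
```

Running it shows the two regimes side by side: an 8-character lowercase password is about 37.6 bits, centuries of work through a login form at ten guesses a second, but about 20 seconds once the hashes have leaked. Length wins over class mixing: each added character multiplies the keyspace by the whole alphabet, while adding a class only enlarges the base.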
Reviewing Wordfence Brute Force Attack Reports
Wordfence starts working as soon as it is installed, and you will be surprised at how quickly the attacks appear. Even a blogger with a few dozen visitors a day will see dozens of brute-force attempts against the dashboard login.
Take a look at an image from a WordPress blog.
This blogger gets about 50 visitors a day, so the blog is not popular. It is a small-time blog with a close circle of readers, yet the attacker still found it. You know this is a brute-force attempt because the same login was tried dozens of times within a few seconds of each other. Scripts run quickly, so a single attacker can send several guesses per second, far more than a person mistyping a password would manage.
Notice that the attacker already knows to try the “admin” user name. Older WordPress installers created the first account as admin by default, and many site owners never changed it, which is a real security mistake. So the first maintenance task on a WordPress blog is to get rid of that account name: create a new administrator with a different name, log in as it, and delete the old admin user, reassigning its posts to the new account. This defeats the lazy scripts, which all try admin because it is so common, though not a determined attacker, since WordPress reveals author names through /?author=1 redirects and author archive URLs unless you block that too. As the administrator, you can click the “block” link in the report and stop the attacker. Wordfence automatically locks out an IP address after too many failed logins for a set time, while a manual block is permanent, or at least until the attacker switches to another IP address.
Some Considerations Before Using Wordfence
Wordfence works well, but sometimes a little too well. If you forget your password and try to log in too many times, Wordfence will lock you out too. Then you either wait out the lockout or disable the plugin by hand, by renaming or deleting its directory (wp-content/plugins/wordfence) over FTP or SSH, which deactivates it; the options page also lets you allowlist your own IP address so the rules never apply to you. Since waiting and deleting files are both inconvenient, the goal is to set Wordfence with enough security to stop attackers while still letting you in easily.
Wordfence has other features, such as the firewall and malware scanning. These are secondary but worthwhile. Take a look at the “Firewall Rules” section in the Wordfence settings.
Notice the option to exclude Google’s search bots from the rules. Turn it on to avoid blocking important crawlers; if you accidentally block them, your site could drop out of search results. The important setting on this page is the number of minutes a user is blocked after exceeding the thresholds. The image shows 5 minutes, but remember that an attacker can simply resume the attack after 5 minutes. It also means you only wait 5 minutes if you mistype your own credentials too many times too quickly. Anywhere between 5 and 20 minutes is a reasonable lockout. Bear in mind that the lockout is per IP address, so an attacker spreading guesses across many addresses slips under it; strong passwords remain the real defence.
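The lockout behaviour described in the report review above and tuned by the block-duration setting here, as an added Python example that is not Wordfence’s code: it replays a constructed sample of failed-login events (invented for this example, not taken from a real report) through a per-IP sliding-window lockout with a configurable failure threshold and block duration, showing the burst of admin guesses being blocked and the same attacker’s retry being counted afresh once a 5-minute block has expired. The class and field names are hypothetical.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of failed logins in the shape of a Wordfence-style login
# report (invented for this example, not real data): time, source IP, username.
SAMPLE_EVENTS = [
    ("2024-03-01 09:12:01", "203.0.113.7", "admin"),
    ("2024-03-01 09:12:01", "203.0.113.7", "admin"),
    ("2024-03-01 09:12:02", "203.0.113.7", "admin"),
    ("2024-03-01 09:12:02", "203.0.113.7", "admin"),
    ("2024-03-01 09:12:03", "203.0.113.7", "admin"),     # 5th failure in seconds: lock out
    ("2024-03-01 09:12:03", "203.0.113.7", "admin"),     # rejected while locked
    ("2024-03-01 09:12:04", "203.0.113.7", "admin"),     # rejected while locked
    ("2024-03-01 09:18:30", "203.0.113.7", "admin"),     # 5-minute block expired: counts again
    ("2024-03-01 09:30:00", "198.51.100.22", "editor"),  # a human mistyping, two tries in 15 min
    ("2024-03-01 09:45:00", "198.51.100.22", "editor"),
]


class LoginLockout:
    """Per-IP sliding-window lockout: the policy the settings page exposes as a
    failure threshold plus a block duration in minutes (hypothetical implementation)."""

    def __init__(self, max_failures=5, window_minutes=5, lockout_minutes=5):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self._recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
        self.locked_until = {}             # ip -> datetime when the block expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register one failed login at time `now`. Returns 'locked' if the IP was
        already blocked, 'blocked' if this failure crossed the threshold, else 'counted'."""
        if self.is_locked(ip, now):
            return "locked"
        recent = self._recent[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "blocked"
        return "counted"


def replay(events, **policy):
    """Run a report's failed-login events through the lockout policy and summarise:
    which IPs were blocked and until when, how each attempt was handled, and which
    usernames were targeted (a flood of 'admin' is the signature of a lazy script)."""
    limiter = LoginLockout(**policy)
    blocks, outcomes, usernames = [], Counter(), Counter()
    for ts, ip, username in events:
        now = datetime.strptime(ts, TS_FORMAT)
        usernames[username] += 1
        outcome = limiter.record_failure(ip, now)
        outcomes[outcome] += 1
        if outcome == "blocked":
            blocks.append((ip, limiter.locked_until[ip].strftime(TS_FORMAT)))
    return {"blocks": blocks, "outcomes": dict(outcomes), "usernames": dict(usernames)}


if __name__ == "__main__":
    for minutes in (5, 20):
        summary = replay(SAMPLE_EVENTS, lockout_minutes=minutes)
        print(f"lockout {minutes} min: blocks={summary['blocks']} outcomes={summary['outcomes']}")
    print("usernames targeted:", replay(SAMPLE_EVENTS)["usernames"])
```

With the 5-minute block the attacker’s 09:18:30 retry is simply counted as a fresh failure, exactly the restart the text warns about; with a 20-minute block it is still rejected. The two slow failures from the second address never reach the threshold, which is the balance the settings aim for: a mistyping human is never locked out while a script is. Because the state is keyed on the source IP, guesses spread across many addresses would each stay under the threshold, so the lockout complements strong passwords rather than replacing them.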
Once these few settings are in place, you can close the dashboard and let Wordfence do its work. Don’t be the victim of brute-force hacking when you can easily set up Wordfence to stop it. You might think your blog is hidden and not a target, but after just one day of monitoring you will see attempts arriving daily.