Aggressive Brute Force Wordpress Attack

Discussion in 'Wordpress Support' started by UK Business Directory, Dec 20, 2017.

Thread Status:
Not open for further replies.
  1. UK Business Directory

    UK Business Directory UKBF Contributor Full Member

    A massive distributed brute force attack campaign targeting WordPress sites started on the 18th December 2017 at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour.

    The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest volume attack that we have seen in Wordfence history, since 2012.

    The campaign continues to ramp up in volume during the past hour as we publish this post. A graph of the attack volumes is shown below which shows the number of attacks per hour and the number of attacking IPs that we see each hour.

    A possible explanation for this new massive increase in brute force attacks
    On December 5th, a massive database of hacked credentials emerged. It contains over 1.4 billion username/password pairs. Approximately 14% of the database contains credentials that have not been seen before. The database is also searchable and easy to use.

    Historically, brute force attacks targeting WordPress have not been very successful. This new database provides fresh credentials that, when matched with a WordPress username, may provide a higher success rate for attackers targeting sites that do not have any protection.

    Read more at: https://www.wordfence.com/blog/2017/12/aggressive-brute-force-wordpress-attack/
     
    Posted: Dec 20, 2017 By: UK Business Directory Member since: Nov 16, 2016
    #1
  2. Violinni

    Violinni UKBF Regular Free Member

    Brute-force attacks cannot really do any damage to you, if you know what you’re doing.

    For WordPress, I use 2 plugins that stop all attacks, one of them is a Premium one.

    I also use a password generator to create a 20-character random password like this one:
    CswKjv&#4G)8!#W6$[Q}

    I also hide my WP version, my login panel, and I set up my plugins to automatically block more than 3 login attempts.

    Aaand...I add a few tweaks more.
     
    Posted: Dec 22, 2017 By: Violinni Member since: Dec 21, 2017
    #2
  3. fisicx

    fisicx It's Major Clanger! Staff Member

    Except: https://xkcd.com/936/
     
    Posted: Dec 22, 2017 By: fisicx Member since: Sep 12, 2006
    #3
  4. Violinni

    Violinni UKBF Regular Free Member

    Posted: Dec 23, 2017 By: Violinni Member since: Dec 21, 2017
    #4
  5. fisicx

    fisicx It's Major Clanger! Staff Member

    Did you read what it said? Random character strings are no more secure than a string of words.
     
    Posted: Dec 23, 2017 By: fisicx Member since: Sep 12, 2006
    #5
  6. Violinni

    Violinni UKBF Regular Free Member


    Then why did websites start asking us to use symbols and capital letters and numbers all mixed in, and why did they start asking us now?
     
    Posted: Dec 23, 2017 By: Violinni Member since: Dec 21, 2017
    #6
  7. fisicx

    fisicx It's Major Clanger! Staff Member

    It’s because they think it’s more secure. It’s not.
     
    Posted: Dec 23, 2017 By: fisicx Member since: Sep 12, 2006
    #7
  8. Violinni

    Violinni UKBF Regular Free Member

    For my most important passwords I always used a combo of weird words. But for not that important websites I use a password manager that auto-generates a random bunch of symbols.

    That’s something new I will dig into.

    Thanks for the info!
     
    Posted: Dec 23, 2017 By: Violinni Member since: Dec 21, 2017
    #8
  9. alex3215

    alex3215 UKBF Contributor Free Member

    Hahahaha "correct horse battery staple", it's almost 2AM and I'm reading this :D
    But it makes sense :D
     
    Posted: Dec 24, 2017 By: alex3215 Member since: Dec 18, 2017
    #9
  10. Alan

    Alan UKBF Legend Full Member - Verified Business

    There are three forms of password attack: password generation, dictionary attack and leaked credentials.

    With current processing power, 9 random characters are enough to make sequential generation ineffective.

    With dictionary attacks, where passwords are matched against a combination of words, 4 words give sufficient combinations, so indeed "correct horse battery staple" is a safe password, well it was until 2 seconds ago.

    The latest attack is leaked credentials - that is where a database has been built up of user name / password combinations that have been obtained by hacks. This attack works on the basis that people use the same password for multiple services; even a 20-character random password is pointless if used on 2 sites.

    So to be secure either
    1) use random characters, over 9 in length (20 is so much better) - but then you have to use a password manager BUT NEVER use the same password on different sites
    2) use at least 4 dictionary words, that way you can possibly remember passwords without a password manager
    BUT NEVER use the same password on different sites, this creates a challenge to remember without some 'scheme' that helps you remember


    BUT passwords are inherently insecure due to phishing attacks, so if you can ever add an extra layer of security, e.g. 2 factor authentication - do so
     
    Posted: Dec 25, 2017 By: Alan Member since: Aug 16, 2011
    #10
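The three attack forms Alan lists, put into numbers, as an added example that is not part of the thread. It assumes a 94-character printable ASCII alphabet, the 2048-word list behind xkcd 936, the 7776-word Diceware list, and uses the 14 million guesses per hour peak quoted from Wordfence as an illustrative online guess rate; the leaked-credential set is constructed.

```python
import math

# Assumed alphabet and word-list sizes (not from the thread).
PRINTABLE_ASCII = 94
XKCD_WORDS = 2048        # the word list xkcd 936 assumes
DICEWARE_WORDS = 7776    # standard Diceware list

# Peak rate quoted from Wordfence for the Dec 2017 campaign, reused here
# as an illustrative attacker guess rate against one site.
GUESSES_PER_HOUR = 14_000_000


def entropy_random_chars(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def entropy_word_passphrase(words: int, wordlist_size: int = XKCD_WORDS) -> float:
    """Bits of entropy in `words` words drawn uniformly from a word list."""
    return words * math.log2(wordlist_size)


def hours_to_exhaust(bits: float, rate_per_hour: float = GUESSES_PER_HOUR) -> float:
    """Hours needed to try every candidate at the given guess rate."""
    return 2 ** bits / rate_per_hour


def leaked_credential_hit(username: str, password: str, leak: set) -> bool:
    """Credential stuffing ignores entropy: the only question is whether this
    exact (username, password) pair is already in a leaked database."""
    return (username.lower(), password) in leak


# Constructed sample leak: one reused strong-looking password, one weak one.
SAMPLE_LEAK = {("alice", "Xq7#mW2$pL9@kR4!vN8%"), ("bob", "password1")}


def compare() -> dict:
    """Entropy of the password styles discussed in the thread."""
    return {
        "random_9": entropy_random_chars(9),
        "random_20": entropy_random_chars(20),
        "xkcd_4_words": entropy_word_passphrase(4),
        "diceware_4_words": entropy_word_passphrase(4, DICEWARE_WORDS),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        years = hours_to_exhaust(bits) / (24 * 365)
        print(f"{name:18s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    # A 131-bit password still falls instantly if the pair is in a leak.
    print("alice hit in leak:", leaked_credential_hit("alice", "Xq7#mW2$pL9@kR4!vN8%", SAMPLE_LEAK))
```

The years figures assume the attacker never guesses faster than the quoted rate; an offline attack on a stolen hash is orders of magnitude faster, which is why the leak check matters more than the bit count.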