This Is How WordPress Sites Are Attacked Almost a Billion Times a Month

Jan Hornung Last updated 23.01.2020
4 Min.
Brute Force attacks

In May 2017 alone. WordPress sites almost one billion times with so-called Brute Force attacks bombarded. This makes automated login attacks by far the biggest threat to WordPress -WordPress projects. Fortunately, you can quickly and effectively protect yourself against the login flood. Because Brute Force attacks are easy to fend off.

There are burglars who plan their coup for years, put together a capable team, rappel down from roofs at night and crack safes by ear. And then there are people who smash a shop window with a rock. This category includes Brute Force attacks, by far the most common attacks on WordPress sites .

The idea behind Brute Force attacks is relatively simple: Hackers try to guess username and password to gain access to the WordPress dashboard. So it does not necessarily require in-depth knowledge or a large technical infrastructure to carry out such an attack successfully. A list of passwords and usernames and a short script is all that is needed.

This is also reflected in the sheer number of attacks. According to measurements by the security provider Wordfence , there were around 900 million Brute Force attacks on WordPress sites in May 2017. In April, there were even 1,380,000,000, or 1.38 billion attacks. And because approximately 28.3 percent of the world's 10 million largest websites are currently running at WordPress , this volume of attacks poses a major threat to the Internet as a whole. Or at least a potential one. Because you can defend yourself against these attacks very easily.

That's why I'm going to explain to you today how Brute Force attacks work and how great the risk is for your site.

It's the crowd that counts

Brute Force Attacks are basically unimaginative. Hence the name: brute force, which in German means something like brute force.

A single hacker would need ages to try out the username "admin" alone with, say, a list of the 500 worst passwords. The romantic idea that sites is hacked by individuals who manually type in every possible password does not correspond to reality.

Hackers automate their work processes. They work with bots, i.e. programs that automatically attack WordPress attacksites automatically. These bots can also be linked together in thousands in large networks - so-called botnets.

Bots know the vulnerabilities of their victims very well. Botnets in particular manage to check numerous IPs and thus countless websites simultaneously and at lightning speed for flaws in the security architecture.

Once they have found a website with a corresponding vulnerability, they attack over and over again and automatically test tens of thousands of the most common passwords and usernames until they have gained entry. Freely available databases that list the most common passwords from various platforms and networks make their job even easier.

It is precisely this automation that is the dangerous thing about Brute Force attacks. Even if you are running a relatively unknown website, whose limited reach makes it unattractive to human hackers, you may still be caught in the crosshairs of a bot or botnet. Bots do not distinguish between large and small websites. They only distinguish between good and badly secured ones. And because so many are listed sites under WordPress run, the probability of a poorly secured WordPress site to bump of course larger than with other CMS.

Data and reach, that's the booty

But why do hackers also target small websites with their botnets? In principle, it's always about two resources: data and reach. Because both can be sold or rented out, i.e. monetized. To do this, the target pages are usually infected with malware.

With this, the hacker can then do the following, for example:

  • Send spam mails from your site that land directly in the mailboxes of your recipients.
  • Integrate your site into a botnet and abuse it for further attacks
  • Tap into your customers' or community members' databases and steal sensitive data
  • Host illegal content with you
  • Redirect your traffic

The danger is steadily increasing, just like the WordPress market share.

Becoming the victim of a successful Brute Force attack is therefore no trivial matter. But what is the risk of hackers attacking yourssite ? To assess the risk, it is worth taking a look at the available figures.

Number of Brute Force attacks in millions and market share of WordPress.
Number of Brute Force attacks in millions and market share of WordPress.

The share of WordPress sites is steadily increasing, while the number of Brute Force attacks, on the other hand, fluctuates greatly. In some cases, this is because larger botnets were active during this period. For example, a botnet of home routers was active in April 2017.

Of course, only failed attacks that were prevented by the respective security software are included in these statistics. Successful Brute Force attacks are therefore not counted here. Neither are attacks on sites , which do not have the Plugins from Sucuri or Wordfence installed.

You can tell by the sheer number of attacks: Anyone who runs a website without protection is guilty of gross negligence. Because there are millions of attacks against WordPress sites I drove. Fortunately, protection against Brute Force attacks is relatively easy.

Theoretically very dangerous, practically easy to handle

In principle, effective protection against Brute Force attacks is based on two mechanisms: secure passwords and effective blacklisting. Because if your credentials are hard to guess and are changed regularly, and if you lock out attacking IPs and regions with particularly aggressive IPs, you massively reduce the risk of a successful hack.

Even if the pure numbers show that Brute Force attacks are a serious danger for your WordPress sites are - which, thanks to automated attacks and the large number WordPress in practice, they are almost only successful with careless site operators.sites

RAIDBOXER from the beginning and Head of Support. At Bar- and WordCamps he loves to talk about PageSpeed and website performance. The best way to bribe him is with an espresso - or Bavarian pretzel.

Related articles

Comments on this article

Post a comment

Your email address will not be published. Required fields are marked with *.