What Is A Brute-Force Attack?

Published 17 June 2021
Updated 18 July 2023
Darius Sveikauskas
Bounty & Data Overlord
Table of Contents

A brute-force attack is an attempt to discover a password for a valid user account by using predefined values. The most common example is the dictionary attack.

Dictionary attacks often succeed because many people tend to use short passwords.

Other forms of brute force attack might try combinations of letters and numbers.

Automated software is often used to guess thousands of password combinations.

What we’ve seen

Hackers are using brute-force attacks to break into WordPress sites, then compromise them by uploading malware via the theme or plugin editor.

A typical attack looks like this:

The attacker, usually a web bot attempts to log into WordPress:

200 POST /wp-login.php
Response body:
log=admin&pwd=1234567&redirect_to=http://targetsite.com/wp-admin/&testcookie=1

When succeeded, opens the theme editor:

200 GET /wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen

Injects a PHP backdoor (malware) into 404.php file.

200 GET200 POST /wp-admin/theme-editor.php
Response body:
_wpnonce=74ac14146e&_wp_http_referer=%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%twentyseventeen&newcontent=...&action=update&file=404.php&theme=twentyseventeen&scrollto=0&docs-list=&submit=Update+File

Why do hackers target WordPress?

There are a few reasons:

  • They want to gain access to your site’s data
  • They want to include ads, pop-ups, redirects & other malware
  • They want to use it to send out spam email

How to prevent Brute Force Attacks?

Limit the Login Attempts
You can protect your site against brute-force attacks by limiting failed login attempts.

Captcha
Generally, bots are not capable of solving a captcha and this helps to slow down brute force attempts. You can use Patchstack to add invisible captcha to your site.

what is brute-force attack

Restrict access to the WordPress login page
Another way to protect your site against brute-force attacks is by restricting access to the WordPress administration page.

For example, when you use CAPTCHA protection, your server resources are still utilized to fetch and display the WordPress login page. You can restrict access to /wp-login.php to only your IP via your .htaccess file.

Example:

Order Deny, Allow
Deny from All
Allow from YOUR_IP_ADDRESS

Use strong passwords
Password security is often overlooked. The success rate for a brute-force attack depends on the password length and complexity.

Read more about how to manage and create secure password easily here.

Disable file editor
A good practice is to disable the file editor in WordPress. In the example above, the attacker uses the file editor to write attack code (the “payload”) to a 404.php file.

To disable the editor, you need to add define( ‘DISALLOW_FILE_EDIT’, true ); to your wp-config.php file.

The latest in Security advice

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu