The WordPress login page is an elegant but unsecured page that can easily be brute-forced. Since most default installs use admin as the main administrator username, it is very easy for an intruder to get into an administrator account. Being in an administrator account gives the intruder a lot of privileges: they can perform numerous attacks on the server, gather sensitive information, or even access the database.
A lot of password brute-forcing tools are available everywhere on the internet. I myself can write one in Perl. The brute-forcing process can be very long, depending on the user’s password and the attacker’s connection speed. If the script/program is hosted on a fast server with multi-threading support, the speed will be instantaneous. The chance of a brute-force attack succeeding will depend on the attacker’s password dictionary.
A Solution for WordPress
Luckily, it’s very easy to prevent this kind of attack. I found a plugin named Limit Login Attempts.
Limit the number of login attempts possible both through normal login as well as (WordPress 2.7+) using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- (WordPress 2.7+) Limit the number of attempts to log in using auth cookies in the same way
- Informs user about remaining retries or lockout time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
Translations: Bulgarian, Catalan, Chinese (Traditional), Czech, Dutch, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
The plugin uses standard actions and filters only.
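To make the behaviour in the description concrete (a retry limit per IP, a timed lockout, a "remaining retries or lockout time" message, and correct handling behind a reverse proxy), here is an added example of the same logic written in Python. It is not the plugin's own code (the plugin is PHP and hooks WordPress actions and filters); the defaults of 4 retries and a 20-minute lockout are assumptions picked for this example, and the addresses used in the comments are constructed. The reverse-proxy part shows the caveat a practitioner would want: X-Forwarded-For is only trusted when the connection actually comes from a known proxy, otherwise a client could choose which address its failures are counted under.

```python
import ipaddress
import time


class LoginLimiter:
    """Per-IP retry limit with a timed lockout, modelled on the plugin
    description above. Added example, not the plugin's own code."""

    def __init__(self, max_retries=4, lockout_seconds=20 * 60,
                 retry_window_seconds=12 * 60 * 60, trusted_proxies=()):
        # Defaults are assumptions chosen for this example, not the plugin's settings.
        self.max_retries = max_retries
        self.lockout_seconds = lockout_seconds
        self.retry_window_seconds = retry_window_seconds
        self.trusted_proxies = frozenset(trusted_proxies)
        self._failures = {}      # ip -> list of failure timestamps
        self._locked_until = {}  # ip -> unix time when the lockout ends

    def client_ip(self, remote_addr, x_forwarded_for=None):
        """Resolve the client address behind a reverse proxy.

        X-Forwarded-For is client-controlled, so it is only honoured when the
        direct peer (remote_addr) is one of our trusted proxies; otherwise a
        client could pick the address it gets counted under."""
        if x_forwarded_for and remote_addr in self.trusted_proxies:
            candidate = x_forwarded_for.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # malformed header: fall back to the peer address
        return remote_addr

    def _recent_failures(self, ip, now):
        # Forget failures older than the retry window.
        cutoff = now - self.retry_window_seconds
        recent = [t for t in self._failures.get(ip, []) if t > cutoff]
        self._failures[ip] = recent
        return recent

    def check(self, ip, now=None):
        """Call before processing a login. Returns (allowed, info)."""
        now = time.time() if now is None else now
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return False, {"locked_for": int(until - now)}
            del self._locked_until[ip]   # lockout expired: start fresh
            self._failures.pop(ip, None)
        remaining = self.max_retries - len(self._recent_failures(ip, now))
        return True, {"remaining": remaining}

    def record_failure(self, ip, now=None):
        """Call after a failed password check. Locks the IP when the limit is hit."""
        now = time.time() if now is None else now
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return {"locked": True, "locked_for": int(until - now)}
        recent = self._recent_failures(ip, now)
        recent.append(now)
        remaining = self.max_retries - len(recent)
        if remaining <= 0:
            self._locked_until[ip] = now + self.lockout_seconds
            self._failures.pop(ip, None)
            return {"locked": True, "locked_for": self.lockout_seconds}
        return {"locked": False, "remaining": remaining}

    def record_success(self, ip):
        """A successful login clears the counter for that IP."""
        self._failures.pop(ip, None)


def login_message(allowed, info):
    """Text for the login page, mirroring the 'remaining retries or lockout
    time' behaviour in the description (wording is this example's own)."""
    if not allowed:
        minutes = max(1, info["locked_for"] // 60)
        return "Too many failed login attempts. Please try again in %d minutes." % minutes
    return "%d attempts remaining." % info["remaining"]


if __name__ == "__main__":
    # Constructed walk-through: a proxy at 10.0.0.5 forwards a client at 203.0.113.7.
    limiter = LoginLimiter(trusted_proxies={"10.0.0.5"})
    ip = limiter.client_ip("10.0.0.5", "203.0.113.7, 10.0.0.5")
    for _ in range(4):
        allowed, info = limiter.check(ip)
        print(login_message(allowed, info))
        limiter.record_failure(ip)
    print(login_message(*limiter.check(ip)))
```

Running it stand-alone prints the remaining-attempt messages for four failures from the forwarded address and then the lockout message. In a real deployment the two dictionaries would live in persistent storage shared by all web workers, since an in-process counter resets on every restart and is not shared across processes.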
You can download the plugin HERE.