There’s been a lot of noise in the WordPress security community the last days about the increased XML-RPC attacks. Here at WPSOS we’ve noticed the same and can confirm the various reports on it.
However, we’ve also noticed an increase in brute force login attempts. These are robotic algorithms that every x seconds guess a username (often ‘admin’ or just the username that posted a blog post) and then cycles through common passwords (“12345678”, “asdf1234”, etc) until it eventually gets a hit… or is banned.
Although WordPress itself is taking various measures to try to limit this — the latest version, for example, forces the creation of substantially harder to guess passwords — the hackers are often one step ahead.
The brute force attacks are getting increasingly brutal. We’d definitely recommend stronger measures to protect your login pages.
But what measures in particular?
Our two favorite methods are:
- Use the .htaccess file to protect the login pages
- Change the URL of the login pages
This is in addition to – obviously – the more basic anti-brute force protections that are essential: long, complex, unique passwords that you don’t write on paper or email or share openly with anyone and don’t re-use, for example.
But more on that common sense in another post. As they say: common sense isn’t that common!