In this article we’ll address the following questions
- Why am I receiving a “Failed login” notification?
- How can I tell that I’m under attack?
- What did I do to expose myself to an attack?
- What are the consequences if an attack is successful?
- How do I better protect my website?
What is happening to my website?
If you made it to this page, you’re probably wondering why you’re receiving several failed login attempt notifications in your WordPress dashboard and email inbox. For most of you, this means that you are under something called a brute force attack. A brute force attack is when a cyber criminal tries to guess your website username and password in a highly repetitive process while often using sophisticated programs to do so. These attacks are the second most common threat to website owners (Faulty plugins are #1).
Brute force attacks are popular with cyber criminals because they are simple and reliable. They often let the computers do the work by trying hundreds of thousands of username and password combinations until they figure it out.The best way to fight back against the attacks is to stop them in progress: If they make it through, it might be too late.
How can I validate if this is an actual brute force attack?
There are times when you’ll have friendly programs or users that will be the cause of failed login attempt notifications. An easy way to check if the attack is legitimate is to copy the IP address from the lockout notification, and go to https://whatismyipaddress.com/ip-lookup. Enter in the IP address to see if you recognize the location. If the location is not somewhere you recognize, then you are probably under an attack. You might notice dozens or hundreds of IPs each day.
What is considered a serious attack?
We consider any attack serious whether it’s a few attempts or thousands. Keep in mind that cyber criminals have advanced algorithms and machine learning capabilities to improve their chances at guessing every time they try: This means that they don’t need very many tries to break through. The more serious attacks will slow down your site to the point where your customers will have a difficult time using it. This can last for several minutes, hours, or days.
I think these attacks might be fake, what is going on?
Some users feel that it’s impossible to receive so many failed login attempts, especially since they’re site was just created or they have minimal human traffic. Let us be clear that these failed login attempts are NOT generated by the plugin. New websites are often hosted on shared IP address, which make it very easy for hackers to find. Also, new domain names are often crawled once they are created, so as soon as a WordPress website is built on it, it’s vulnerable to attacks. New websites are often the best target since security is not top of mind for new site owners.
Try our premium cloud app for advanced protection for only US $7.99/month!
Why my website?
Greater than 99% of brute force attacks are chosen at random, so don’t waste any of your time trying to investigate. Cyber criminals will create programs that crawl the internet and choose their victims arbitrarily. Since the beginning of the COVID-19 pandemic, brute force attacks have increased significantly since more people are working from home. An April 2020 report from Kaspersky found that the number of brute force attacks on Remote Desktop Protocols (RDPs) increased 400 percent in March and April.
What happens when an attack is successful?
Once the site is compromised, it will start sending out spam or bogus traffic to other sites. This is how the attackers make money. There are some cases where they will ask for a ransom to give you back access to your site. Here are a few other things that will happen.
- Exploitation: Your website is used as a staging ground to perform attacks on other websites.
- Data theft: Customer account data is stolen and used for other scams such as phishing.
- Malware: Your site is infected with malicious software that damages devices, steals data, and causes chaos.
Your business could incur major financial loss and temporary removal from the Google index if an attack is successful.
Some of the most common symptoms of a successful brute force attack are degraded site performance, page redirects to online scams, and unusual email activity from your domain. If you believe you’ve been a victim of a successful brute force attack, call your hosting provider IMMEDIATELY for further instruction.
How can I better protect my website?
There are many ways you can protect your website from brute force attacks.
- Stop them in progress. Let’s face it, you are not going to be able to stop attacks permanently. But by installing Limit Login Attempts Reloaded, you will be able to stop the bots from trying an excessive amount of combinations. Keep in mind that stopping the attacks causes additional load on your site resources, and could compromise performance. This is why we created a premium service to absorb the traffic from brute force attacks so your website runs at its peak performance. We highly recommend subscribing to this service if you are experiencing daily attacks.
- Make your admin passwords VERY STRONG. Use at least 10 characters with uppercase, lowercase, numbers and special characters. An example of a strong password would look like this Ah0BhYSF+EZ4Ph%Nw*nU9?jiRj (This is an example, DO NOT use this as your password). WordPress has an excellent built-in password generator. Use it.
- Change your admin username to something UNIQUE. Most cyber criminals know that WordPress admins typically use the name “user” or “admin”. Change to something unique like Rtfd456 (Again, this is an example, don’t use this as your username). This will make their guessing much more difficult.
- Change your WordPress login URL (VERY ADVANCED). Cyber criminals know that most WordPress sites use the generic login URL that comes out of the box. By modifying this URL to something different (i.e. /logmein), they will have a difficult time establishing the attack (keep in mind that most brute force attacks are using a program with pre-defined conditions). Before you decide to do this, please consult with a WordPress technician or developer. If you change this URL without proper knowledge or assistance, you could cause serious damage to your website.