In today’s digital landscape, ensuring the security of our websites is more crucial than ever, especially when considering the potential vulnerabilities that come with poor password choices. Recent analysis of brute force login attempts on our WordPress sites revealed a staggering total of over 148,122 login attempts targeting a single real user account, with even more attempts across various accounts – during a 4-day period. None of these attempts were successful, thanks to security measures already in place. However, this incident emphasizes the urgent need to focus on improving our website security further.

Key Findings

• Username Targeting: Common usernames were frequently targeted during these attacks. Notably, usernames like admin, wwwadmin, wadminw, john (and other first names), username, and other predictable names were under constant threat.
• Aggressive Brute Force Attempts: Multiple IP addresses attempted to breach our sites, demonstrating a high level of malicious intent.

Despite the high volume of attempts, our proactive measures – including logging all login activity, removing users/usernames from sitemap.xml and the wp-json endpoint, and disabling xmlrpc.php – played a significant role in maintaining security.

Username Recommendations

To enhance security, consider the following recommendations regarding usernames:

• Avoid Admin: The username admin is by far the most used in brute force attacks. By not having a user account with this username is a significant security measure.
• Avoid Common Usernames: Steer clear of predictable usernames like admin, user, test, or any simple variations of personal names.
• Use Unique Usernames: Encourage the use of unique usernames that are not easily guessable to reduce the risk of targeted attacks.

The Importance of Strong Passwords

Even more critical than usernames is the choice of passwords. Many users tend to select passwords that are easily compromised. Below are examples of weak passwords that people often choose, which should be avoided at all costs (these are identified during recent brute force attacks):

• 123456
• 123456789
• 0192837465
• 0192837465z
• 000000
• 0000
• 111111
• 1111
• [USERNAME]2024 – where USERNAME is a real username revealed on the site / by WordPress. The year varies and may also represent a date.
• !@#admin
• admin@2024, admin@2023, admin@2022 – and so on
• password
• password123
• pass
• qwerty
• abc123
• letmein
• letmein123
• monkey
• iloveyou
• F*uckYou
• admin
• welcome
• 123123123
• 123123
• wordpress
• 12344321
• 0192837465z
• 1234[SITENAME] / 123[SITENAME] / 1234@[SITENAME] … – where SITENAME may be the domain name with or without TLD like .com/com
• admin!
• admin!@
• root
• admin888
• adminadmin
• administrator or Administrator
• webmaster
• administrador or Administrador
• Adminp@ssw0rd
• banana1
• blah
• blahblah
• blogger

Best Practices for Strong Passwords

To create strong passwords, consider the following tips:

• Length Matters: Passwords should be at least 12 characters long.
• Mix It Up: Use a combination of uppercase and lowercase letters, numbers, and special characters.
• Avoid Personal Information: Do not include easily accessible information such as birthdays or names.

As guardians of our websites, we must take every precaution to protect them – especially for the sites belonging to our children, who may unknowingly choose easily compromised passwords. While WordPress does share some user information, implementing additional security measures and promoting best practices for usernames and passwords can significantly bolster our defenses.

By prioritizing the security of our websites, we create a safer online environment for everyone. Let’s work together to educate our users on the importance of using unique usernames and strong passwords to enhance overall security.

This incident serves as a wake-up call: if you own a website, no matter how small, it’s crucial to protect it. Let’s talk about why this happens, what the risks are, and how you can fortify your site against these threats.

Why Are Hackers Targeting Your Website?

1. Automated Attacks
   Hackers often use bots to scan the internet for vulnerable websites, regardless of their size or popularity. These bots can automatically attempt brute-force attacks—trying hundreds or thousands of username-password combinations in a short time.
2. Low-Hanging Fruit
   Many attackers are opportunists, looking for websites with weak passwords, outdated software, or unprotected login forms. A WordPress site with weak security measures becomes a prime target.
3. Monetary Gain
   Successful breaches can lead to theft of sensitive data, redirecting your traffic, injecting malware, or even using your server to distribute spam or launch further attacks.
4. Compromise at Scale
   Hackers don’t need to care about your content. They care about gaining control of as many sites as possible to use them as part of a broader scheme. Your site could be used as part of a botnet to launch attacks against other websites.

What Are the Risks?

• Data Breaches
  A successful brute-force attack could expose your users’ data, leading to loss of trust and potential legal consequences.
• Downtime and Damage to Reputation
  Once compromised, your website may be taken down, defaced, or filled with malicious content, leading to a negative experience for visitors.
• SEO Penalties
  Search engines like Google penalize sites hosting malware or spam content, tanking your site’s rankings and visibility.
• Financial Loss
  Recovering from a hack can be costly—not just in terms of fixing the vulnerabilities, but also in terms of lost business, especially if your site is down for a prolonged period.

How Can You Protect Your Website?

1. Limit Login Attempts

As seen in today’s brute-force attempt on my site, limiting login attempts is essential. After three failed login attempts, my WordPress installation automatically blocks further attempts from the same IP. This feature alone can thwart the majority of brute-force attacks. You can use plugins to implement this.

2. Use Strong Passwords and Two-Factor Authentication (2FA)

Weak passwords are a hacker’s best friend. Ensure all users, especially admins, use strong, unique passwords. Adding two-factor authentication (2FA) creates an extra layer of protection. With 2FA, even if a hacker cracks the password, they can’t access your site without the secondary authentication code.

3. Install a Security Plugin

There are excellent security plugins like Wordfence and iThemes Security that monitor login attempts, scan for malware, and block known bad actors. These plugins provide detailed logs, so you can stay on top of security events like today’s attack.

4. Keep Your Software Up-to-Date

Whether you’re using WordPress, Joomla, or custom-built software, ensure all components—core software, plugins, and themes—are always up-to-date. Hackers frequently exploit vulnerabilities in outdated software. A single missed update can open the door to an attack.

5. Use HTTPS (SSL/TLS Encryption)

Secure your site with an SSL certificate to encrypt the data transferred between your site and your visitors. This protects against “man-in-the-middle” attacks and boosts your site’s credibility (and SEO ranking).

6. Implement a Web Application Firewall (WAF)

A Web Application Firewall sits between your server and incoming traffic, filtering out malicious requests before they reach your site. Cloudflare offers a basic WAF for free, but there are also premium options from services like Sucuri and Imperva.

7. Backup Regularly

Backups are your safety net in case of an attack. Set up automated daily backups to ensure that, even if the worst happens, you can restore your site quickly. Plugins can help manage this.

8. Block Suspicious IPs and Countries

If your site doesn’t serve visitors from certain regions, consider blocking traffic from those countries entirely. In today’s case, for instance, you might want to block the IPs from Indonesia that attempted the brute-force attack. This can be done via your firewall or security plugins.

9. Harden WordPress (or your CMS)

WordPress security hardening means taking extra steps like disabling file editing within the WordPress dashboard, changing the default login URL, and restricting access to sensitive files like wp-config.php. These measures make it harder for hackers to find weaknesses to exploit.

10. Monitor Activity

Set up logging to monitor user activity, login attempts, and file changes. This will help you spot suspicious activity early and take action before things escalate.

Conclusion: Security is Not Optional

Every website is a potential target, whether it’s a small blog or a major e-commerce platform. Hackers are becoming more sophisticated, and the tools they use to compromise sites are more readily available than ever. While no system can be 100% secure, taking these steps can drastically reduce your chances of being hacked.

The incident today underscores just how crucial these measures are. Even though my site was targeted by over a thousand login attempts in a matter of minutes, the protections I had in place—limiting login attempts and blocking IP addresses—ensured that it remained secure.

Security is not just an IT concern—it’s an essential part of running a website. By implementing the right protection measures, you can make the online world a safer place, one website at a time.