The tools and techniques discussed in this post should only be used against sites that you own or that you have permission to test. This post is intended for site owners and administrators to test the security of their own assets and should not be used to gain unauthorised access to someone else’s property. Be responsible.
If you have any sort of Internet accessible WordPress site, it’s a good idea to keep it secure from attackers.
One of the most common attacks Website owners will face is brute-force login attempts where an attacker will try and compromise your website by “guessing” your password by force. Particularly if you have multiple users all with login accounts. The security of your site is only as good as the weakest user account.
What this means is attackers will use automated tools and readily available dictionaries of commonly used passwords that continuously try to login to your site. These attacks can test thousands of different password combinations in a matter of minutes, so if your passwords are easy to guess, no doubt they’ll be easy to break.
In this post I’m going to demonstrate how this works.
I’ve set up a WordPress site to test against and I’ve given the user account a trivial password. For the sake of demonstration I’ve made this password very easy to break.
I’m going use the brilliant tool wpscan to check my WordPress site for weak user accounts.
wpscan is able to scan a WordPress site for vulnerabilities that an attacker can exploit, allowing you to find and patch the issues before the attackers do.
Kali Linux comes with wpscan ready to go, so from the command line run the following command:
$ wpscan --url http://wordpress.local --enumerate u - ~/Downloads/rockyou.txt
–url tells wpscan the website address to scan. Mine is set to http://wordpress.local.
–enumerate u tells wpscan to try and find the user accounts on the site. This isn’t terribly difficult on WordPress sites because if a user has posted a blog article for example, their user account is connected to the post.
The last argument -P tells wpscan to use the following wordlist to find the password. I’m using the file rockyou.txt which is a freely available and very well known textfile containing thousands of possible passwords.
The scan only took a few seconds to find my terribly insecure password giving an attacker admin access to my website.
While this is a trivial example, unfortunately it’s far too common. Having any sort of Website is going to attract bots and automated scanners of all kinds.
The WordPress security plugin Wordfence shows a list of failed login attempts on your WordPress dashboard and it can be quite confronting the first time you see many failed logins on your site.
So what can you do to prevent brute-force password attacks like this?
Well, for starters you should pick stronger passwords. Any dictionary word, or persons name, even with letters changed to numbers or various punctuation symbols are all ineffective passwords. I won’t go into depth on password security here, but a strong password is harder to break.
You should also consider setting up login security. Wordfence provides Multifactor Authentication that forces you to login not only with your password, but with something else as well, such as a randomly generated code. MFA protects your site because even if an attacker can crack your password, they still wont be able to login unless they also have access to your MFA code.
Another Wordfence feature that I’d recommend is to limit login attempts. Brute-force attacks by definition require many attempts. If you don’t limit the amount of times an attacker can try to login they can essentially keep going forever. Most of us have been locked out of an Online account at some stage because we’ve entered the wrong password too many times. This is a feature of login security.
By restricting the amount of attempts an attacker can make, you can stop brute-force attacks before they begin.
Testing the security of your login accounts is an important step to securing your website. By running a scan such as this you’ll find vulnerabilities such as weak passwords before the attackers do.