What a Brute Force attack on a WordPress website looks like – and what you can do about it

Over the last year and a half, my website has occasionally been subject to brute force attacks. As in most of these attacks against WordPress sites, an automated network of one or more computers sends an enormous amount of traffic to your WordPress login page in an attempt to break into your site. These attacks got more frequent earlier this year, and I finally had to take additional steps to ensure my site did not go down due to these attacks.

Recently, I saw how my new measures protected me from one of these attacks. I’d like to show you what this type of attack looks like behind the scenes. On a typical Monday, my site gets 6,000 to 7,000 requests (my site traffic has a pattern across the days of the week). Of these requests, typically 200-300 are blocked by the service I use, Sucuri, because they are attempts to break into my site through a variety of methods. Here is what a typical Monday looks like statistically (screenshot from Monday March 24, 2014):

[Screenshot: TypicalTraffic]

On Monday March 31, 2014, the automated network attacked my site. Here is the same statistic from that day:

[Screenshot: BruteForceTraffic]

More than ten times the typical number of requests, with 92% of them being blocked. The cause of 99.7% of the blocked requests? A brute force attack. Here is a sample of the details of the brute force requests that were blocked:

[Screenshot: AttackDetails]

You can see that they are all trying to access my WordPress login page (wp-login.php) and there are multiple requests per second. Because these requests were blocked before they even got to my site, my site was not affected. It stayed online and the server did not overload.

So what am I doing to protect my site from these attacks? Let me walk you through the two steps I took and what they did to help.

The first step I took was to use a WordPress plugin called All In One WP Security & Firewall. It is a good plugin and one I highly recommend you use on any WordPress site, even if you don’t think you have a problem with attacks right now. Among the many features it has, it allows you to see who is trying to log in to your site and from where. I started with this approach and blocked the IP addresses that I saw attempting to log in every hour. This is good, but it will not prevent a brute force attack unless it comes from one of these IP addresses, which is unlikely.
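To see why blocking individual IP addresses falls short, here is an added example (not part of the original post, and not code from the plugin or from Sucuri) that reads web server access log lines and compares the site-wide rate of wp-login.php requests with the count per IP address. It assumes the Apache/nginx "combined" log format; the thresholds, sample lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed input: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_hits(lines):
    """Yield (timestamp, ip) for every request aimed at wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"]

def summarize(lines, per_second_limit=2, per_ip_limit=5):
    """Compare the site-wide login request rate with per-IP counts."""
    per_second, per_ip = Counter(), Counter()
    for ts, ip in login_hits(lines):
        per_second[ts] += 1
        per_ip[ip] += 1
    busy = [t for t, n in per_second.items() if n >= per_second_limit]
    return {
        "total": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        # seconds in which the login page was hit repeatedly
        "busy_seconds": sorted(t.strftime("%H:%M:%S") for t in busy),
        # addresses a per-IP block rule would actually catch
        "ips_over_limit": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
    }

def sample_log():
    """Constructed sample: 12 login requests, 4 per second, each from a new IP."""
    lines = [
        f'203.0.113.{i + 1} - - [31/Mar/2014:09:15:{10 + i // 4:02d} +0000] '
        '"POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"'
        for i in range(12)
    ]
    lines.append('198.51.100.7 - - [31/Mar/2014:09:15:11 +0000] '
                 '"GET /about/ HTTP/1.1" 200 8120 "-" "-"')
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    print(summarize(sample_log()))
```

On the constructed sample, every second is flagged as busy while no single address exceeds the per-IP limit, which is the situation where a hand-maintained IP block list does not help.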

So I had to take the next step and pay for a cloud proxy service. The one I chose was Sucuri because my server company and WordPress recommended it. What this service does is stand between your visitors and your website and filter all requests to your site. They check for a huge number of potential problems. Once I started looking at their reports, I saw so many attempts to get into my site that I never even knew were happening. This is the service that blocked the brute force attacks. They stop the request before it ever reaches my site, making sure that the server does not get overloaded. It is their information you see in the screenshots above. At only $10 per month, this was a no-brainer for me.

If you run a WordPress site, I suggest you use the security plugin I mentioned above. It will protect most small sites. If you get onto the brute force hackers' list, you will need to move to a cloud proxy service to protect your site. I hope this gives you a better understanding of what this sort of attack looks like and some steps you can take to deal with it.