Wordpress Security Tips: Cryptanalytic Attacks

August 2, 2013


Ever heard of the largest self-hosted blogging tool in the world? It's called WordPress, and it is used by millions of businesses, professionals, freelancers and everyday conversationalists alike. In the ten years since its inception, it has grown a wealth of viewers and users, and has ultimately become one of the leading pioneers in the world of blogging. Matt Mullenweg and the rest of his team created the contender it has become today: a virtually untouchable blog publishing application, and it doesn't look like it's coming down from its throne anytime soon. However, with that great power and prestige come curious attackers, who try, and will try again, to break into the website to pry open its secrets and company information. And losing the reputation of being safe and secure can have a big impact on any website.

Since WordPress's popularity has grown tremendously, there has been a large and rapid increase in ongoing attacks against its sites. A series of botnets are being used to brute-force WordPress sites. The attacks take the form of attackers' repeated attempts at different username and password combinations. Just the right combination of characters leads to a very scary reward: valid credentials and complete access to the site. The majority of these attacks try to find the password for variations of the administrator account, which could range from "admin," "administrator," "Admin," and so on. For example, if one of these botnets tried to figure out the "morsecodemedia" login information, it would hit the login page of www.morsecodemedia.com and submit different combinations of researched information and sheer guesses. This is the everyday reality of how modern website attacks operate, and it can be frightening.

In fact, I've come to learn that over 10 percent of all such attempts use "editor" or "moderator," continuing the theme of the username being the permission level of that user. There is a pattern to these attacks, and if you or your company has experienced this type of virtual assault, I'm sure you've seen it first hand. Patterns are reliable and systematic. Intelligent solutions are formed by finding the pattern to these kinds of attacks. There is almost always a clear pattern to how usernames and passwords are being attempted that goes a little beyond just trial and error.

Over the years, more and more sites have been providing users with password strength meters in order to encourage effective, difficult-to-guess passwords. This is, of course, because of the natural tendency to choose passwords that are easy to remember, or to guess if you've forgotten. The unfortunate reality is that the easier the password is for you to figure out, the easier a job you're making for the attackers whose mission it is to figure it out.

So what exactly makes a bad password? According to SplashData, a company that specializes in password management applications, these are the top 25 worst passwords of 2012:

  1. password - unchanged from 2011
  2. 123456 - unchanged from 2011
  3. 12345678 - unchanged from 2011
  4. abc123 - up 1 spot from 2011
  5. qwerty - down 1 spot from 2011
  6. monkey - unchanged from 2011
  7. letmein - up 1 spot from 2011
  8. dragon - up 2 spots from 2011
  9. 111111 - up 3 spots from 2011
  10. baseball - up 1 spot from 2011
  11. iloveyou - up 2 spots from 2011
  12. trustno1 - down 3 spots from 2011
  13. 1234567 - down 6 spots from 2011
  14. sunshine - up 1 spot from 2011
  15. master - down 1 spot from 2011
  16. 123123 - up 4 spots from 2011
  17. welcome - new to the top 25 list
  18. shadow - up 1 spot from 2011
  19. ashley - down 3 spots from 2011
  20. football - up 5 spots from 2011
  21. jesus - new to the top 25 list
  22. michael - up 2 spots from 2011
  23. ninja - new to the top 25 list
  24. mustang - new to the top 25 list
  25. password1 - new to the top 25 list

SplashData's top 25 list was compiled from files containing millions of stolen passwords posted online by hackers. Creating stronger usernames and passwords is just one of the critical steps toward developing a more secure WordPress site. There are a lot of other routes to take in order to increase the efficacy and safety of one's website. Making sure your WordPress core, plugins and themes are up to date is a start. Most of the updates that are rolled out are security updates. Also, removing the full WordPress version from the generator metadata, as well as the displayed version string, keeps attackers from learning which known core issues apply to your site and where exactly to attack.

As stated earlier, remove the "admin" username from your list of users. Also, test your users' password strength with a brute-force check, which will ensure that none of them is using one of the 600 most commonly used passwords. There are plenty of plugins that will help you in this area. Lastly, change the default table prefix from "wp_" to something less obvious.
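As an added example of the tips above (not code from this post or from WordPress itself), here is a small must-use plugin that strips the version from the generator tag, rejects passwords from a constructed blocklist on profile edits and password resets, and refuses the role-named usernames at registration. The `he_` function names and the short blocklist are assumptions of mine; the hooks are standard WordPress ones.

```php
<?php
/*
Plugin Name: Hardening Example (mu-plugin)
Description: Drop into wp-content/mu-plugins/ to load without activation.
*/

// Tip: stop advertising the exact WordPress version in <head> and RSS feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Constructed blocklist (a few entries from the SplashData list above);
// a real deployment would load the full common-password list from a file.
function he_blocklist() {
    return array('password', '123456', '12345678', 'abc123', 'qwerty', 'monkey',
                 'letmein', 'dragon', '111111', 'baseball', 'iloveyou', 'trustno1',
                 'welcome', 'password1');
}

// Role-named logins that the brute-force botnets described above guess first.
function he_reserved_logins() {
    return array('admin', 'administrator', 'editor', 'moderator');
}

// Case-insensitive membership test against both lists.
function he_is_weak($password) {
    $p = strtolower(trim($password));
    return in_array($p, he_blocklist(), true) || in_array($p, he_reserved_logins(), true);
}

// Profile edits and users created in wp-admin: $user->user_pass holds the new password.
add_action('user_profile_update_errors', 'he_check_profile_password', 10, 3);
function he_check_profile_password($errors, $update, $user) {
    if (!empty($user->user_pass) && he_is_weak($user->user_pass)) {
        $errors->add('he_weak_password', 'That password is on the common-password list; choose another.');
    }
}

// Password resets from the login screen submit the new password as pass1.
add_action('validate_password_reset', 'he_check_reset_password', 10, 2);
function he_check_reset_password($errors, $user) {
    if (isset($_POST['pass1']) && he_is_weak($_POST['pass1'])) {
        $errors->add('he_weak_password', 'That password is on the common-password list; choose another.');
    }
}

// Registration: refuse the usernames attackers target, so no "admin" account exists to guess.
add_filter('registration_errors', 'he_check_username', 10, 3);
function he_check_username($errors, $sanitized_user_login, $user_email) {
    if (in_array(strtolower($sanitized_user_login), he_reserved_logins(), true)) {
        $errors->add('he_bad_username', 'That username is reserved; choose another.');
    }
    return $errors;
}
```

The table prefix is not a plugin concern: it is the `$table_prefix` setting in wp-config.php and is best changed before the site is installed.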

These are just some of the WordPress security tips that can help you avoid an attack, which could cost your website's reputation and safety; two valuable assets you can't afford to risk. What other security tips do you focus on when working with WordPress? Let me know on Twitter @morsecodemedia.