How to Protect Your WordPress Website from Malicious Logins
According to the Wordfence Threat Intelligence team, one of the most frequent types of attacks against WordPress websites in 2020 was the malicious login attempt.
This type of attack includes credential stuffing using lists of stolen credentials, dictionary attacks, and traditional brute-force attacks.
- Credential stuffing is the automated injection of breached username/password pairs in order to gain access to user accounts. This is a subset of the brute-force attack in which large numbers of stolen credentials are automatically entered into websites until one matches an existing account, which attackers can then hijack for their own purposes.
- Dictionary attacks are another form of brute-force attack whereby the cyber criminal uses automated tools to try thousands or millions of likely password possibilities, such as words in a dictionary.
- Brute-force attacks entail the repeated and systematic submission of different usernames and passwords in an attempt to eventually guess valid access credentials.
This resource-intensive, trial-and-error method usually involves the use of automated tools, scripts or bots that cycle through every possible combination until access is granted.
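As an added illustration (not from Wordfence or the original article), the sketch below shows how a defender could tell these patterns apart in login telemetry: credential stuffing tries many different usernames about once each, while dictionary and brute-force attacks hammer a few usernames with many passwords. The event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real data): (source_ip, username, success).
# IP addresses are taken from the RFC 5737 documentation ranges.
EVENTS = (
    # One attempt each against 40 accounts; a single reused password works.
    [("203.0.113.5", f"user{i}", i == 17) for i in range(40)]
    # Sixty guesses against a single account.
    + [("198.51.100.7", "admin", False) for _ in range(60)]
    # An ordinary user: one typo, then a successful login.
    + [("192.0.2.10", "alice", False), ("192.0.2.10", "alice", True)]
)

MIN_FAILURES = 20     # assumed threshold; tune to the site's normal traffic
STUFFING_RATIO = 0.8  # assumed: distinct usernames per failed attempt


def classify_sources(events, min_failures=MIN_FAILURES, ratio=STUFFING_RATIO):
    """Label each source IP by the shape of its failed logins."""
    failures = defaultdict(list)
    for ip, username, success in events:
        if not success:
            failures[ip].append(username)
    verdicts = {}
    for ip, names in failures.items():
        if len(names) < min_failures:
            verdicts[ip] = "normal"
        elif len(set(names)) / len(names) >= ratio:
            verdicts[ip] = "credential-stuffing"
        else:
            # Dictionary and brute-force attacks look the same without the
            # submitted passwords, so both fall under one label here.
            verdicts[ip] = "password-guessing"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a flagged source."""
    hit = {user for ip, user, ok in events
           if ok and verdicts.get(ip, "normal") != "normal"}
    return sorted(hit)


if __name__ == "__main__":
    verdicts = classify_sources(EVENTS)
    print(verdicts)
    print("Force password reset for:", accounts_to_reset(EVENTS, verdicts))
```

Any account returned by `accounts_to_reset` should be treated as compromised, since the login succeeded from a source that was otherwise cycling through credentials.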
Playing the Odds
Last year, the security plugin Wordfence blocked more than 90 billion malicious login attempts from over 57 million unique IP addresses. This equates to a rate of 2,800 attacks per second targeting WordPress sites. And these are the findings of only one detection tool. The real number of malicious login attempts globally is far greater.
While the vast majority of malicious login attempts are destined to fail, it only takes a single successful login to compromise a WordPress site. The brute-force mitigation provided by Wordfence is very effective, and combining it with multi-factor authentication adds an essential layer of protection to WordPress logins.
An example of multi-factor authentication is the use of a special code sent to a smartphone. The login process cannot be completed without entering the valid code.
The Wordfence Threat Intelligence team noted that multi-factor authentication can completely prevent attackers from gaining access to a site via automated login attempts. This holds true even in cases where site administrators are reusing credentials that have been exposed in a data breach.
Beyond gaining access to WordPress websites, password cracking attacks can also be used to gain access to user, email, banking and cloud accounts and to compromise APIs or any other service that requires access credentials. In these cases too, multi-factor authentication can greatly reduce the likelihood that your digital assets will be compromised.
Don’t wait to become a victim… Ask your website administrator how your company is being protected against malicious logins.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.