6 Million Password Attacks in 16 Hours? How to Block Them
Last week the President of the USA implored Americans to move beyond a simple password (as per the President's cyber security op-ed in the Wall Street Journal) and instead to enable two factor authentication or cellphone sign-in.
One of the things that Wordfence monitors is the number of brute force attacks on WordPress websites. Brute force attacks are password guessing attacks, where an attacker tries to sign in as you by guessing your password.
To give you an idea of the level of attacks in the wild, Wordfence gathered data on brute force attacks across the sites it protects within a 16 hour window, from Sunday to Monday (the 14th to the 15th) at 2pm Pacific time.
During that time (only 16 hours) there were a total of 6,611,909 attacks targeting 72,532 individual websites from 8,941 unique IP addresses, and the average number of attacks per victim website was 6.26.
What can you do to protect yourself?
Firstly, make sure you're running a security plugin on your WordPress installation.
I use the free version of Wordfence. Please make sure that you have the "Wordfence security network" feature enabled. It is enabled out of the box. If you get a failed login from an IP address, Wordfence contacts their cloud services to find out whether that IP is one of the known attackers. If it is, the IP is immediately blocked from signing in, protecting your site from a brute force attack. The attacker won't even get the standard 3 or 5 tries before they get locked out.
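The two-layer behaviour described above (an IP reputation check on the first failed login, then an ordinary retry budget for everyone else) as an added example in Python; this is not Wordfence's code, and the reputation list, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed stand-in for a cloud IP reputation feed. A real plugin would
# query a remote service here; the addresses are RFC 5737 documentation IPs.
KNOWN_ATTACKERS = {"203.0.113.5", "198.51.100.77"}


class LoginThrottle:
    """Decides what happens after each login attempt from a given IP."""

    def __init__(self, max_failures=5, reputation=KNOWN_ATTACKERS):
        self.max_failures = max_failures      # the "standard 3 or 5 tries"
        self.reputation = set(reputation)     # IPs reported as known attackers
        self.failures = defaultdict(int)      # per-IP count of failed logins
        self.blocked = set()                  # IPs no longer allowed to sign in

    def is_blocked(self, ip):
        return ip in self.blocked

    def attempt(self, ip, password_ok):
        """Record one login attempt and return the action taken."""
        if ip in self.blocked:
            return "already-blocked"
        if password_ok:
            self.failures.pop(ip, None)       # a good login resets the budget
            return "ok"
        # Layer 1: a failed login from a known attacker is blocked at once,
        # before it consumes any of the local retry budget.
        if ip in self.reputation:
            self.blocked.add(ip)
            return "blocked-by-reputation"
        # Layer 2: other failures count against the per-IP retry budget.
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.blocked.add(ip)
            return "blocked-by-lockout"
        return "allowed"


def replay(events, max_failures=3):
    """Replay a constructed list of (ip, password_ok) events; return actions."""
    throttle = LoginThrottle(max_failures=max_failures)
    return [throttle.attempt(ip, ok) for ip, ok in events]
```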
Go Deep on Password Security
Password security is a big subject. To fully understand why strong passwords are important and how attackers target weak passwords, you need to understand hashing, password salts and how they work, attack methods like rainbow tables, and why modern GPUs give attackers a huge advantage.
Wordfence has created a comprehensive lesson that explains all of this and much more, including emerging improvements in password algorithms. The lesson is designed to be a place that teachers and university professors can send their students to get a primer on password security and password authentication.
If you want to read the full article, please visit the Wordfence article.