ThreatPress Security Suite

A Brute-Force attack is the most popular attack vector

What is brute-force attack?

A brute-force attack is an attempt to discover a password for a valid user account by using predefined values. The most common example is the dictionary attack. Dictionary attacks often succeed because many people tend to use short passwords. Other forms of brute force attack might try combinations of letters and numbers. Automated software is often used to guess thousands of password combinations.

What we’ve seen lately

Hackers are using brute-force attacks to break into WordPress sites, then compromise them by uploading malware via the theme or plugin editor.

A typical attack looks like this:

  • The attacker, usually a web bot attempts to log into WordPress:
    200 POST /wp-login.php
    Response body:
  • When succeeded, opens the theme editor:
    200 GET /wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen
  • Injects a PHP backdoor (malware) into 404.php file.
    200 POST /wp-admin/theme-editor.php
    Response body:

WordPress malware injection
WordPress PHP malware backdoor

Why do hackers target WordPress?

There are a few reasons:

  • They want gain access to your site’s data
  • They want to include ads, pop-ups, redirects & other malware
  • They want to use it to send out spam email

How to prevent Brute Force Attacks?

Limit the Login Attempts
You can protect your site against brute-force attack by limiting failed login attempts. You can use our ThreatPress – Security and Monitoring plugin for that. After reaching a specified limit on login retries, the plugin disables the login function for some time period.

Generally, bots are not capable of solving a captcha and this helps to slow down brute force attempts. You can use our Google Invisible reCaptcha by ThreatPress plugin.

Restrict access to the WordPress login page
A very effective way to protect your site against brute-force attack is by restricting access to the WordPress administration page. For example, when you use CAPTCHA protection, your server resources are still utilised to fetch and display the WordPress login page. You can restrict access to /wp-login.php to only your IP via your .htaccess file.

Example below:

Order Deny, Allow
Deny from All


Use strong passwords
Password security is often overlooked. The success rate for brute-force attack depends on the password length and complexity.

Disable file editor
A good practice is to disable the file editor in WordPress. In the example above, the attacker uses the file editor to write attack code (the “payload”) to a 404.php file. To disable the editor, you need to add define( ‘DISALLOW_FILE_EDIT’, true ); to your wp-config.php file.

Darius S.

Similar Posts

WooCommerce security

How to improve WooCommerce security

Setting up a new WooCommerce store is a big step in anyone’s business. Now, you can turn your WordPress site into an online store, and ...

WordPress hacking

Why do WordPress sites get hacked?

Why Do WordPress Websites Get Hacked? It seems that some websites are more susceptible to hackings than others. There’s a lot of factors ...

Poor coding - WordPress hacking risk

Poor coding puts WordPress sites at risk of hacking

WordPress is easily the world’s most popular content management system. It is used by more than 75 million websites, with 22% of new U.S. ...

Leave a Reply

Your email address will not be published. Required fields are marked *