If you have a WordPress site, someone is likely trying to guess your username and password combination. It is easily the most common attack against these sites. This is because it’s an easy attack to automate and undoubtedly it pays off occasionally.  In this post, I’ll show you some common methods attackers use to guess your username and password, and then show what happens when you implement simple defenses.

WordPress Login FormSimply, this attack is when someone tries to guess your password. An attacker will use a program to guess the most common variations of usernames and passwords on your site. It will use your login form to enter the most common username:password combination (that’s admin:admin, btw). If that fails, the program moves on to the next most common variation. On and on, it just keeps trying different combinations indefinitely. This is why it’s called a Brute Force Attack – it uses brute force to try all possibilities instead of doing something intelligent.

By default, WordPress gives you no defenses against this. If someone is trying this attack against your site, they can just keep trying indefinitely until they guess correctly. You will have no idea it is even happening. But it totally is: WordFence publishes stats on this, and they count over 35 million attacks per day for the ~50 million sites they monitor. So virtually everyone gets attacked, virtually every day.

WordPress having no default protection against should be a crime. But helpfully they devote some space in the Codex to the topic, giving some good technical advice. Our advice puts it much more simply – install and configure a good security plugin. This is step 2 of our tutorial series for implementing all security best practices.

There are a bajillion linux tools out there to help people guess passwords, so you can pick your favorite. Mine is THC Hydra. It is not a specific tool for WordPress. In fact, the methods to guess passwords in WordPress are exactly the same as guessing passwords on any other website. I’ll show you how to use it below, then I’ll show what happens when you implement security.

This attack simulation requires two computers, both of which I’m running as Virtual Machines on my Windows laptop. The attack machine is Kali Linux and the victim is a Bitnami LAMP Server with WordPress 4.8.1 on it. If you are testing your own server, I highly recommend using Kali Linux as a virtual machine to do your testing.

Finding Usernames

The first task in our brute force attack is to find out the user names used to log into the admin panel. On a machine without security defenses, this is very easy to do. At least it’s easy if you know the magic command. Here it is:

for i in {1..15}; do curl -s -L -i$i | grep -E -o “” title=”View all posts by [a-z0-9A-Z-.]*|Location:.*” | sed ‘s/// /g’ | cut -f 6 -d ‘ ‘ | grep -v “^$”; done

Just replace with your own site. To the left you can see a screenshot of what happened when I ran this in my test environment. It returned the username of the one user that I have setup: “admin”.

Screenshot of Username Capture

We no longer have to guess at the user names, we only have to guess passwords. When we use Metasploit or THC Hydra, we’ll tell it that the user is names “admin” and that will greatly reduce the work it has to do in order to break in.

Password Attack with THC Hydra

THC Hydra logoTHC Hydra is a command line tool built exactly for this task. You tell it all of the usernames and passwrds you want to try and then the web page you want to try them on. Then it tries every combination until it finds one that works. It’s faster than most tools like it, and comes installed in Kali Linux.

We need 4 things to make this work:

  1. The Hydra program itself: It comes installed in Kali, so we’re good
  2. The usernames to test: We already know our victim site has a user named “admin”
  3. The passwords to test: Kali comes loaded with a high quality password list called RockYou. It derives from a 2009 data breach of the site We’ll use that.
  4. The url to test against: That’s usually and it’s no different on our victim machine.

Putting this together in Hydra syntax looks like this:

hydra -l admin -P rockyou.txt http-form-post “/wp-login.php?log=^USER^&pwd=^PASS^:login_error”

An then after we press enter, we get back our password in a few minutes. Ugh, it’s no wonder this machine is a victim – the password is also “admin”! Don’t be like this victim, use a hard to guess password.

Hydra Output

Defense with a Security Plugin

We’ve chosen the iThemes security plugin for our demonstrations on this site, and for good reason. But all of the major security plugins defend against this style of attack. After you download and enable the plugin, “Local Brute Force Protection” is part of the one-step security check. iThemes Security CheckLet’s enable it, and then try our attack again.

We can see in the console output that Hydra is telling us that suddenly all of the passwords started working. Haha! Not true! It just got confused when it didn’t see the error it was expecting anymore. None of those passwords work. Too bad, Hydra!

Below are the logs in iThemes. You see a few invalid login attempts, then the IP address gets locked out. This means it can no longer access the site.

Brute Force Logs

Hopefully I’ve convinced you by now that you need both a strong password and a security plugin to prevent brute force attacks. Check out our tutorials to install all of the best practice security defenses on your site. And as always, if you need help just contact us.

Share This

We are using cookies on our website

Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.