If you have a WordPress site, someone is likely trying to guess your username and password combination. It is easily the most common attack against these sites. This is because it’s an easy attack to automate and undoubtedly it pays off occasionally. In this post, I’ll show you some common methods attackers use to guess your username and password, and then show what happens when you implement simple defenses.

What is a WordPress Password Guessing Attack?

Simply, this attack is when someone tries to guess your password. An attacker will use a program to guess the most common variations of usernames and passwords on your site. It will use your login form to enter the most common username:password combination (that’s admin:admin, btw). If that fails, the program moves on to the next most common variation. On and on, it just keeps trying different combinations indefinitely. This is why it’s called a Brute Force Attack – it uses brute force to try all possibilities instead of doing something intelligent.

Should You be Worried?

By default, WordPress gives you no defenses against this. If someone is trying this attack against your site, they can just keep trying