As added protection for the many WordPress websites we host, we’re pleased to announce that we’ve enabled an additional security layer: the Imunify360 feature that helps to block brute force attacks on WordPress sites.
Brute force attacks are repeated attempts to log in to a system by working through a list of the most commonly used passwords, starting with the most common (strictly speaking this is a dictionary attack, but the term brute force is widely used for it). The passwords tried are usually the following, or variations of them:
- 123456
- 123456789
- admin
- Qwerty
- welcome
- Password
- Password1
- p@ssw0rd
- 12345
- Qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
- Q2w3e4r5t
The Imunify360 team learnt that:
- The top 10,000 most frequently used passwords accounted for half of all WordPress login attempts they observed.
- On average, an attacker needs to try 64 domains, with 14 login attempts on each, before finding an account with a weak password.
- Weak passwords were used in around 10% of successful logins. In other words, sites whose users have weak passwords either can be hacked, or already have been.
The technology works by checking the password used on each login attempt against a list of well-known weak passwords. If a login attempt uses one of these passwords, the user is redirected to a page that prompts them to change their password (see the graphic in this article).
The system isn’t perfect, we’ve learnt. We’ve seen it trigger the protection even when a password looks quite ‘nasty’, i.e. very unlikely to appear on a list of commonly used passwords. Bear in mind that the list covers variations of common passwords as well (the examples above include p@ssw0rd and Password1), so a password built from a common word with substituted characters or an appended number still counts as weak, however complex it looks. If the check gets in the way, this feature can be disabled on a per-hosting-account basis.
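To make the mechanism and its false-positive behaviour concrete, here is an added example of how such a weak-password gate can be implemented. It is illustrative code written for this article, not Imunify360’s own code: the weak-password list is a constructed sample (the first fifteen entries above), the user store and its PBKDF2 hashing stand in for WordPress’s own credential check, the normalisation rules (lowercasing, leet substitutions, stripping trailing digits and punctuation) are an assumption about how “variations thereof” might be matched, and checking credentials before the weak-password test is an ordering chosen here. The per-account `weak_check_enabled` flag models the per-hosting-account switch mentioned above.

```python
import hashlib
import hmac
import re

# Constructed sample of a weak-password list (the real list is much larger).
WEAK_PASSWORDS = {
    "123456", "123456789", "admin", "qwerty", "welcome", "password",
    "password1", "p@ssw0rd", "12345", "qwerty123", "1q2w3e", "12345678",
    "111111", "1234567890", "q2w3e4r5t",
}

# Assumed leet-speak substitutions used to catch variations of listed words.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Trailing digits and punctuation are stripped so "Welcome2024!" -> "welcome".
TRAILING = re.compile(r"[\d!?.*#_-]+$")


def normalize(password):
    """Return the candidate forms of a password that are compared to the list."""
    lower = password.lower()
    stripped = TRAILING.sub("", lower)
    forms = {lower, lower.translate(LEET), stripped, stripped.translate(LEET)}
    return {f for f in forms if f}


def is_weak(password, weak_list=WEAK_PASSWORDS):
    """True if the password, or one of its normalised variants, is on the list."""
    return any(form in weak_list for form in normalize(password))


_SALT = b"constructed-salt"  # one shared salt keeps the demo short; use per-user salts in real code


def _hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store standing in for the site's real credential check.
USERS = {
    "editor": _hash("P@ssw0rd-2024!"),   # looks strong, but is a variant of "password"
    "dev": _hash("xK9#vL2q!mZr"),        # not derived from anything on the list
}
_DUMMY_HASH = _hash("")  # compared against for unknown users so timing does not leak usernames


def handle_login(username, password, users=USERS, weak_check_enabled=True):
    """Decide what happens to a login attempt.

    Returns "deny" for wrong credentials, "redirect:/change-password" when the
    credentials are correct but the password is weak (and the check is enabled
    for this account), and "allow" otherwise.
    """
    stored = users.get(username, _DUMMY_HASH)
    if not hmac.compare_digest(stored, _hash(password)):
        return "deny"  # attempt counting / IP blocking would hook in here
    if weak_check_enabled and is_weak(password):
        return "redirect:/change-password"
    return "allow"


if __name__ == "__main__":
    for user, pw in [("editor", "P@ssw0rd-2024!"), ("dev", "xK9#vL2q!mZr"),
                     ("editor", "wrong"), ("nobody", "123456")]:
        print(f"{user:7} {pw!r:20} -> {handle_login(user, pw)}")
    print("editor with check disabled ->",
          handle_login("editor", "P@ssw0rd-2024!", weak_check_enabled=False))
```

Running it shows the point made above: `P@ssw0rd-2024!` satisfies every usual complexity rule yet normalises to `password` and is sent to the change-password page, while a genuinely unrelated password such as `xK9#vL2q!mZr` is allowed through. Disabling the check for the account turns the redirect into a plain `allow`, which is exactly the per-hosting-account opt-out described above.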
The accuracy and quality of this service will improve over time.