This article provides an overview of website security in terms of the main issues small to medium-sized business websites are faced with.
Note: We never build our WordPress websites using Admin as the Administrator username. We strongly recommend that if you are building your own WordPress website you choose a unique Administrator username.
Overview of Website Security
- Password Guessing Brute Force Attacks
- Directory Guessing Brute Force Attacks
Password Guessing Brute Force Attacks
Brute force (password guessing) attacks are very common against websites and web servers. They are one of the most common vectors used to compromise websites. The process is very simple: attackers try multiple combinations of usernames and passwords until they find one that works.
Once they get in, they can compromise the website with malware, spam, phishing or anything else they want.
Brute Force Targets
Any website with a login page is a target, but the following are the pages most commonly attacked by brute force:
- WordPress wp-admin/wp-login.php login pages.
- Joomla /administrator/.
- Drupal /admin/.
- Magento /index.php/admin/.
- vBulletin /admincp/.
- Generic /login pages.
Usernames and Passwords
Most attacks rely on a dictionary of the most commonly used usernames and passwords and try all of them.
Here are a few examples of weak passwords used for website logins:
And that is just a few entries. Most attacks try thousands of password combinations.
Brute Force Protection
Inexperienced users are generally bad at choosing passwords, and that is what these attacks try to exploit. You can minimize the risk by rate limiting login attempts, choosing good passwords and restricting access to the admin pages to whitelisted IP addresses only.
Directory Guessing Brute Force Attacks
Brute force (directory guessing) attacks are very common against websites and web servers. They are used to find hidden directories or folders on a site, which are then used to try to compromise it.
Directory Guessing Targets
Attackers generally focus on directories (folders) that can contain outdated or insecure software. These are the top directories we see being scanned:
- /phpmyadmin (or /phpmyadmin-versionnumber)
Directory Guessing Protection
A directory guessing attack often generates thousands of 404 (not found) errors in the logs. If you monitor your logs, you should be able to identify these attacks and block the attacker's IP address.
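Both kinds of attack leave a recognisable pattern in the web server access log: a burst of 404s from one address (directory guessing) or a burst of POSTs to one of the login pages listed above (password guessing). The following is an added example of the log check described in this section, not code from the original article; it parses combined-format access log lines and flags source IPs that exceed a per-window threshold. The log lines, thresholds and IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')  # combined log format
# Login pages named in the article; a POST to any of them counts as a login attempt.
LOGIN_PATHS = ("/wp-login.php", "/administrator/", "/admin/", "/index.php/admin/", "/admincp/", "/login")

def parse(log_text):
    """Return [(ip, time, method, path, status)] for each well-formed access-log line."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the whole scan
            ip, ts, method, path, status = m.groups()
            t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            entries.append((ip, t, method, path.split("?")[0], int(status)))
    return entries

def peak_in_window(times, window_s):
    """Most events from one source inside any window_s-second span (two-pointer sweep)."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def flag_sources(entries, matches, threshold, window_s):
    """{ip: peak_count} for IPs whose matching requests reach threshold within one window."""
    per_ip = defaultdict(list)
    for ip, t, method, path, status in entries:
        if matches(method, path, status):
            per_ip[ip].append(t)
    return {ip: n for ip, ts in per_ip.items() if (n := peak_in_window(ts, window_s)) >= threshold}

def directory_scanners(entries, threshold=20, window_s=60):
    return flag_sources(entries, lambda m, p, s: s == 404, threshold, window_s)  # bursts of 404s

def login_bruteforcers(entries, threshold=10, window_s=60):
    return flag_sources(entries, lambda m, p, s: m == "POST" and p.startswith(LOGIN_PATHS), threshold, window_s)

def constructed_log():
    """Synthetic access log (constructed, not real traffic): a scanner, a password guesser, a visitor."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512 "-" "Mozilla/5.0"'
    rows = [fmt.format(ip="203.0.113.7", s=i, m="GET", p=f"/phpmyadmin-{i}/", c=404) for i in range(25)]
    rows += [fmt.format(ip="198.51.100.9", s=i, m="POST", p="/wp-login.php", c=200) for i in range(12)]
    rows += [fmt.format(ip="192.0.2.1", s=i, m="GET", p=f"/page{i}", c=404 if i == 3 else 200) for i in range(5)]
    return "\n".join(rows)
```

Running `directory_scanners(parse(constructed_log()))` flags only the scanner (25 404s in a minute) and `login_bruteforcers(...)` flags only the guesser (12 login POSTs); the ordinary visitor with a single 404 stays below both thresholds and can be left alone.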