Update WordPress Now: Reuters Hacked
Originally posted on Lorelle on WordPress:
Sucuri, the web security specialists, published “Brute force attacks against WordPress sites,” an in-depth look not just at the importance of a strong password but at the brute-force nature and anatomy of login and registration access attacks.
There is a technique known as a brute-force attack. Like the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc.). Yes, the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method, the attackers are gaining access to your wp-admin; this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.
Because of the consistency and prevalence of these attacks, we decided to test it for ourselves. We created a couple of different honeypots with the intent of identifying the types of passwords being used, and to better understand the anatomy of these attacks. It didn’t take long. Within a few days, we had captured so much data that we had to share it with you.
The article features a list of the most common passwords, both those used across secure logins in general and on WordPress, and those tried in these brute-force login attacks. By now you should all know that the most common password used worldwide is “password,” proof that we somehow never learn. I’ve written extensively on how to create a strong password, and it appears it’s time for another lesson, especially on how to deal with the famous “admin” login issue with WordPress.
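Since Sucuri's point is that attackers enumerate the leetspeak permutations of common passwords, a site-side password check should undo those substitutions before comparing against a common-password list. The following is an added example, not code from Lorelle or Sucuri; the small common-password set and the substitution table are constructed for illustration and stand in for the real list in the Sucuri article.

```python
import re
from typing import Optional

# Constructed sample of common passwords; a real deployment would load the full
# published list (Sucuri's list is not reproduced here).
COMMON_PASSWORDS = {"password", "123456", "admin", "letmein", "welcome", "qwerty"}

# Symbol-to-letter map for the substitutions attackers try ('@' for 'a', '$' for 's',
# '0' for 'o', ...). Simplified: '1' is mapped to 'i' only.
LEET_MAP = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
            "1": "i", "!": "i", "3": "e", "7": "t"}

MIN_LENGTH = 12  # assumed policy value, not from the article


def normalize(password: str) -> str:
    """Reduce a candidate to its base word: lowercase it, strip trailing digits and
    punctuation, then undo leetspeak substitutions, so 'Pa$$w0rd', 'p@ssw0rd!' and
    'password123' all reduce to 'password'."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)  # drop trailing '123', '!', etc.
    return "".join(LEET_MAP.get(ch, ch) for ch in stripped)


def check_password(password: str, username: str = "") -> Optional[str]:
    """Return a rejection reason, or None if the password passes these checks."""
    base = normalize(password)
    if username and base == normalize(username):
        return "is a variation of the username"
    if base in COMMON_PASSWORDS:
        return f"reduces to common password '{base}'"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    # Constructed candidates, including the 'admin' account variations the post warns about.
    for user, pw in [("admin", "admin2013"), ("editor", "Pa$$w0rd1"),
                     ("editor", "correct horse battery staple")]:
        print(f"{user!r} / {pw!r}: {check_password(pw, user) or 'ok'}")
```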