It’s absolutely frightening how many attempts are being made to break into blogs. Even this blog, which is just 2 months old, is under frequent attacks. But, are you aware of the scale of the problem and what are you doing about it?
This site is new. There’s no Google Reputation to worry about and it’s only just starting to get traffic. But hackers have found it and are taking an interest.
In the last 90 minutes I’ve been watching my blog as it is under attack from what looks to be several hackers. Why, I have no idea. Most likely because I have made posts about how to increase blog security. Maybe they want to stop me from telling other people how to protect themselves.
I’m recording all of the failed attempts to watch what they are doing and there are around 100 failed attempts in those 90 minutes. However, by watching these failed attempts it’s quite easy to see that they are very basic and the first level of security is working – use a difficult-to-guess username.
On top of that the passwords are all very basic. You can see the list that I’ve collected so far here. They certainly are poor passwords to use and demonstrate that you really do need strong passwords that do not have any predictable sequences in them.
Another level of security that I do apply is being avoided here. The attackers are managing to use a whole array of IP addresses, so I’m guessing that they could be employing computers that have been taken over by viruses to ensure they hit me from different IP addresses.
Normally, from such a huge amount of attempts Limit Login Attempts would do its job and lock them out. However, they are skipping around so much that its job becomes far harder. Also, just for the “fun of it”, whilst I’m monitoring the site I’ve set the lockout limit much higher so that I can continue to watch what the attackers try.
What have I learned so far?
- Use a complex user ID. The attempts are coming in triplets, each trying the same password, from a different IP address and against these three user IDs: admin, administrator, 13weekchallenge.co (obviously created by a bot that hasn’t realised that .co is part of the URL suffix!)
- A complex password is required. Write it down if need be, or store it somewhere secure. But anything with a regular pattern might be guessed, e.g., some attempts are qazwsx and 159753. Look at the keyboard (a numeric keypad for the second one) to see why they might be popular.
- Monitoring attempted break-ins is essential. In fact I’m also monitoring successful logins. If it looks like a hacker might have guessed your username or password then you might just have time to change it before they guess the other half of the pairing.
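The three points above, and the observation that per-IP lockouts miss attackers who rotate IP addresses, can be turned into simple detection logic. The script below is an added example, not code from the original post or from the Limit Login Attempts plugin. It assumes a constructed failed-login record format (timestamp, client IP, username, password tried, result) and uses RFC 5737 documentation addresses as sample IPs. It shows why a per-IP counter stays silent against the “triplet” pattern while grouping by the password tried across distinct IPs exposes the coordinated run, counts which usernames are being targeted, and flags keyboard-walk passwords such as qazwsx and 159753.

```python
"""Detect distributed credential guessing from failed-login records.

Added example (not from the original post). The record format is
constructed for this example:
    <ISO timestamp> <client ip> <username> <password tried> FAIL
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the "triplet" pattern from the post. Each password
# is tried against three usernames, each attempt from a different IP.
SAMPLE_LOG = """\
2012-03-01T10:00:01 203.0.113.5   admin              123456 FAIL
2012-03-01T10:00:02 198.51.100.9  administrator      123456 FAIL
2012-03-01T10:00:03 192.0.2.77    13weekchallenge.co 123456 FAIL
2012-03-01T10:00:31 203.0.113.6   admin              qazwsx FAIL
2012-03-01T10:00:32 198.51.100.10 administrator      qazwsx FAIL
2012-03-01T10:00:33 192.0.2.78    13weekchallenge.co qazwsx FAIL
2012-03-01T10:01:01 203.0.113.7   admin              159753 FAIL
2012-03-01T10:01:02 198.51.100.11 administrator      159753 FAIL
2012-03-01T10:01:03 192.0.2.79    13weekchallenge.co 159753 FAIL
2012-03-01T10:05:00 192.0.2.200   editor             wrongpass FAIL
"""

PER_IP_LOCKOUT = 4            # Limit-Login-Attempts style: lock an IP after N failures
WINDOW = timedelta(minutes=10)

# Keyboard rows, keyboard columns, the number row and numeric-keypad lines
# (rows, columns and diagonals). Reversed walks are checked too.
KEY_SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm",
    "1234567890",
    "789", "456", "123", "741", "852", "963", "159", "357",
]


def parse(log_text):
    """Return a list of (timestamp, ip, username, password) for FAIL records."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "FAIL":
            continue
        ts, ip, user, pw, _ = parts
        records.append((datetime.fromisoformat(ts), ip, user, pw))
    return records


def per_ip_lockouts(records, limit=PER_IP_LOCKOUT):
    """IPs a per-IP counter would lock out. Empty when every attempt comes
    from a fresh address, which is exactly the evasion the post describes."""
    counts = Counter(ip for _, ip, _, _ in records)
    return {ip for ip, n in counts.items() if n >= limit}


def distributed_campaigns(records, window=WINDOW, min_ips=3):
    """Group failures by the password tried. One password seen from at least
    min_ips distinct IPs inside the window is treated as a coordinated run,
    regardless of how many attempts any single IP made."""
    by_password = defaultdict(list)
    for ts, ip, user, pw in records:
        by_password[pw].append((ts, ip, user))
    campaigns = {}
    for pw, hits in by_password.items():
        hits.sort()
        first = hits[0][0]
        in_window = [h for h in hits if h[0] - first <= window]
        ips = {h[1] for h in in_window}
        users = {h[2] for h in in_window}
        if len(ips) >= min_ips:
            campaigns[pw] = {"ips": sorted(ips), "usernames": sorted(users)}
    return campaigns


def targeted_usernames(records):
    """How often each username was tried: the 'use a complex user ID' check."""
    return Counter(user for _, _, user, _ in records)


def looks_like_keyboard_walk(pw, min_run=3):
    """True when the whole password tiles into runs of at least min_run keys
    that lie along a keyboard or keypad line (forwards or backwards)."""
    pw = pw.lower()
    if len(pw) < min_run:
        return False
    i = 0
    while i < len(pw):
        best = 0
        for seq in KEY_SEQUENCES:
            for s in (seq, seq[::-1]):
                n = min_run
                while i + n <= len(pw) and pw[i:i + n] in s:
                    best = max(best, n)
                    n += 1
        if best == 0:
            return False
        i += best
    return True


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockouts(recs) or "none")
    for pw, info in distributed_campaigns(recs).items():
        walk = " (keyboard walk)" if looks_like_keyboard_walk(pw) else ""
        print(f"campaign {pw!r}{walk}: {len(info['ips'])} IPs -> {info['usernames']}")
    print("targeted usernames:", targeted_usernames(recs).most_common(3))
```

Running it on the constructed sample reports no per-IP lockouts at all, because each address appears only once, but three campaigns (123456, qazwsx and 159753), the last two flagged as keyboard walks, each hitting the same three usernames from three IPs. That is the signal worth alerting on when an IP-based lockout is being sidestepped: the password or the username set repeating across addresses, not the address itself.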
However, I’ve now had enough of compiling my “useless passwords list” and so have increased the security on this blog once more, adding in a new plugin to my favourite security plugins list. Now I’m limiting logins to the admin system to people in the UK only.
They won’t give up and I’ll still be recording the attempts; this is just another layer of security to protect the blog with. Should they guess the combination, this extra plugin will stop them from actually getting logged on!