Brute force, or password guessing, attacks are very common against websites and web servers, and they are one of the most common vectors used to compromise them. The process is simple: the attacker tries many combinations of usernames and passwords until one of them works.
Once in, they can infect the website with malware, spam, phishing pages or anything else the compromised account allows.
Brute Force Targets
Any website with a login page is a target, but the following are the most commonly attacked pages:
- WordPress wp-admin/wp-login.php
- Joomla /administrator/
- Drupal /admin/
- Magento /index.php/admin/
- vBulletin /admincp/
- Generic /login pages
Usernames and Passwords
Most attacks rely on a dictionary of the most commonly used usernames and passwords and try all of them. They also permute entries derived from the site's domain name and content to increase their success rate.
We have a few blog posts with more information about this, but these are the most commonly tried passwords:
admin
123456
password
12345678
666666
111111
1234567
qwerty
siteadmin
administrator
root
123123
123321
1234567890
letmein123
test123
demo123
pass123
123qwe
qwe123
654321
loveyou
adminadmin123
And these are just a few entries. Most attacks try thousands of password combinations.
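To make the "permute entries related to the domain" point concrete, here is an added example (not code from this page or its author) that builds the kind of candidate list an attacker derives from a site's hostname and a seed of common passwords, and then lets you check whether a password you are about to use would fall inside it. The tokenization rules, suffix list and the subset of the list above are assumptions for illustration; real attack dictionaries are far larger.

```python
import re
from itertools import product

# Seed list: a subset of the commonly tried passwords shown above.
TOP_PASSWORDS = [
    "admin", "123456", "password", "12345678", "qwerty", "siteadmin",
    "administrator", "root", "letmein123", "adminadmin123",
]

# Assumed set of suffixes attackers commonly append to a base word.
COMMON_SUFFIXES = ["", "1", "123", "2024", "!", "admin"]


def domain_tokens(domain):
    """Turn 'www.example-shop.com' into base words: ['example', 'exampleshop', 'shop']."""
    host = re.sub(r"^www\.", "", domain.lower())
    label = host.split(".")[0]                      # first DNS label only
    parts = [p for p in re.split(r"[-_]", label) if p]
    tokens = set(parts)
    if len(parts) > 1:
        tokens.add("".join(parts))                  # joined form, e.g. 'exampleshop'
    return sorted(tokens)


def candidate_passwords(domain, usernames=("admin",)):
    """Seed list plus domain/username tokens permuted with common suffixes and capitalisation."""
    candidates = set(TOP_PASSWORDS)
    bases = domain_tokens(domain) + list(usernames)
    for base, suffix in product(bases, COMMON_SUFFIXES):
        candidates.add(base + suffix)
        candidates.add(base.capitalize() + suffix)
    return candidates


def is_guessable(password, domain, usernames=("admin",)):
    """True if the password would be hit by the dictionary generated for this site."""
    return password in candidate_passwords(domain, usernames)


if __name__ == "__main__":
    site = "www.example-shop.com"                  # constructed sample hostname
    for pw in ("exampleshop123", "Exampleshop2024", "admin123", "Example-Shop-2024"):
        print(f"{pw:20} guessable={is_guessable(pw, site)}")
```

Running the check against your own admin password before deploying it is a cheap way to rule out the obvious domain-derived guesses; a password that survives this list still needs length and randomness, which this check does not measure.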
Brute Force Protection
Humans are very bad at choosing passwords, and that is exactly what these attacks exploit. You can minimize the risk by rate limiting login attempts, choosing strong passwords and restricting access to the admin pages to whitelisted IP addresses only.
Any client using our WAF is automatically protected: we restrict access to the login pages to authorized IP addresses only, and our brute force detection blocks an IP address after too many failed login attempts.
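The two controls described above, an IP whitelist for the login pages and a lockout after too many failed attempts, can be checked offline against a web server access log. The following is an added example, not the WAF's own logic and not code from this page: it parses Apache/nginx combined-format lines, treats a POST to a login page that returns 200 as a failed login (the form is re-rendered; a successful WordPress login answers with a 302 redirect, which is the assumption this heuristic rests on), blocks an IP after five failures in a five-minute sliding window, and flags any login-page request from outside the whitelist. The log lines, the whitelist range (203.0.113.0/24) and the thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Login pages listed on this page; a request is "admin traffic" if its path starts with one.
LOGIN_PATHS = ("/wp-login.php", "/administrator/", "/admin/",
               "/index.php/admin/", "/admincp/", "/login")

MAX_FAILURES = 5          # assumed lockout threshold
WINDOW_SECONDS = 300      # assumed sliding window
ADMIN_WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]   # assumed office range

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one attacker hammering wp-login.php, one legitimate admin.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:13:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:13:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:13:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:13:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:13:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:13:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2024:13:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2024:13:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def is_login_path(path):
    return any(path.startswith(p) for p in LOGIN_PATHS)


def is_failed_login(ev):
    # Assumption: a failed login re-renders the form (200); success redirects (302).
    return ev["method"] == "POST" and is_login_path(ev["path"]) and ev["status"] == 200


def ip_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_WHITELIST)


def analyze(lines, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {'blocked': {ip: time_of_lockout}, 'denied': [(ip, path), ...]}."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    denied = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_login_path(ev["path"]):
            continue
        if not ip_whitelisted(ev["ip"]):
            denied.append((ev["ip"], ev["path"]))   # would be rejected by the whitelist
        if is_failed_login(ev):
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window:
                q.popleft()                         # expire failures outside the window
            if len(q) >= max_failures and ev["ip"] not in blocked:
                blocked[ev["ip"]] = ev["ts"]
    return {"blocked": blocked, "denied": denied}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, when in result["blocked"].items():
        print(f"lockout {ip} at {when.isoformat()}")
    for ip, path in result["denied"]:
        print(f"not whitelisted: {ip} -> {path}")
```

The sliding window matters: a fixed per-minute counter lets a slow attacker stay just under the threshold indefinitely, while expiring only entries older than the window catches bursts that straddle a minute boundary. The 200-versus-302 heuristic is application specific; verify it against your own login handler before alerting on it.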