Brute Force Attacks

What does brute force mean?

A brute force attack is a method in which many login attempts are made to gain access to a system. WordPress is a free and open-source content management system that is used by 41.4% of the top 10 million websites on the internet. The two go together perfectly, and attackers regularly target WordPress-based websites using brute force methods.

Most websites running WordPress follow some simple rules. One of those rules is that the login page can be found at the "domain.TLD/wp-login.php" URL. Many of these setups are also poorly configured, without much in the way of security or preventative maintenance. Therefore, you can use some commonly available tools to quickly attack these sites and gain access to the underlying administration panel.

There exist tools such as WPForce that can be run in combination with a username list and a password list to brute force these sites. While some individuals will rightfully state that this type of attack is also referred to as a Credential Stuffing attack, they cannot argue that it is not effective and simple. You simply load up your application, pass on your credentials, and wait for confirmation, or pivot if you discover your method is not going to work on that site.

Once you have gained access to the website, you can then use the tool Yertle to attain persistence, activate meterpreter, load a keylogger, dump all of the hashes for the current passwords, and get the database credentials. This is a one-stop shop for attackers, and the tools themselves are simple to use. Yertle and WPForce are written in 96% Python and 4% JavaScript.

How do you fight it?

Individuals interested in protecting their webservers, developing defenses against these attacks, and preventing brute force or credential spraying attacks must understand the tools used to conduct the attacks themselves. By familiarizing yourself with these tools and their use, you can strategize how to defend yourself from the danger they pose.
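
A defensive counterpart to the login-guessing pattern described above, as an added example that is not part of the original article or of WPForce: a Python check that scans web server access logs for bursts of POSTs to /wp-login.php from one client. The log lines, IP addresses, threshold and window are constructed for illustration, and the 200-on-failure, 302-on-success status codes are an assumption about a default WordPress install.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def detect_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"max_in_window": n, "success_after_burst": bool}} for clients
    that sent at least `threshold` POSTs to /wp-login.php inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(
                m["ip"], {"max_in_window": 0, "success_after_burst": False})
            a["max_in_window"] = max(a["max_in_window"], len(q))
            # Assumption: a failed login returns 200 (form re-rendered) and a
            # successful one returns a 302 redirect, so a 302 inside a burst
            # suggests a password was guessed.
            if m["status"] == "302":
                a["success_after_burst"] = True
    return alerts

# Constructed sample data (documentation-range IPs), not real traffic.
def _line(ip, second, method, status):
    return (f'{ip} - - [02/Jul/2023:10:00:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 1234')

SAMPLE_LOG = (
    [_line("203.0.113.10", s, "POST", 200) for s in range(5)]  # rapid failures
    + [_line("203.0.113.10", 5, "POST", 302)]                  # then a success
    + [_line("198.51.100.7", 10, "GET", 200),                  # ordinary user:
       _line("198.51.100.7", 20, "POST", 200),                 # one typo,
       _line("198.51.100.7", 30, "POST", 302)])                # then logs in

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

An IP flagged with `success_after_burst` is the case to triage first, since it pairs a guessing burst with a likely valid login.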

Interested in studying cyber security? UAT Network Security degree students use critical thinking to research current and evolving cyber security trends and become experts in network security industry standards and regulations. Graduates from the cyber security program will have the essential knowledge and experience to automate their own security processes through extensive training in network security programs and scripts, and be prepared for careers in government and multinational corporations seeking certified ethical hacking professionals.
