According to Forbes, at least 30.000 websites are hacked daily, with a WordPress market share of 40%, which means at least 12.000 WordPress sites get compromised daily. The two leading causes of these hacks are vulnerable software and compromised accounts. Source
Ensuring you are always running the latest version of WordPress and plugins and themes will prevent many of these hacks. Still, statistics suggest only about 50% of hacked WordPress sites were running outdated software. Taking into account that there might still be some vulnerabilities in up-to-date plugins & themes, this also means that a significant portion of hacks are caused by breaching the login security of accounts.
There are several ways a user’s login account can be compromised
These are the most common attacks:
Brute Force Attack
An attacker that uses a brute force attack systematically tries every possible combination of characters until the correct password is found. This takes a significant amount of time and will only be effective when users use short passwords (less than ten characters). This type of attack is not used very often, and when it is, it is usually targeted at specific accounts on high-value websites.
A dictionary attack involves using a pre-compiled list of commonly used passwords, dictionary words, and known phrases to attempt to crack the password. If the password is a common word or can be found in a dictionary, this method could be faster than a brute force attack.
A credential stuffing attack is a type of attack where attackers use automated scripts or tools to systematically test usernames and passwords stolen from other websites or online services. This is often successful due to the common practice of reusing usernames and passwords across multiple platforms.
A password spraying attack is executed by systematically trying a small number of commonly used passwords across multiple user accounts. Unlike a brute force attack, which involves trying numerous password combinations for a single account, password spraying involves trying a few commonly used passwords against many different accounts.
An attacker will create a copy of the login page and trick you into entering your user and password on the fake website and use this to log in to the real website.
What can i do?
You can do several things to significantly reduce the risk of your account being hacked.
Use a strong password
That means at least 12 characters, preferably a mix of lowercase, uppercase, numbers, and special characters. As an alternative, you can also use “password sentences”. These can be any combination of words as long as “random” and form a sentence of at least 20 characters.
Use unique passwords
Never reuse a password from a different account! Sites are getting hacked daily, and the hackers sell the account & password combinations they steal to anyone that wants to try them on other websites and services.
Limiting feedback on the WordPress login screen
By default, WordPress will tell you if your username or password is incorrect, which tells an attacker if the username exists, making it easier to target valid accounts.
Disable user enumeration
WordPress allows searching for valid user accounts in author pages and the REST API by default.
Rename the admin user on your WordPress site
The admin user account is the most attacked account and the only account often attacked using the brute force method.
Do not use accounts where the username is equal to the display name
This makes it easy for an attacker to find valid usernames based on post authors.
Use multi-factor authentication
This means that besides a username, you will need both a password and a second method to log in. The second method should be valid for one login attempt only and can be a code sent to your e-mail or phone, a code generated by a smartphone app, a hardware key, or your fingerprint or face identification.
Limit the number of attempts a user can enter a wrong password
Securing user accounts on WordPress servers is a crucial aspect of website security. Implementing strong passwords, enabling two-factor authentication, updating software regularly, and using a security plugin like Really Simple SSL can significantly reduce the risk of account compromise.